"Workstation" Product defaults to wide-open firewall

Reindl Harald h.reindl at thelounge.net
Mon Dec 8 12:09:17 UTC 2014 


Am 08.12.2014 um 13:02 schrieb Aleksandar Kurtakov:
> ----- Original Message -----
>> From: "Reindl Harald" <h.reindl at thelounge.net>
>> To: devel at lists.fedoraproject.org
>> Sent: Monday, December 8, 2014 1:26:29 PM
>> Subject: Re: "Workstation" Product defaults to wide-open firewall
>>
>> Am 08.12.2014 um 12:22 schrieb Bastien Nocera:
>>>> Am 08.12.2014 um 11:45 schrieb Bastien Nocera:
>>>>>> Well, I'll understand these aspects.
>>>>>>
>>>>>> But when I think about Linux, especially about Fedora, I'm thinking
>>>>>> about the freedom to make decisions. This means to me, to customize
>>>>>> and take advantage of my computer and in this case my operating system.
>>>>>
>>>>> You're free to select another firewall zone
>>>>
>>>> so why do you not make secure defaults and say "You're free to select
>>>> another (more unsecure) firewall zone"?
>>>
>>> 1) It is secure enough and Eclipse listening to a port by default is a bug
>>> (and I have the firewall specialists at Red Hat/Fedora to back me up)
>>> 2) Good defaults
>>
>> again: the *purpose* of a Firewall is to protect from application bugs
>> or unintentional user faults - frankly the early KDE4 setups in 2008 had
>> a ton of 0.0.0.0 listenining high ports, that where indeed a bug and
>> hence a firewall to protect the user against such bugs
>>
>> it is not a bug that "ZendStudio" is listening on a high UDP port for
>> license verification (only one instance in the same network via broadcasts)
>>
>> it is intentional by the software
>
> I'm not going to comment what is good, what is intentional and etc.
> All I'm asking for is for precise wording aka when something is done by ZendStudion or any other Eclipse plugin is to name it unless it's something that Eclipse Platform/RCP does.
> As both Fedora and upstream Eclipse platform developer I really care about negative press we get because of such statements. "Eclipse listens on some port by default" translates into "Eclipse is insecure" and etc. is entirely not-true. We have a very strict privacy policy (http://www.eclipse.org/legal/privacy.php and http://wiki.eclipse.org/Policies/Uploading_and_Downloading_from_Eclipse_Software_Policy) so I sincerely ask people to not spread false statements like the one.

the point is not Eclipse

it was just an example of "netstat -l" as user and that the purpose of 
an OS is *not* to have defaults only sane in a default install

any application running as user can open a high port
that's the purpose of non-privileged ports

that means finally *any* bad piece of code with the current settings can 
open a listening port and contacted from a botnet *directly* instead 
open a active connection to the outside (which is bad enough)

spammer will love that opportunity because they need no longer to rely 
on single points easy taken offline where the bot-nodes connect to, no 
they just need to send their commands directly to the machines

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20141208/10dadd26/attachment.sig>

More information about the devel mailing list