"Workstation" Product defaults to wide-open firewall

Reindl Harald h.reindl at thelounge.net
Mon Dec 8 13:08:21 UTC 2014


On 08.12.2014 at 13:56 Bastien Nocera wrote:
>> On 08.12.2014 at 13:39 Bastien Nocera wrote:
>>>> Well, it's in your hands now, and every application developer's hands,
>>>> if RH is going to be turning the default firewall off.
>>>
>>> Not Red Hat, Fedora. And it's not off by default either. It's disabled
>>> for user applications, not root ones
>>
>> and that is a problem
>>
>> "user applications" can be any bad code executed by the user start
>> listening on the WAN - guess what is more likely
>>
>> * get a rootkit opening privileged ports
>> * execute code by a careless user
>>
>> Microsoft has learned their lessons after WinXP SP2 and Fedora goes the
>> opposite direction, which is very sad
>
> Rootkit won't require opened *server* ports. It will contact a command server
> through a client port, which requires no special privileges

opening a webserver for malware code for the next spam wave would be one 
example, but it doesn't matter: if you are there the machine is owned 
anyway and the firewall disabled too

> If you blocked the firewall for user applications, you just made
> the system a pain to use for no security benefits

you just do not know if it is an *intended* user application acting as 
server until you ask the user - you don't know *anything* until you ask 
the user and be sure, and you don't get the point

* even if the user's intention is to have that application inside the
   LAN acting as server/P2P, that does *not* automatically mean it
   should be open on the WAN; frankly, in the case of video streaming
   the user may end up in legal trouble, as an example

* any application reachable from the WAN is dangerous,
   just because *any* bug in that application becomes a *remote exploit*

you are just giving up on security because it's not easy enough to 
maintain - make some more steps in that direction and a from-scratch 
install of Windows will be more secure than a Linux system, and in fact 
that already happened with that high-ports-open default
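A check from the defender's side of this argument, added here as an example and not part of the thread: the script below parses `ss -Hltn` output (a constructed sample is embedded) and lists listening sockets that an "unprivileged ports open" firewall default would leave reachable from outside, i.e. bound to something other than loopback on a port in the assumed open range (UNPRIV_MIN, taken here as 1025, is an assumption to be matched against your zone's actual port range).

```shell
#!/bin/sh
# Lists listening TCP sockets that an "unprivileged ports open" firewall
# default would expose: not bound to loopback and port >= UNPRIV_MIN.
# UNPRIV_MIN=1025 is an assumption about where the open range starts;
# adjust it to what `firewall-cmd --list-all` reports for your zone.
UNPRIV_MIN=${UNPRIV_MIN:-1025}

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 50 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 [::1]:5000 [::]:*
LISTEN 0 10 192.168.1.20:9090 0.0.0.0:*'

# Reads ss lines on stdin, prints "addr:port" for each exposed listener.
exposed_listeners() {
    awk -v min="$UNPRIV_MIN" '
        {
            la = $4
            # split on the last colon so IPv6 forms like [::]:8080 parse
            n = match(la, /:[0-9]+$/)
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            port = substr(la, n + 1) + 0
            # privileged ports stay closed under the default; skip them
            if (port < min) next
            # loopback-only binds are not reachable from the network
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr ":" port
        }'
}

# Number of exposed listeners in the ss output on stdin (0 = nothing exposed).
exposed_count() {
    exposed_listeners | wc -l | tr -d ' '
}

# Use the live socket table when asked for; otherwise run on the sample.
if [ "${1:-}" = "--live" ]; then
    ss -Hltn | exposed_listeners
else
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_listeners
fi
```

On the sample this reports 0.0.0.0:8000, [::]:8080 and 192.168.1.20:9090; port 22 is privileged and the 631 and 5000 listeners are loopback-only, so they are not listed.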

