"Workstation" Product defaults to wide-open firewall

Reindl Harald h.reindl at thelounge.net
Mon Dec 8 13:08:21 UTC 2014

Am 08.12.2014 um 13:56 schrieb Bastien Nocera:
>> Am 08.12.2014 um 13:39 schrieb Bastien Nocera:
>>>> Well, it's in your hands now, and every application developer's hands,
>>>> if RH is going to be turning the default firewall off.
>>> Not Red Hat, Fedora. And it's not off by default either. It's disabled
>>> for user applications, not root ones
>> and that is a problem
>> "user applications" can be any bad code executed by the user start
>> listening on the WAN - guess what is more likely
>> * get a rootkit opening privileged ports
>> * execute code by a careless user
>> mircosoft has learned their lessons after WinXP SP2 and Fedora goes the
>> opposite direction which is very sad
> Rootkit won't require opened *server* ports. It will contact a command server
> through a client port, which requires no special privileges

opening a webserver for malware code for the next spam wave would be one 
example, but it don't matter, if you are there the machine is owned 
anyways and the firewall disabled too

> If you blocked the firewall for user applications, you just made
> the system a pain to use for no security benefits

you just do now know if it is a *intentet* user application acting as 
server until you ask the user - you don't know *anything* until you ask 
the user and be sure and you don't get the point

* even if the users intention is to have that application inside the
   LAN acting as server/P2P that does *not* mean automatically it
   should be open on the WAN, frankly in case of video-streaming
   the user may end in legal trouble as exmaple

* any application reachable from the WAN is dangerous
   just because *any* bug in that application becomes a *remote exploit*

you are just giving up in security because it's not easy enough to 
maintain - make some more steps in that direction and a from scratch 
insteall Windows will be more secure than a Linux system and in fact 
that already happened with that high-ports-open defaults

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20141208/700d393e/attachment.sig>

More information about the devel mailing list