"Workstation" Product defaults to wide-open firewall

Bastien Nocera bnocera at redhat.com
Mon Dec 8 16:10:01 UTC 2014



----- Original Message -----
> Bastien Nocera wrote:
> > Security is about compromises. The net result of the old firewall settings
> > was people disabling the firewall.
> 
> And the net result of the new firewall settings is you disabling the
> firewall for them,

It's not disabled.

> and also for all those people out there (like me) who
> were NOT disabling the firewall. (Thankfully, I'm not using the GNOME
> Workstation, nor firewalld (but the old iptables.service), so I won't get
> this "improvement".)

So why are you complaining exactly?

> > The new firewall settings were vouched for by the firewalld folks, and
> > provide good defaults for most users.
> 
> The new firewall settings essentially amount to disabling the firewall.

It doesn't.

> The only ports they protect are those controlled by root anyway, and there
> is nothing listening on those ports by default (except SSH, which your
> firewall rules also let through, but that was already the case before).

There are a few more items that will be opened, I'm afraid. And one of the reasons
why we block root ports is to avoid regressions like rpcbind listening
by default, which was due to a bug in packaging. So what you call "no firewall"
would actually have prevented the potential security hole.
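
The rpcbind point above is easy to check on a real box. The following is an added example, not code from this thread, from firewalld or from Fedora: it takes listening sockets in `ss -lntu` format (here a constructed sample, with rpcbind on 111/tcp and 111/udp as in the regression described) and sorts them by what a simplified "block ports below 1024 except ssh, allow everything above" default would let through from the network. The exact port set and the ssh exception are assumptions standing in for the real zone definition, which the thread does not spell out; the `run_ss()` helper is only used when the script is run directly.

```python
"""Classify listening sockets against a 'block privileged ports' policy.

Assumed policy (a simplification, not the real firewalld zone):
  - inbound to ports 1..1023 is blocked, except 22/tcp (ssh)
  - inbound to ports >= 1024 is allowed
Listeners bound to loopback are unreachable from the network regardless.
"""
import subprocess
from dataclasses import dataclass

PRIVILEGED_MAX = 1023          # assumption: "root ports" == 1..1023
ALLOWED_PRIVILEGED = {22}      # assumption: ssh is the only privileged exception

# Constructed sample of `ss -Hlntu` output (Netid State Recv-Q Send-Q Local Peer).
# rpcbind (111) on 0.0.0.0 is the packaging regression the thread refers to.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096         0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

    @property
    def network_facing(self) -> bool:
        """Loopback-only binds cannot be reached from other hosts."""
        return self.addr not in ("127.0.0.1", "::1")


def parse_ss(text: str) -> list:
    """Parse header-less `ss -lntu` lines into Listener records."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:22" and "0.0.0.0:111"
        listeners.append(Listener(proto, addr.strip("[]"), int(port)))
    return listeners


def policy_allows(port: int) -> bool:
    """True if the assumed default policy lets inbound traffic reach this port."""
    return port > PRIVILEGED_MAX or port in ALLOWED_PRIVILEGED


def classify(listeners: list) -> tuple:
    """Split listeners into (exposed, blocked_by_policy, loopback_only)."""
    exposed, blocked, local_only = [], [], []
    for l in listeners:
        if not l.network_facing:
            local_only.append(l)
        elif policy_allows(l.port):
            exposed.append(l)
        else:
            blocked.append(l)
    return exposed, blocked, local_only


def run_ss() -> str:
    """Fetch live listeners; falls back to the constructed sample if ss is unavailable."""
    try:
        return subprocess.run(["ss", "-Hlntu"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    exposed, blocked, local_only = classify(parse_ss(run_ss()))
    for label, group in (("EXPOSED", exposed), ("BLOCKED BY POLICY", blocked),
                         ("LOOPBACK ONLY", local_only)):
        print(label)
        for l in group:
            print(f"  {l.proto}/{l.port} on {l.addr}")
```

On the constructed sample, rpcbind's 111/tcp and 111/udp land in the "blocked by policy" group while 8080/tcp (an unprivileged port) is exposed, which is exactly the trade-off the two sides of the thread are arguing about: the default stops a mis-packaged root daemon, but not a user-started one.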

