"Workstation" Product defaults to wide-open firewall

Stephen Gallagher sgallagh at redhat.com
Mon Dec 8 21:01:08 UTC 2014




On Mon, 2014-12-08 at 07:41 +0100, Kevin Kofler wrote:
> Hi,
> 
> I just happened to look at the firewalld default settings, and I was not 
> amused when I noticed this:
> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> >  <port protocol="udp" port="1025-65535"/>
> >  <port protocol="tcp" port="1025-65535"/>
> This "firewall" is a joke! ALL higher ports are wide open!
> 
> There had been a prior discussion on this list where they wanted to disable 
> the firewall entirely. We told them that that's a horrible idea (which it 
> is, of course!). But the result is that they implemented this "solution" 
> which is almost entirely as bad, and which additionally gives users a false 
> sense of security, because a "firewall" is "enabled" (for a very twisted 
> definition of "enabled").
> 
> IMHO, this is a major security issue that MUST be fixed. It also shows what 
> a horribly bad idea per-Product configuration is.
> 
> Yet another reason why you should NOT use "--product=workstation" to upgrade 
> your F20 to F21 (ALWAYS use "--product=nonproduct"). Installing the 
> "Workstation Product", or upgrading to it, will leave you with a totally 
> insecure system.


sudo firewall-cmd --set-default-zone=FedoraServer
That will limit it to SSH, DHCPv6 and cockpit

Or use default zone "Public", which swaps cockpit out and adds mDNS

Or if you're "Reindl Harald"-level paranoid (no offense intended, Harald,
but you're the most paranoid sysadmin I know, even more than me):

sudo firewall-cmd --set-default-zone=block



As someone else mentioned very deep in this thread, you can also do this
in a GUI-centric way inside the preferences for the individual network
connections in the Network Manager settings. It's under the "Identity"
grouping. Here you can set a different default zone for each interface.
(This can be done at the command-line also; the above commands just set
the default zone for all interfaces if not individually overridden.)
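The thread's complaint is about what a zone definition actually opens, and the quickest defensive check is to read the zone files rather than trust the word "enabled". The script below is an added example, not part of the thread and not firewalld's own tooling: a POSIX sh audit that parses a firewalld zone XML file, counts the ports its `<port>` elements open (a range a-b counts b-a+1 ports), reports the widest single range, and flags the zone when any range exceeds a threshold (1024 ports, an arbitrary choice for this example). The embedded zone file is constructed for the example: its two `<port>` lines copy the FedoraWorkstation.xml lines quoted above, and the `ssh` service entry is an assumption. The final loop audits the real firewalld zone directories (`/usr/lib/firewalld/zones` for shipped defaults, `/etc/firewalld/zones` for local overrides) only where they exist; to see which zone a host is actually using, pair it with `firewall-cmd --get-default-zone` and `firewall-cmd --list-all`.

```shell
#!/bin/sh
# Added example, not from the thread: audit a firewalld zone file and report
# what it opens. The zone below is CONSTRUCTED; its <port> lines copy the
# FedoraWorkstation.xml lines quoted in the thread, the ssh entry is assumed.
set -u

ZONE_FILE="$(mktemp)"
trap 'rm -f "$ZONE_FILE"' EXIT
cat > "$ZONE_FILE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Constructed Workstation-like zone</short>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>
EOF

# Print "<total> <widest>": total = ports opened across all <port> elements
# (a range a-b counts b-a+1 ports), widest = size of the largest single range.
_port_stats() {
  awk '
    /<port / && match($0, /port="[0-9]+(-[0-9]+)?"/) {
      spec = substr($0, RSTART + 6, RLENGTH - 7)   # drop port=" and closing quote
      n = split(spec, r, "-")
      w = (n == 2) ? r[2] - r[1] + 1 : 1
      total += w
      if (w > widest) widest = w
    }
    END { print total + 0, widest + 0 }
  ' "$1"
}

open_port_count()   { _port_stats "$1" | cut -d' ' -f1; }
widest_port_range() { _port_stats "$1" | cut -d' ' -f2; }

# Number of named services the zone enables (grep -c prints 0 when none).
service_count() { grep -c '<service name=' "$1" || true; }

# Exit 0 when any single port range is wider than THRESHOLD ports
# (default 1024, an arbitrary cut-off for this example).
zone_is_wide_open() {
  threshold="${2:-1024}"
  [ "$(widest_port_range "$1")" -gt "$threshold" ]
}

# One-line report per zone file.
audit_zone() {
  if zone_is_wide_open "$1"; then verdict="WIDE OPEN"; else verdict="ok"; fi
  printf '%s: services=%s ports=%s widest_range=%s -> %s\n' \
    "$1" "$(service_count "$1")" "$(open_port_count "$1")" \
    "$(widest_port_range "$1")" "$verdict"
}

audit_zone "$ZONE_FILE"

# On a real Fedora host, also audit the installed zone definitions; compare
# the flagged ones with the output of `firewall-cmd --get-default-zone`.
for f in /etc/firewalld/zones/*.xml /usr/lib/firewalld/zones/*.xml; do
  [ -f "$f" ] || continue
  audit_zone "$f"
done
```

For the constructed zone the report reads `ports=129022 widest_range=64511 -> WIDE OPEN`, which is the point of the thread in one line: two ranges of 64511 ports each, above a single enabled service. Run against a host's zone directories, the same script shows in seconds which shipped or locally edited zones deserve the `--set-default-zone` treatment described above.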