"Workstation" Product defaults to wide-open firewall
Kevin Kofler
kevin.kofler at chello.at
Tue Dec 9 00:28:42 UTC 2014
Matthew Miller wrote:
> Whether you agree or not, reasonable people argue that a host-based packet
> filter isn't really a meaningful increase in security. I don't think we're
> _really_ leaving the security emphasis behind.
And I argue that the firewall is by far the most important security
mechanism we have available, and a lot more effective than SELinux, which we
are forcing on all our Spins. Instead of merely trying to limit the damage
an intruder can do, it's a lot safer (and also less annoying to legitimate
users) to not let them intrude in the first place.
How do you protect your house or apartment from thieves? Do you:
(a) … lock your entrance door? or
(b) … put locks on every single valuable item to keep it from being removed?
A firewall does (a), SELinux does (b).
> On Mon, Dec 08, 2014 at 03:20:30PM -0500, Mike Pinkerton wrote:
>> Perhaps the Workstation team thought that opening up the firewall
>> defaults was the best compromise. I disagree. Perhaps a better
>> compromise would have been to leave the old defaults in place, and
>> add a new pre-configured "more open" zone for those who want fewer
>> constraints.AAAA
>
> Wait, my last paragraph was a great end to a long message :) but I need
> to also add: please take a look at the actual implementation. The above
> suggestion is _exactly_ what was done.
Uh no, it was not.
1. The default zone is the insecure one. Mike Pinkerton says that the
default zone should be the secure one, and the insecure one opt-in, not
opt-out (and I agree with him).
2. The tool to change to a secure firewall zone isn't even installed by
default.
Kevin Kofler
More information about the devel
mailing list