"Workstation" Product defaults to wide-open firewall
Kevin Kofler
kevin.kofler at chello.at
Tue Dec 9 02:34:45 UTC 2014
Bastien Nocera wrote:
> ----- Original Message -----
>> Bastien Nocera wrote:
>> > Security is about compromises. The net result of the old firewall
>> > settings was people disabling the firewall.
>>
>> And the net result of the new firewall settings is you disabling the
>> firewall for them,
>
> It's not disabled.
It effectively is, as I had already explained, and Harald Reindl has now
explained too.
Your "solution" to people disabling the firewall is like "solving" the car
speeding problem by setting the maximum speed to 500 km/h. Rationale: "The
net result of the old [speed limits] was people [not respecting them]." Now
everybody is respecting the speed limit (= keeping the firewall "enabled"),
nobody is "speeding" (= "disabling the firewall") anymore… except that all
the benefits from speed limits (= the firewall) are completely gone (because
people are still effectively speeding = disabling the firewall, you just
changed the definition)! It's the same with your firewall settings.
>> and also for all those people out there (like me) who
>> were NOT disabling the firewall. (Thankfully, I'm not using the GNOME
>> Workstation, nor firewalld (but the old iptables.service), so I won't get
>> this "improvement".)
>
> So why are you complaining exactly?
Because Fedora is aggressively marketing a Product with a major security
vulnerability as its primary Product.
> So what you call "no firewall" would actually have prevented the potential
> security hole.
But it wouldn't have prevented any such hole with a higher port, which can
be opened by anyone. Services running as root can and do also bind such
ports (there is of course nothing restricting root to privileged ports), so
it can even lead to remote root exploits.
Kevin Kofler
More information about the devel
mailing list