"Workstation" Product defaults to wide-open firewall

Kevin Kofler kevin.kofler at chello.at
Tue Dec 9 02:34:45 UTC 2014

Bastien Nocera wrote:
> ----- Original Message -----
>> Bastien Nocera wrote:
>> > Security is about compromises. The net result of the old firewall
>> > settings was people disabling the firewall.
>> And the net result of the new firewall settings is you disabling the
>> firewall for them,
> It's not disabled.

It effectively is, as I had already explained, and Harald Reindl has now 
explained too.

Your "solution" to people disabling the firewall is like "solving" the car 
speeding problem by setting the maximum speed to 500 km/h. Rationale: "The 
net result of the old [speed limits] was people [not respecting them]." Now 
everybody is respecting the speed limit (= keeping the firewall "enabled"), 
nobody is "speeding" (= "disabling the firewall") anymore… except that all 
the benefits from speed limits (= the firewall) are completely gone (because 
people are still effectively speeding = disabling the firewall, you just 
changed the definition)! It's the same with your firewall settings.

>> and also for all those people out there (like me) who
>> were NOT disabling the firewall. (Thankfully, I'm not using the GNOME
>> Workstation, nor firewalld (but the old iptables.service), so I won't get
>> this "improvement".)
> So why are you complaining exactly?

Because Fedora is aggressively marketing a Product with a major security 
vulnerability as its primary Product.

> So what you call "no firewall" would actually have prevented the potential
> security hole.

But it wouldn't have prevented any such hole with a higher port, which can 
be opened by anyone. Services running as root can and do also bind such 
ports (there is of course nothing restricting root to privileged ports), so 
it can even lead to remote root exploits.

        Kevin Kofler

More information about the devel mailing list