"Workstation" Product defaults to wide-open firewall
william at firstyear.id.au
Tue Dec 9 06:59:21 UTC 2014
> > I just happened to look at the firewalld default settings, and I
> > was not amused when I noticed this:
> > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > > <port protocol="udp" port="1025-65535"/>
> > > <port protocol="tcp" port="1025-65535"/>
> > This "firewall" is a joke! ALL higher ports are wide open!
I want to point out that for many home users, going into the future, this is worse than it seems. Many of us are just thinking about the local network. Firewalld implements these rules not just for IPv4, but for IPv6 too. If you have a low-quality home router that just lets IPv6 traffic in, you aren't just exposed to the whole network, but to the whole internet. While IPv6 relies somewhat on well-configured router firewalls, we cannot guarantee this.
> There are no services listening on upper ports enabled by default,
> all the sharing services in Fedora will require actual enabling. See:
Yes, but it only takes one service to be open to cause issues. Things like Pidgin are walking Swiss cheese, and once you get owned, the attacker has a choice of around 60,000 or more ports to choose from to open a reverse shell up on.
I hope that this shows in summary that this idea is bad. As both a home user and enterprise user of Fedora, I cannot accept that this is a default in a workstation product that will one day be used by students and the like.
The worst part is not so much that the ports are open, but the deception: a user who investigates will see "The firewall is turned on, therefore I have security on incoming traffic". This is a lie with this configuration.
The true crux of this issue is the over-complexity that firewalld has brought to Fedora, and the fact that a quality UI for managing it does not exist yet.
OSX solves this issue by having an "on or off" button, and a list of applications that are allowed access. When the application first requests access, a prompt is given to add the application to the allow list. Why are we so against such a UI?
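An added example, not part of the original post and not firewalld's own code: a small audit of a zone file for the kind of rule quoted in the thread, reporting how much of the port space each protocol leaves open. The sample zone is constructed from the two quoted `<port>` lines; the function names and the 1024-port threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone holding only the two <port> rules quoted in the thread.
SAMPLE_ZONE = """<zone>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>"""

TOTAL_PORTS = 65535          # valid port numbers are 1..65535
WIDE_RANGE_THRESHOLD = 1024  # assumed cut-off: ranges at least this large are flagged


def parse_port_spec(spec):
    """Turn '8080' or '1025-65535' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= TOTAL_PORTS:
        raise ValueError(f"invalid port spec: {spec!r}")
    return low, high


def merge(ranges):
    """Merge overlapping or adjacent ranges so no port is counted twice."""
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def audit_zone(xml_text):
    """Return {protocol: {"open": count, "fraction": share, "wide": [ranges]}}."""
    per_proto = {}
    # Only direct <port> children of <zone>; ports nested in rich rules are skipped.
    for port in ET.fromstring(xml_text).findall("port"):
        per_proto.setdefault(port.get("protocol"), []).append(parse_port_spec(port.get("port")))
    report = {}
    for proto, ranges in per_proto.items():
        merged = merge(ranges)
        opened = sum(high - low + 1 for low, high in merged)
        wide = [r for r in merged if r[1] - r[0] + 1 >= WIDE_RANGE_THRESHOLD]
        report[proto] = {"open": opened, "fraction": opened / TOTAL_PORTS, "wide": wide}
    return report


if __name__ == "__main__":
    for proto, info in audit_zone(SAMPLE_ZONE).items():
        print(f"{proto}: {info['open']} open ({info['fraction']:.1%}), wide={info['wide']}")
```

The same rules apply to IPv4 and IPv6 alike, so the reported share is the exposure on both address families.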