"Workstation" Product defaults to wide-open firewall

William B william at firstyear.id.au
Tue Dec 9 06:59:21 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > I just happened to look at the firewalld default settings, and I
> > was not amused when I noticed this:
> > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > >  <port protocol="udp" port="1025-65535"/>
> > >  <port protocol="tcp" port="1025-65535"/>
> > This "firewall" is a joke! ALL higher ports are wide open!

I want to point out that for many home users, going into the future this is worse than it seems. Many of us are just thinking about the local network. Firewalld implements these rules not just for ipv4, but ipv6 too. If you have a low quality home router, that just lets ipv6 traffic in, you aren't just exposed to the whole network, but the whole internet. While ipv6 relies somewhat on well configured router firewalls, we cannot guarantee this.


> 
> There are no services listening on upper ports enabled by default,
> all the sharing services in Fedora will require actual enabling. See:
> http://www.hadess.net/2014/06/firewalls-and-per-network-sharing.html

Yes, but it only takes one service to be open to cause issues. Things like pidgin are walking swiss cheese and once you get owned, the attacker has a choice of around 60,000 or more ports to choose from to open a reverse shell up on. 



I hope that this shows in summary that this idea is bad. As both a home user and enterprise user of fedora, I cannot accept that this is a default in a workstation product that will one day be used by students and the like. 

The worst part is not as much that the ports are open, but by the deception that a user who investigates will see "The firewall is turned on, therefore I have security on incoming traffic". This is a lie with this configuration.


The true crux of this issue is the over complexity that firewalld has brought to fedora, and the fact that a quality UI for managing it does not exist yet.

OSX solves this issue by having an "on or off" button, and a list of applications that are allowed access. When the application first requests access, a prompt is given to add the application to the allow list. Why are we so against such a UI?

- -- 
Sincerely,

William Brown

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJUhp3JAAoJEO/EFteBqAmaduEP/3Y01L7jUgo0OljnS2pQVUUn
jdYbfUBchuPMO3sOEV7aryzMiKxtVE24vLklD7yN2O7VC+5KEVN29VyjiAI73IeH
A3llYnDiGBzcx4EYorNH39PQuolsvplYFvNYz+WrreccYbWnyAr79bVUSBHYSA4C
vSz3k2jFcl7TB3MozV5tV2OThv/7fKSEeYQwOVGaCRE4wnwedwu/mbaqQMd1QlJf
AN7BVvvNU+oYBFpNPcL0RTKR2cXwoQWT66Yb+GPVnYbgLYpPqVTumPZACtlo1ltu
IVW/pLBd2porYXM8gRfFovEwUv2LfOJOHapesz3iaGmt1DCk7dxNm6T2Mg08HPD4
rGgPAfU5awer/jTCwpjkydZe2JvzVm+BrpvYxAG61mHpRh7Cve8lYzbo14E54gVI
NYT+TjHvlxFiTwONYMNkOxP88G7UlKmzWXKJRFLYeh5x6TB3pm8HPUjEkeEdfD6V
ES/4DF2OmST6YanIJ0QMNEwB2xK+nNOP6EPCm9HofI1TeoxnyvWqgX2j5saWgPbi
pkN5KrvL8M2xecXG7ZgSTyDyvrhUJlE0T8M+yf4T8+Q+FiY9wX7ug0cxmPgCf4UB
wIZPIAtqjgD8wYDTcNjjXhN8e9Ytckvyk2YjUNX4uUG3R8NZUUJptJuyXHBkct9x
sJkYBC+bun9YprSqgWkF
=H8FB
-----END PGP SIGNATURE-----

More information about the devel mailing list