"Workstation" Product defaults to wide-open firewall

Nikos Mavrogiannopoulos nmav at redhat.com
Tue Dec 9 09:08:06 UTC 2014

On Tue, 2014-12-09 at 17:29 +1030, William B wrote:
> > > I just happened to look at the firewalld default settings, and I
> > > was not amused when I noticed this:
> > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > > >  <port protocol="udp" port="1025-65535"/>
> > > >  <port protocol="tcp" port="1025-65535"/>
> > > This "firewall" is a joke! ALL higher ports are wide open!
> I want to point out that for many home users, going into the future
> this is worse than it seems. Many of us are just thinking about the
> local network. Firewalld implements these rules not just for ipv4, but
> ipv6 too. If you have a low quality home router, that just lets ipv6
> traffic in, you aren't just exposed to the whole network, but the whole
> internet. While ipv6 relies somewhat on well configured router
> firewalls, we cannot guarantee this.

That is compromise. Of course there are untrustworthy LANs. However we
shouldn't cripple functionality for users on their trusted lan because
there may be few users in a LAN they don't trust. If you are in such a
lan, then I'd expect to switch your firewall's zone. If the installer
could do that automatically, it would be even better.


More information about the devel mailing list