"Workstation" Product defaults to wide-open firewall

William B william at firstyear.id.au
Tue Dec 9 13:10:42 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 09 Dec 2014 10:08:06 +0100
Nikos Mavrogiannopoulos <nmav at redhat.com> wrote:

> On Tue, 2014-12-09 at 17:29 +1030, William B wrote:
> > > > I just happened to look at the firewalld default settings, and I
> > > > was not amused when I noticed this:
> > > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > > > >  <port protocol="udp" port="1025-65535"/>
> > > > >  <port protocol="tcp" port="1025-65535"/>
> > > > This "firewall" is a joke! ALL higher ports are wide open!
> > 
> > I want to point out that for many home users, going into the future
> > this is worse than it seems. Many of us are just thinking about the
> > local network. Firewalld implements these rules not just for ipv4,
> > but ipv6 too. If you have a low quality home router, that just lets
> > ipv6 traffic in, you aren't just exposed to the whole network, but
> > the whole internet. While ipv6 relies somewhat on well configured
> > router firewalls, we cannot guarantee this.
> 
> That is compromise. Of course there are untrustworthy LANs. However we
> shouldn't cripple functionality for users on their trusted lan because
> there may be few users in a LAN they don't trust. If you are in such a
> lan, then I'd expect to switch your firewall's zone. If the installer
> could do that automatically, it would be even better.
> 

Can you personally, with 100% confidence tell me you completely understand the inner workings and firewall of your home? Your work? Have you pen tested them? Are you sure that they are open in some way you don't expect? If you answer no to any of these, you should probably reconsider how open your systems firewall is.

I think that sacrificing security for convinence is not an option. Sometimes security can be hard, and the convinence look nice, but I want to strongly reiterate that the solution is not to open all ports and fool our users, but to create a secure by default os, that gives users control of that. If that means we need to face the hard truths and write some code to make a better firewalld ui, then so be it.


- -- 
Sincerely,

William Brown

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJUhvTSAAoJEO/EFteBqAmal44QAL3P0aVXGwoFzJbqpJI6EVjQ
QvCHacmmgPpaCo0gs71SUdDWt0ku53ywCdPBatnEo/umLHCwRqS2UrgodGONnx8r
bCAeyt6VADoxu50cYIQ/k/eHLz54fkr/QlkUq31wGzgM47lHASYpOmenIYHepCTD
uEjt3SOeByPWyvoa5WOuKe7NkixvOutazYVhSqZvsPkgYaDqwzDi/MMP1ClMVNtm
m5E4h0WYbiYVYmIvbkbfu60s12/jnVhfvMdyYSA3ZdGenjuz413EYTxpCtaLpyci
om4YSN9D18vDGWrUMNeX56r2p1u3ZvL+a+fFRtWE7cJq4tEG8ix4/sr3wpR1JtPg
xsU6+PdPW9RMGcbeeQ5BHc5w1SB6fWQvhEkx3XeLaeD5htEq3c+FqVaSlo8yQDMj
/1x8QMwVDVmlbeA8vkvcwAsdO5jRok/R57Rj7r076v3laQp4QCVf9dURHuJ95pCP
m3Ln2TguVOohV6jtMPtvCrqJQ1C1VUeSkCWTPo9kW4PgiN4O8w0EbBjB6M9B4GZB
0GjrKVJx4SPRK5sJfSL9HFSYEqvvudmGcij8swjjKldiVd/t4Y1bHyY7z4j2TvVp
uNoN3/eZDR5rbkvlcBwoT82NStzpLEpPBIw3Znw7g2gp8jQLH5Xt7XM7Pa30v2Iv
ZvR2kTt08xqjGzXeLYUi
=6dr/
-----END PGP SIGNATURE-----

More information about the devel mailing list