"Workstation" Product defaults to wide-open firewall
william at firstyear.id.au
Tue Dec 9 13:10:42 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 09 Dec 2014 10:08:06 +0100
Nikos Mavrogiannopoulos <nmav at redhat.com> wrote:
> On Tue, 2014-12-09 at 17:29 +1030, William B wrote:
> > > > I just happened to look at the firewalld default settings, and I
> > > > was not amused when I noticed this:
> > > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > > > > <port protocol="udp" port="1025-65535"/>
> > > > > <port protocol="tcp" port="1025-65535"/>
> > > > This "firewall" is a joke! ALL higher ports are wide open!
> > I want to point out that for many home users, going into the future
> > this is worse than it seems. Many of us are just thinking about the
> > local network. Firewalld implements these rules not just for ipv4,
> > but ipv6 too. If you have a low quality home router, that just lets
> > ipv6 traffic in, you aren't just exposed to the whole network, but
> > the whole internet. While ipv6 relies somewhat on well configured
> > router firewalls, we cannot guarantee this.
> That is compromise. Of course there are untrustworthy LANs. However we
> shouldn't cripple functionality for users on their trusted lan because
> there may be few users in a LAN they don't trust. If you are in such a
> lan, then I'd expect to switch your firewall's zone. If the installer
> could do that automatically, it would be even better.
Can you personally, with 100% confidence tell me you completely understand the inner workings and firewall of your home? Your work? Have you pen tested them? Are you sure that they are open in some way you don't expect? If you answer no to any of these, you should probably reconsider how open your systems firewall is.
I think that sacrificing security for convinence is not an option. Sometimes security can be hard, and the convinence look nice, but I want to strongly reiterate that the solution is not to open all ports and fool our users, but to create a secure by default os, that gives users control of that. If that means we need to face the hard truths and write some code to make a better firewalld ui, then so be it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the devel