"Workstation" Product defaults to wide-open firewall

Bastien Nocera bnocera at redhat.com
Tue Dec 9 13:23:46 UTC 2014



----- Original Message -----
> On Tue, 09 Dec 2014 10:08:06 +0100
> Nikos Mavrogiannopoulos <nmav at redhat.com> wrote:
> 
> > On Tue, 2014-12-09 at 17:29 +1030, William B wrote:
> > > > > I just happened to look at the firewalld default settings, and I
> > > > > was not amused when I noticed this:
> > > > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > > > > >  <port protocol="udp" port="1025-65535"/>
> > > > > >  <port protocol="tcp" port="1025-65535"/>
> > > > > This "firewall" is a joke! ALL higher ports are wide open!
> > > 
> > > I want to point out that for many home users, going into the future
> > > this is worse than it seems. Many of us are just thinking about the
> > > local network. Firewalld implements these rules not just for ipv4,
> > > but ipv6 too. If you have a low quality home router, that just lets
> > > ipv6 traffic in, you aren't just exposed to the whole network, but
> > > the whole internet. While ipv6 relies somewhat on well configured
> > > router firewalls, we cannot guarantee this.
> > 
> > That is a compromise. Of course there are untrustworthy LANs. However we
> > shouldn't cripple functionality for users on their trusted lan because
> > there may be few users in a LAN they don't trust. If you are in such a
> > lan, then I'd expect to switch your firewall's zone. If the installer
> > could do that automatically, it would be even better.
> > 
> 
> Can you personally, with 100% confidence tell me you completely understand
> the inner workings and firewall of your home? Your work? Have you pen tested
> them? Are you sure that they are open in some way you don't expect? If you
> answer no to any of these, you should probably reconsider how open your
> system's firewall is.
> 
> I think that sacrificing security for convenience is not an option. Sometimes
> security can be hard, and the convenience looks nice, but I want to strongly
> reiterate that the solution is not to open all ports and fool our users, but
> to create a secure by default os, that gives users control of that. If that
> means we need to face the hard truths and write some code to make a better
> firewalld ui, then so be it.

To do that, you would need to understand that security isn't a black and white
thing, it's different shades of gray. You also didn't consider privacy into the
mix, which is related to security, but different from it.

If by opening up some ports that would have hampered the user, rather than protect
them[1], we avoid the users disabling the firewall, and exposing security critical
services (such as exposing rpcbind, or ntpd, or any other root service), then it's
a win for me.

[1]: I haven't seen anything but arm-flailing on that issue. If somebody wants to
go into details about what a server running inside the user's session would be
able to do that a client wouldn't be able to, feel free.
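
An added example, not part of the original message or of firewalld: a small audit that measures how much of the port space a zone file's `<port>` entries open, using the two lines quoted in the thread. The sample zone wrapper, the `ssh` service, the 8080 entry and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone: the two wide <port> lines are the ones quoted in
# the thread; the <zone> wrapper, <short>, <service> and 8080 are assumptions.
SAMPLE_ZONE = """<zone>
  <short>Sample Workstation</short>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
  <port protocol="tcp" port="8080"/>
</zone>
"""

def parse_range(spec):
    """Return (low, high) for a port spec such as '8080' or '1025-65535'."""
    low, _, high = spec.partition("-")
    low = int(low)
    high = int(high) if high else low
    if not (0 < low <= high <= 65535):
        raise ValueError(f"invalid port spec: {spec!r}")
    return low, high

def audit_zone(xml_text, max_span=100):
    """List (protocol, low, high, count) for every <port> wider than max_span."""
    findings = []
    for port in ET.fromstring(xml_text).iter("port"):
        low, high = parse_range(port.get("port", ""))
        count = high - low + 1
        if count > max_span:
            findings.append((port.get("protocol"), low, high, count))
    return findings

def open_fraction(xml_text, protocol):
    """Fraction of one protocol's 65535 ports opened by <port> entries.

    <service> entries are not resolved here, so the result is a lower bound.
    """
    opened = set()
    for port in ET.fromstring(xml_text).iter("port"):
        if port.get("protocol") == protocol:
            low, high = parse_range(port.get("port", ""))
            opened.update(range(low, high + 1))  # a set, so overlaps count once
    return len(opened) / 65535

if __name__ == "__main__":
    for proto, low, high, count in audit_zone(SAMPLE_ZONE):
        print(f"{proto}: {low}-{high} opens {count} ports")
    print(f"tcp coverage: {open_fraction(SAMPLE_ZONE, 'tcp'):.1%}")
```

Because firewalld applies a zone's rules to both IPv4 and IPv6, the coverage figure holds for either address family.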

