"Workstation" Product defaults to wide-open firewall

Stephen Gallagher sgallagh at redhat.com
Tue Dec 9 14:06:29 UTC 2014




On Tue, 2014-12-09 at 08:23 -0500, Bastien Nocera wrote:
> 
> ----- Original Message -----
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On Tue, 09 Dec 2014 10:08:06 +0100
> > Nikos Mavrogiannopoulos <nmav at redhat.com> wrote:
> > 
> > > On Tue, 2014-12-09 at 17:29 +1030, William B wrote:
> > > > > > I just happened to look at the firewalld default settings, and I
> > > > > > was not amused when I noticed this:
> > > > > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > > > > > >  <port protocol="udp" port="1025-65535"/>
> > > > > > >  <port protocol="tcp" port="1025-65535"/>
> > > > > > This "firewall" is a joke! ALL higher ports are wide open!
> > > > 
> > > > I want to point out that for many home users, going into the future
> > > > this is worse than it seems. Many of us are just thinking about the
> > > > local network. Firewalld implements these rules not just for ipv4,
> > > > but ipv6 too. If you have a low quality home router, that just lets
> > > > ipv6 traffic in, you aren't just exposed to the whole network, but
> > > > the whole internet. While ipv6 relies somewhat on well configured
> > > > router firewalls, we cannot guarantee this.
> > > 
> > > That is a compromise. Of course there are untrustworthy LANs. However we
> > > shouldn't cripple functionality for users on their trusted lan because
> > > there may be few users in a LAN they don't trust. If you are in such a
> > > lan, then I'd expect to switch your firewall's zone. If the installer
> > > could do that automatically, it would be even better.
> > > 
> > 
> > Can you personally, with 100% confidence tell me you completely understand
> > the inner workings and firewall of your home? Your work? Have you pen tested
> > them? Are you sure that they are open in some way you don't expect? If you
> > answer no to any of these, you should probably reconsider how open your
> > system's firewall is.
> > 
> > I think that sacrificing security for convenience is not an option. Sometimes
> > security can be hard, and the convenience looks nice, but I want to strongly
> > reiterate that the solution is not to open all ports and fool our users, but
> > to create a secure by default os, that gives users control of that. If that
> > means we need to face the hard truths and write some code to make a better
> > firewalld ui, then so be it.
> 
> To do that, you would need to understand that security isn't a black and white
> thing, it's different shades of gray. You also didn't consider privacy into the
> mix, which is related to security, but different from it.
> 
> If by opening up some ports that would have hampered the user, rather than protect
> them[1], we avoid the users disabling the firewall, and exposing security critical
> services (such as exposing rpcbind, or ntpd, or any other root service), then it's
> a win for me.
> 
> [1]: I haven't seen anything but arm-flailing on that issue. If somebody wants to
> go into details about what a server running inside the user's session would be
> able to do that a client wouldn't be able to, feel free.


Just to answer that, you're assuming that the only risk is to the local
machine. A service running in a local user session can be opening a port
for a command-and-control server somewhere out on the internet to use
the machine as a bot-net. That's likely not going to have much of an
effect on your local machine (besides increasing load), but it *is* a
security concern.
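
An added example, not part of the original message or of firewalld: a small audit that parses a firewalld zone file and reports `<port>` rules as broad as the two quoted earlier in the thread. The sample zone is constructed around those two lines, and `audit_zone`, `parse_port_spec` and the `max_span` threshold are hypothetical names chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone: only the two wide <port> lines are quoted in the
# thread; the other elements are assumed here for illustration.
SAMPLE_ZONE = """<zone>
  <short>Sample Workstation</short>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
  <port protocol="tcp" port="8080"/>
</zone>
"""

def parse_port_spec(spec):
    """Return (low, high) for a zone port attribute: 'N' or 'N-M'."""
    low, _, high = spec.strip().partition("-")
    low = int(low)
    high = int(high) if high else low
    if not (0 < low <= high <= 65535):
        raise ValueError(f"invalid port spec: {spec!r}")
    return low, high

def audit_zone(xml_text, max_span=100):
    """List <port> rules opening more than max_span ports (assumed threshold)."""
    findings = []
    for elem in ET.fromstring(xml_text).iter("port"):
        low, high = parse_port_spec(elem.get("port", ""))
        span = high - low + 1
        if span > max_span:
            findings.append({
                "protocol": elem.get("protocol", "?"),
                "range": (low, high),
                "ports": span,
                "share": round(span / 65535, 3),  # fraction of the port space
            })
    return findings

if __name__ == "__main__":
    for f in audit_zone(SAMPLE_ZONE):
        lo, hi = f["range"]
        print(f"{f['protocol']} {lo}-{hi}: {f['ports']} ports open "
              f"({f['share']:.1%} of the port space)")
```
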