"Workstation" Product defaults to wide-open firewall

Christian Schaller cschalle at redhat.com
Tue Dec 9 14:50:04 UTC 2014

----- Original Message -----
> From: "Robert Marcano" <robert at marcanoonline.com>
> To: "Development discussions related to Fedora" <devel at lists.fedoraproject.org>
> Sent: Tuesday, December 9, 2014 8:57:51 AM
> Subject: Re: "Workstation" Product defaults to wide-open firewall
> 
> On 12/09/2014 08:53 AM, Reindl Harald wrote:
> >
> >
> > Am 09.12.2014 um 14:16 schrieb Bastien Nocera:
> >>> On Tue, Dec 09, 2014 at 12:54:59PM +0100, Gerd Hoffmann wrote:
> >>>> Why we can't have something like this?  And if you don't want a popup
> >>>> asking, have something in the NetworkManager applet menu, where people
> >>>> can easily find the switch without having to search for it?  A "[x]
> >>>> allow sharing" checkbox?  A firewall zone selector?
> >>>
> >>> We can — we just need someone to design and write it.
> >>
> >> A design for something that we don't want to implement.
> >
> > and that is the point - you do not want and care because you seem to
> > think users are too stupid to make their own decisions - you know what
> > Linus said to that in direction of GNOME?
> >
> >> This was one of the
> >> options when implementing the feature, one that we didn't pursue. We
> >> chose
> >> instead to use "user intent" as a way to do this.
> >>
> >> If you start sharing something on a network, then we consider it safe
> >> to share.
> >
> > the problem is that you don't know *who* or *what* opened the port
> 
> Exactly, I think some people think we already reached the utopic world,
> where everyone installs FLOSS applications from the repositories, and no
> one uses closed source applications, or worse where all sharing is done
> using the GNOME control panel, and there aren't applications that don't
> take into account the GNOME way of doing things.
> 
> What I see frequently are applications that are installed from outside
> the Fedora repositories, that can be forced to behave like Fedora
> packaging rules, with secure defaults before sharing, being installed,
> and the user that doesn't know much about firewall settings but understands
> that the firewall is active then thinks: I feel "secure" because I know
> the firewall is blocking external requests.

Speaking from personal experience my thoughts were never 'I feel so safe', instead
I just felt annoyed that for the gazillionth time things didn't work due to the firewall
blocking the application or service I was trying to run. And after trying to Google and
only finding Ubuntu specific commands that never seemed to work or commands which were only relevant
to Fedora 12, I tended to disable the firewall while asking myself why after all these years things
still sucked as much.

Christian


> and then in that utopic world things fail, for example, Fedora packaging
> rules prefer that packages are installed with sensitive defaults. I
> reported a bug about all cron email output being sent by default and it
> was discarded as a security bug (pulled by an update)
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1157727
> https://bugzilla.redhat.com/show_bug.cgi?id=1158493
> https://lists.fedoraproject.org/pipermail/devel/2014-October/203781.html
> 
> This is no open port, but it shows that packages can have bugs and that
> something that is closed by default today can in the future be pulled
> in as an update and start sharing things. Those are bugs, true, but the
> idea of opening the firewall entirely defeats the measure of defense
> already in place. To me it sounds like disabling SELinux on workstation
> because people find it difficult and decide to disable it instead.
> 
> The problem that is being tried to "solve" is that people choose to
> disable the firewall. Why not add a simple option to the GNOME sharing
> tools to change the firewall zone to the one where ports >1024 are open
> when the user decides to share something, with the possibility of
> selecting no for those people that only want to open the needed
> ports?
> 
> Note: I hope to not be called a troll here (joke, someone will understand)
> 
> >
> >> If you connect to a public unencrypted Wi-Fi, you won't have the
> >> option to. If
> >> you connect to an encrypted Wi-Fi where sharing your holiday photos
> >> isn't acceptable
> >> then it won't, because you didn't ask it to in the first place
> >
> > besides suspend / move machine
> >
> > a sane firewall design (sadly Windows has that in the meantime) is that
> > if I open a port in my home network, suspend the machine and wake it up
> > in a foreign network, ports are closed until I decide to open them there
> > too, but Fedora goes the easy way "who cares how and why as long as things
> > appear to work"
> >
> > *who* told you that people don't share things *unintentionally* by a wrong
> > click which is *not* a problem until you decide to open ports
> >
> >
> >
> 
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
