"Workstation" Product defaults to wide-open firewall
Chris Murphy
lists at colorremedies.com
Tue Dec 9 17:39:18 UTC 2014
On Tue, Dec 9, 2014 at 2:08 AM, Nikos Mavrogiannopoulos <nmav at redhat.com> wrote:
> On Tue, 2014-12-09 at 17:29 +1030, William B wrote:
>> > > I just happened to look at the firewalld default settings, and I
>> > > was not amused when I noticed this:
>> > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
>> > > > <port protocol="udp" port="1025-65535"/>
>> > > > <port protocol="tcp" port="1025-65535"/>
>> > > This "firewall" is a joke! ALL higher ports are wide open!
>>
>> I want to point out that for many home users, going into the future
>> this is worse than it seems. Many of us are just thinking about the
>> local network. Firewalld implements these rules not just for ipv4, but
>> ipv6 too. If you have a low quality home router, that just lets ipv6
>> traffic in, you aren't just exposed to the whole network, but the whole
>> internet. While ipv6 relies somewhat on well configured router
>> firewalls, we cannot guarantee this.
>
> That is compromise. Of course there are untrustworthy LANs. However we
> shouldn't cripple functionality for users on their trusted lan because
> there may be few users in a LAN they don't trust. If you are in such a
> lan, then I'd expect to switch your firewall's zone. If the installer
> could do that automatically, it would be even better.
If the join wifi UI were to accept one piece of additional metadata
about the connection it's storing: home, work, friend, public, each
connection could be associated with an appropriate firewall zone
automatically. And if the AP is insecure, a rule could set the zone to
public by default.
Typical users don't manually switch firewall zones. They can't even do
this on tablet and mobile devices.
--
Chris Murphy
More information about the devel
mailing list