"Workstation" Product defaults to wide-open firewall

Chris Murphy lists at colorremedies.com
Tue Dec 9 17:39:18 UTC 2014

On Tue, Dec 9, 2014 at 2:08 AM, Nikos Mavrogiannopoulos <nmav at redhat.com> wrote:
> On Tue, 2014-12-09 at 17:29 +1030, William B wrote:
>> > > I just happened to look at the firewalld default settings, and I
>> > > was not amused when I noticed this:
>> > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
>> > > >  <port protocol="udp" port="1025-65535"/>
>> > > >  <port protocol="tcp" port="1025-65535"/>
>> > > This "firewall" is a joke! ALL higher ports are wide open!
>> I want to point out that for many home users, going into the future
>> this is worse than it seems. Many of us are just thinking about the
>> local network. Firewalld implements these rules not just for IPv4, but
>> IPv6 too. If you have a low quality home router that just lets IPv6
>> traffic in, you aren't just exposed to the whole network, but the whole
>> internet. While IPv6 relies somewhat on well configured router
>> firewalls, we cannot guarantee this.
> That is a compromise. Of course there are untrustworthy LANs. However we
> shouldn't cripple functionality for users on their trusted LAN because
> there may be a few users in a LAN they don't trust. If you are in such a
> LAN, then I'd expect you to switch your firewall's zone. If the installer
> could do that automatically, it would be even better.

If the join wifi UI were to accept one piece of additional metadata
about the connection it's storing: home, work, friend, public, each
connection could be associated with an appropriate firewall zone
automatically. And if the AP is insecure, a rule could set the zone to
public by default.

Typical users don't manually switch firewall zones. They can't even do
this on tablet and mobile devices.

Chris Murphy
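As an added example (not code from this thread or from the firewalld project), the script below parses firewalld zone XML and counts how many ports the explicit <port> rules open per protocol, so the "wide open" claim above can be checked mechanically; it runs on a constructed copy of the two rules quoted from FedoraWorkstation.xml and on a tightened variant. The service lines in the samples and the 1024-port threshold are assumptions for illustration.

```python
"""Audit firewalld zone XML for wide-open port ranges."""
import xml.etree.ElementTree as ET

# Constructed sample: the two <port> rules quoted in the thread; the
# <service> lines are illustrative, not a copy of the real file.
WORKSTATION_ZONE = """<zone>
  <short>Fedora Workstation (constructed sample)</short>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>
"""

# Constructed tightened variant: only named services, no blanket ranges.
TIGHTENED_ZONE = """<zone>
  <short>Tightened (constructed sample)</short>
  <service name="ssh"/>
</zone>
"""


def open_port_count(zone_xml):
    """Return {protocol: ports opened by explicit <port> rules}.

    A port attribute is either a single port ("22") or an inclusive
    range ("1025-65535"); services are not expanded here.
    """
    root = ET.fromstring(zone_xml)
    counts = {}
    for rule in root.findall("port"):
        proto = rule.get("protocol")
        lo, _, hi = rule.get("port").partition("-")
        n = (int(hi) - int(lo) + 1) if hi else 1
        counts[proto] = counts.get(proto, 0) + n
    return counts


def wide_open(zone_xml, threshold=1024):
    """True if any protocol opens more than `threshold` ports (assumed cutoff)."""
    return any(n > threshold for n in open_port_count(zone_xml).values())


if __name__ == "__main__":
    for name, xml in (("workstation", WORKSTATION_ZONE),
                      ("tightened", TIGHTENED_ZONE)):
        verdict = "WIDE OPEN" if wide_open(xml) else "ok"
        print(name, open_port_count(xml), verdict)
```

Point it at a file with `open_port_count(open("/path/to/zone.xml").read())`; on the sample it reports 64511 open ports per protocol, which is the whole unprivileged range.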
