"Workstation" Product defaults to wide-open firewall
Kevin Kofler
kevin.kofler at chello.at
Tue Dec 9 18:27:48 UTC 2014
Przemek Klosowski wrote:
> I think that we should start with the low-hanging fruit and simplify the
> firewall zones to two: a public, restricted one and a home/private with
> more ports open; selected by user for each new interface.
Those 2 zones are basically what is defined now with that Workstation
configuration, the problem is that the default is the trusted zone, whereas
the default should be untrusted. (Secure by default.) And I also disagree
that opening ALL unprivileged ports is a sane implementation of the
home/private zone; it's trusting it almost completely.

And finally, I believe that if we do ship a trusted zone in Fedora (which,
as per the above, should NOT be the default as it is now in Workstation), it
should be defined by the firewalld maintainer(s) (the current one was
defined by the Workstation WG) and shipped by the stock firewalld package
(not a product-specific subpackage). Doing this per product is a totally
broken approach.
Kevin Kofler