"Workstation" Product defaults to wide-open firewall

Kevin Kofler kevin.kofler at chello.at
Tue Dec 9 18:27:48 UTC 2014

Przemek Klosowski wrote:
> I think that we should start with the low hanging fruit and simplify the
> firewall zones to two : a public, restricted one and a home/private with
> more ports open; selected by user for each new interface.

Those 2 zones are basically what is defined now with that Workstation 
configuration, the problem is that the default is the trusted zone, whereas 
the default should be untrusted. (Secure by default.) And I also disagree 
that opening ALL unprivileged ports is a sane implementation of the 
home/private zone, it's trusting it almost completely.

And finally, I believe that if we do ship a trusted zone in Fedora (which, 
as per the above, should NOT be the default as it is now in Workstation), it 
should be defined by the firewalld maintainer(s) (the current one was 
defined by the Workstation WG) and shipped by the stock firewalld package 
(not a product-specific subpackage). Doing this per product is a totally 
broken approach.

        Kevin Kofler

More information about the devel mailing list