"Workstation" Product defaults to wide-open firewall

Simo Sorce simo at redhat.com
Wed Dec 10 05:08:19 UTC 2014

On Wed, 10 Dec 2014 05:46:32 +0100
Kevin Kofler <kevin.kofler at chello.at> wrote:

> Pete Travis wrote:
> > Lets say I do have an understanding of network basics, just for the
> > sake of argument.  I share my application with you.  The
> > application is intended to listen on the network, you know this and
> > want the application for that purpose.  You run the application, it
> > tries to listen to a network port.
> But as you wrote the application, you know which one, so you just
> tell me the port number, and I open it up in a few clicks in the
> firewall. (Plus, I will also have to set up port forwarding for that
> port in my cable modem's integrated NAT router anyway, so an insecure
> local firewall won't make the application work without you telling me
> the port anyway.) I don't feel inconvenienced at all, it's obvious to
> me. If it were not, you could tell me, or just document what is
> needed in your documentation.

As much as I do not like an insecure default, I think you have not
clear what is the average technical capability of users.

Most users have no idea what NAT, TCP or ports are (nor should they!).
At most they understand *literally* a question like: "do you want this
<application> to be allowed to access the network ?" and you better
name the app in the same way the GUI does it (not the binary name) or
quite a few will be confused about what this is all about.

The problem for the "workstation" people is to build enough
infrastructure to make those simple questions and be able to act on
them, anything in that direction will help, otherwise you are just


Simo Sorce * Red Hat, Inc * New York

More information about the devel mailing list