"Workstation" Product defaults to wide-open firewall

Bastien Nocera bnocera at redhat.com
Wed Dec 10 11:47:50 UTC 2014
----- Original Message -----
> On 10 December 2014 at 00:43, Bastien Nocera <bnocera at redhat.com> wrote:
> >
> >
> > ----- Original Message -----
> >> On 9 December 2014 at 13:47, Matthew Miller <mattdm at fedoraproject.org>
> >> wrote:
> >> > On Tue, Dec 09, 2014 at 01:11:33PM +0000, Ian Malone wrote:
> >> >> > have a proposal for a new spin focused on privacy and security — the
> >> >> > Netizen Spin. (If you're interested, I think that could use
> >> >> > additional
> >> >> > contributors.)
> >> >> I was under the impression spins were to be phased out. I could be
> >> >> wrong, the discussion was about the time of the product proposal.
> >> >
> >> > That's wrong; the clear outcome of that discussion was that we want to
> >> > keep them, and provide more flexibility and opportunity for spins
> >> > maintainers as well.
> >> >
> >>
> >> Well that's some good news to come out of this at least.
> >>
> >> > Everyone knows that there are improvements to be made, but it's _not_
> >> > an easy problem. Contributions are welcome towards making that better
> >> > for F22 and beyond. (Use cases. Design mockups. Code....)
> >> >
> >>
> >> Rather time poor at the moment and not a gnome developer
> >> unfortunately. Does rather sound like things like rygel need fixed,
> >> but as I have no intention of ever using it I'm not highly motivated
> >> to do something about it.
> >
> > Just like Reindl you make the mistake of thinking that rygel needs to be
> > fixed, or that it's the only service impacted by this scheme. It's not,
> > and it was pointed out in earlier mails.
> >
> 
> You're sniping at me now, and making assumptions. So I get to do this,
> please read the fedora code of conduct and be awesome!
> http://fedoraproject.org/code-of-conduct

Given the amount of time I've thrown into this dead-end thread, I think
I'm already pretty awesome.

> I have skimmed the links you listed. Like I said, time poor.

You'll accuse me of being rude again, but if you can't read 3 pages of text
because of the lack of time, maybe spending that time throwing factually
and technically incorrect suggestions on the list shouldn't be at the top of
your TODO list.

> I see no
> explanation of why rygel needs a random port or why it cannot supply
> that information to firewalld. The same goes for any others that have
> random ports.

Because that's the mechanism the kernel offers for applications when selecting a
port isn't important, the high port isn't defined by the IANA, and the specs
(DLNA/UPnP in this case) don't force particular ports to be opened.

Even if we chose static ports for those (or rather port ranges, because if you
have multiple users running, you'd need multiple ports), leaving only those ports
opened wouldn't stop other random applications from choosing those ports to
do something nefarious. You're just limiting the availability of ports without
increasing security.
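An added illustration of the point above (not code from the thread, from rygel or from firewalld; the "media service" policy and the 49152-49200 range are constructed): a listener bound to port 0 gets a kernel-chosen high port, and a port-number rule admits any program that binds inside the allowed range, so it cannot tell the intended service from an unrelated one.

```python
import socket

# Added illustration, not code from the thread, rygel or firewalld.

def bind_ephemeral():
    """Bind to port 0 so the kernel picks a free high port; return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))          # 0 = "kernel, choose an unused ephemeral port"
    s.listen(1)
    return s, s.getsockname()[1]

def bind_in_range(lo, hi):
    """Pick any free port inside [lo, hi], as any unprivileged program can for ports > 1023.
    Returns (socket, port); raises OSError if the whole range is busy."""
    for port in range(lo, hi + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", port))
            s.listen(1)
            return s, port
        except OSError:
            s.close()
    raise OSError(f"no free port in {lo}-{hi}")

def port_rule_allows(port, allowed_ranges):
    """Model of a port-number firewall rule: it sees the port, never the program."""
    return any(lo <= port <= hi for lo, hi in allowed_ranges)

def demo(policy=((49152, 49200),)):
    """Hypothetical policy: 'open only the static range reserved for the media service'.
    Returns what a port-only rule would admit."""
    kernel_sock, kernel_port = bind_ephemeral()
    svc_sock, svc_port = bind_in_range(*policy[0])      # the intended service
    other_sock, other_port = bind_in_range(*policy[0])  # an unrelated program in the same range
    try:
        return {
            "kernel_port_is_high": kernel_port >= 1024,
            "service_port": svc_port,
            "other_port": other_port,
            "service_allowed": port_rule_allows(svc_port, policy),
            "other_allowed": port_rule_allows(other_port, policy),
        }
    finally:
        for s in (kernel_sock, svc_sock, other_sock):
            s.close()

if __name__ == "__main__":
    print(demo())
```

Both listeners land inside the "allowed" range and both pass the rule; only something that identifies the program (a process, user or service identity), not the port number, can distinguish them.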
