firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Reindl Harald h.reindl at thelounge.net
Wed Feb 26 18:32:09 UTC 2014



On 26.02.2014 18:39, Simo Sorce wrote:
> Do we have applications that we do not trust and open unwanted ports?
> If we do not trust them why do we install them?

"we" as Fedora is not in the game to decide what a user
wants to be reachable because you do not know the exact
environment

> If we trust them why do we firewall them ?

because when in doubt you *have* open ports and do not know
the network the end user is connected to

> Considering that the default policy on Fedora is not to start daemons
> automatically, I am trying to understand why having a firewall configured
> by default is a good idea.

to prevent what happened in the yum upgrade to F19

* samba pulls cups-libs -> cups-libs pulls avahi-libs -> avahi-libs pulls avahi daemon
the avahi daemon is enabled at install; it was not installed before the upgrade
voilà, you have a listening service pulled in by careless packaging

> Note that I am not saying it is not, but it seem one of those Security
> Dogma that has gone on w/o much formalizing the actual reasons why it
> makes sense to have a local firewall installed.

nothing has gone; in the case above, without iptables avahi would
have been accessible from the WAN on 4 machines. Frankly, you can
have samba installed but not enabled for a lot of reasons, and
then you are in exactly the situation above

> Keep in mind that I make an absolute distinction between local firewall
> and perimeter firewall, the latter is about not trusting all machines in
> a network to be configured correctly or according to an organization
> policy which is a completely different use case from a local firewall

* there are also servers with public WAN connections
* security is *always* depth of defense, nothing ever will change that

in a sane network you have as many barriers as possible
because every one of them could fail by mistake - if it was the
only barrier you have a problem; if you have depth of defense
you have a time window to realize a mistake on whatever layer
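
As an added example, not part of this thread or of Fedora's tooling: a small POSIX sh audit that takes the kind of text `ss -Hltnu` and `firewall-cmd --list-ports` produce and reports which listeners bound to a non-loopback address the active zone actually opens and which are merely shielded by the local firewall, so a daemon pulled in by a dependency chain the way avahi was above shows up as `shielded` instead of going unnoticed. It assumes firewalld services have already been resolved to `port/proto` tokens, and all sample data below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify listening sockets bound to a
# non-loopback address as "exposed" (firewalld opens the port) or "shielded"
# (nothing opens it, so only the local firewall stands in front of it).
# Inputs are plain text, so it works on captured output as well as live on
#   ss -Hltnu   and   firewall-cmd --list-ports
# Assumption: firewalld services have already been resolved to port/proto.

# Constructed sample of `ss -Hltnu` on a host where a dependency chain pulled
# in avahi-daemon (5353/udp) next to sshd and a loopback-only cupsd.
SAMPLE_SS='tcp   LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 128   127.0.0.1:631  0.0.0.0:*
udp   UNCONN 0 0     0.0.0.0:5353   0.0.0.0:*
tcp   LISTEN 0 128   [::]:22        [::]:*'

# Constructed sample of the zone's open ports (`firewall-cmd --list-ports` form).
SAMPLE_OPEN='22/tcp'

# listeners SS_TEXT -> one "port/proto" per line for sockets reachable from
# off-host (wildcard or specific non-loopback bind), de-duplicated.
listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "tcp" || $1 == "udp" {
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            host = $5; sub(/:[^:]*$/, "", host)    # everything before it
            if (host == "127.0.0.1" || host == "[::1]") next
            print port "/" $1
        }' | sort -u
}

# classify SS_TEXT OPEN_PORTS -> "exposed port/proto" | "shielded port/proto"
classify() {
    open=" $(printf '%s' "$2" | tr '\n' ' ') "
    listeners "$1" | while read -r pp; do
        case "$open" in
            *" $pp "*) echo "exposed $pp" ;;
            *)         echo "shielded $pp" ;;
        esac
    done
}

# Number of off-host listeners that only the local firewall is blocking.
shielded_count() {
    classify "$1" "$2" | awk '/^shielded/ { n++ } END { print n + 0 }'
}

# Live use (not run here):
#   classify "$(ss -Hltnu)" "$(firewall-cmd --list-ports)"
```

A non-zero `shielded_count` on a host with no firewall is the avahi case from the upgrade story: services listening that nothing decided to expose.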
