On Wed, Mar 23, 2016 at 8:06 PM Rick Stevens <ricks@xxxxxxxxxxxxxx> wrote:
On 03/23/2016 04:31 PM, George N. White III wrote:
> On Wed, Mar 23, 2016 at 7:57 PM, François Patte
> <francois.patte@xxxxxxxxxxxxxxxxxxxx
> <mailto:francois.patte@xxxxxxxxxxxxxxxxxxxx>> wrote:
[snip]
This is a security issue. Automatically opening your firewall to permit
ipp and such could be inviting attacks from the outside world.
Obviously, if your machine is behind another firewall protecting you
from the big, bad Internet then yeah, there's really no problem with
opening up ipp and such on your _machine's_ firewall.
[snip]
I agree. This is a big security issue. I certainly wouldn't want any package to automatically open any ports when I install or start a service. I think this was a problem not too long ago with the situation where the default firewalld zone for the Workstation product had every port open... and there was quite the discussion about the pros and cons of that in terms of security and out-of-box experience. I lean towards the secure side.
However, I empathize with the desire to make it easier to install and configure network services without such surprises. Perhaps there are some better ways for installed services to notify users of their requirement or recommendation for a particular firewall configuration, which can be standardized and put to use for all such network services?
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org