Re: What I HATE about F11

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Lennart Poettering wrote:
On Sun, 14.06.09 18:34, Matthew Garrett (mjg@xxxxxxxxxx) wrote:

So, solving this is pretty easy, even for newbies. But I agree that the
error message will not help someone without advanced knowledge. Although
I think people running Samba generally will know where to look for the
problem.
I think this is actually a problem that needs solving. We have several network services that are either installed by default or might be expected to be part of a standard setup, but which don't work because of the default firewall rules. The Anaconda people have (sensibly, IMHO) refused to simply add further exceptions to the firewall policy.

So, what should happen here? Should we leave the firewall enabled in these cases* by default and require admins to open them? If so, is there any way that we can make this easier in some Packagekit-oriented manner? If not, how should we define that packages indicate that they need ports opened? Should this be handled at install time or run time?

Gah. Allowing packages to pierce the firewall just makes the firewall
redundant.

I still think that the current firewall situation on Fedora is pretty
much broken. It's a bit like SELinux: it's one of the first features
most people disable.

SELinux and the firewall configuration are trying to make the system secure before something happens. If your system is compromised, then it is far too late to react. If you do not care about security, then disable it and have fun with the results.

I wonder why other systems are getting more restrictive and secure over time and for Linux people request the opposite direction.

Fedora is the only big distro that enables a firewall by default and
thus creates a lot of trouble for many users. I think I mentioned that
before, and I can only repeat it here: we should not ship a firewall
enabled by default, like we currently do. If an application cannot be
trusted then it should not be allowed to listen on a port by default
in the first place. A firewall is an extra layer of security that
simply hides the actual problem.

How do you want to get to "it should not be allowed to listen on a port by default"? Maybe with SELinux?

Please remember that there are still services like for example RPC that are using random ports which might be one of those that are open.

Now, it's my impression that some people who control the packages in
question and believe in all this security theater more than I do, seem
to be unwilling to loosen the default firewall. So as a bit of a
compromise here's what I suggest:

I do not think that security is a theater. If the system you are using lacks security and someone could copy and/or remove your private or work data, then you might have big problems.

Add a very simple per-interface firewall profile system to
NetworkManager. Something that is easily reachable from the NM
applet. Something with just two simple profiles by default: one that
allows everything for use in trusted networks, and one that just
allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport
APs). Admins could then add more profiles if they feel the need for
it. And one could bind those profiles to specific networks, so that
people would just have to configure them once. Of course, as
mentioned, these firewall profiles need to be per-interface so that a
vpn interface can be trusted, while the underlying WLAN iface doesn't
have to be trusted.

If there would be a mechanism to define the type of an internet connection or a network segment, then it would surely be possible to make this work even with system-config-firewall. But at the moment there is no such mechanism.

Here is the latest request to add a mechanism like this:
https://bugzilla.redhat.com/show_bug.cgi?id=472784

Lennart


Thomas

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux