Lennart Poettering wrote:
On Mon, 15.06.09 12:41, Thomas Woerner (twoerner@xxxxxxxxxx) wrote:
So, what should happen here? Should we leave the firewall enabled in
these cases* by default and require admins to open them? If so, is
there any way that we can make this easier in some
Packagekit-oriented manner? If not, how should we define that
packages indicate that they need ports opened? Should this be handled
at install time or run time?
Gah. Allowing packages to pierce the firewall just makes the firewall
redundant.
I still think that the current firewall situation on Fedora is pretty
much broken. It's a bit like SELinux: it's one of the first features
most people disable.
SELinux and the firewall configuration are trying to make the system
secure before something happens. If your system is compromised, then it
is far too late to react. If you do not care about security, then
disable it and have fun with the results.
You know, there is one big difference between SELinux and the default
Firewall. The former doesn't inhibit the use of an application (at
least if the policy is written correctly) because it whitelists every
operation an application should be able to use but nothing else. OTOH
the default firewall actively breaks a lot of applications we ship by
default. It most of the time it even does that silently, without
reporting EPERM or suchlike back to the application.
Really, if SELinux is set up properly nobody should notice it. However
the default firewall breaks a lot of services, and is hence very much
noticeable.
I wonder why other systems are getting more restrictive and secure over
time and for Linux people request the opposite direction.
Oh my. I wonder why other systems work by default and Fedora doesn't.
Fedora is the only big distro that enables a firewall by default and
thus creates a lot of trouble for many users. I think I mentioned that
before, and I can only repeat it here: we should not ship a firewall
enabled by default, like we currently do. If an application cannot be
trusted then it should not be allowed to listen on a port by default
in the first place. A firewall is an extra layer of security that
simply hides the actual problem.
How do you want to get to "it should not be allowed to listen on a port
by default"? Maybe with SELinux?
Yes, SELinux is fine for that. Or simply by not shipping the app at
all if it's shit.
According to your own statement SELinux is disabled for most users.
Therefore this is not possible.
An other thing: How do you limit access to a network segment with
SELinux? For this you need to have a firewall. Please remember that you
might not want to share your database for use in your home office
intranet with the world if you are connected to a internet wifi access
point while waiting for a flight. Here it should be possible to specify
the type of the connection and mark the wifi connection as non trusted.
Changing the configuration of the service itself might lead to a
configuration chaos, because you have to be able to configure every
service properly according to your black and white lists.
Also do not forget to think about security holes in applications and
services. They do exist. Saying that you do not need to have the system
as secure as possible, because there is no risk is like ignoring
reality. If you want to drop all packages, which have or had at minimum
one security problem, then you will end up without any applications and
packages.
Lennart
Thomas
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
