On 04/15/2014 04:28 PM, Christian Schaller wrote:
> ----- Original Message -----
> From: "Reindl Harald" <h.reindl@xxxxxxxxxxxxx>
> To: devel@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Tuesday, April 15, 2014 11:40:20 AM
> Subject: Re: F21 System Wide Change: Workstation: Disable firewall
>
>> On 15.04.2014 11:32, drago01 wrote:
>>> On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx>
>>> wrote:
>>>> allowing any random application to open an unprivileged
>>>> port which is reachable from outside is dangerous
>>> We already allow that and have for a long while. Any application bothering to support the firewalld dbus interface can open any port
>>> they wish to.
>> Are you running your desktop as root, or are all your applications
>> authenticated? - I hope not.
Only authenticated applications and services can modify the firewall.
> There was a long thread about this on the desktop mailing list, and I was not in the 'disable the firewall' camp in that discussion,
> but nobody in that thread or here has articulated how exactly the firewall enhances security in the situation where we at the
> same time need to allow each user to have any port they desire opened for traffic to make sure things like DLNA or Chromecast work.
You can simply use different zones for the different connections you are
using. Most likely you do not want to enable DLNA and Chromecast in a
public internet cafe, but at home. So simply marking your home Wifi
using the trusted zone is the trick to allow everything within this Wifi
only. It is also possible to change the zone that is used for a connection.
You can bind connections or interfaces to zones in ifcfg files and in
NetworkManager - probably not in the gnome 3 UI, but in all other UI
versions ...
> The thread discussing this ended up with mostly being a discussion of whether the firewall would be a useful way to keep users from accidentally
> oversharing on a public network. Which is important and something we want to work on, but a lot less so than security issues.
>
> Christian
Thomas
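As an added illustration of the ifcfg zone binding Thomas describes (this is not code from the thread or from firewalld): two constructed ifcfg files, one bound to the trusted zone and one left unbound, plus a small POSIX shell helper that reports which zone each connection would land in, falling back to firewalld's default zone. The file names, ESSIDs, the `zone_of_ifcfg` helper and the choice of `public` as default zone are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: how ZONE= in an ifcfg file selects the
# firewalld zone for a connection. Sample files below are constructed.

# zone_of_ifcfg FILE DEFAULT: print the zone FILE binds to. An ifcfg file
# with no ZONE= line (or an empty one) falls back to DEFAULT, i.e. the
# firewalld default zone, which is "public" on a stock Fedora install.
zone_of_ifcfg() {
    zone=$(sed -n 's/^ZONE=//p' "$1" | tail -n 1 | tr -d '"')
    printf '%s\n' "${zone:-$2}"
}

# Scratch directory for the constructed samples (left in place for inspection).
SAMPLES=$(mktemp -d)

# Home Wi-Fi: explicitly bound to "trusted", so everything is accepted from
# this network only, which is what DLNA/Chromecast need.
cat > "$SAMPLES/ifcfg-home-wifi" <<'EOF'
TYPE=Wireless
NAME=home-wifi
ESSID=constructed-home-ssid
ZONE=trusted
EOF

# Cafe Wi-Fi: no ZONE= line, so it inherits the default zone and stays closed.
cat > "$SAMPLES/ifcfg-cafe-wifi" <<'EOF'
TYPE=Wireless
NAME=cafe-wifi
ESSID=constructed-cafe-ssid
EOF

# Show connection -> zone for every sample.
for f in "$SAMPLES"/ifcfg-*; do
    printf '%-20s %s\n' "$(basename "$f")" "$(zone_of_ifcfg "$f" public)"
done

# The same binding done live with NetworkManager or firewalld (not executed
# here; assumes a connection named home-wifi on interface wlan0):
#   nmcli connection modify home-wifi connection.zone trusted
#   firewall-cmd --zone=trusted --change-interface=wlan0
#   firewall-cmd --get-active-zones      # verify which zone wlan0 ended up in
```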
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct