Re: F21 System Wide Change: Workstation: Disable firewall

On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
> On 15.04.2014 16:28, Christian Schaller wrote:
>
>> There was a long thread about this on the desktop mailing list, and I was
>> not in the 'disable the firewall' camp in that discussion, but nobody in
>> that thread or here has articulated how exactly the firewall enhances security
>> in the situation where we at the same time need to allow each user to have any
>> port they desire opened for traffic to make sure things like DLNA or Chromecast
>> work.
>
> that is pretty easy - defaults have to be closed for anything and the user
> has to make a choice, otherwise if there are critical security
> updates after a release you have *exactly* the same as WinXP SP2

WinXP SP2 needed a firewall because MS didn't want to close ports 139
and 445 for real.  So instead they hacked it up with a firewall.  This
meant that, if you had the firewall blocking those ports, you were
okay, but if they were open (e.g. because you were at home), you were
screwed.

This is *not* a good thing.

Can someone explain what threat is effectively mitigated by a firewall
on a workstation machine?  Here are some bad answers:

 - Being pwned via MS's notoriously insecure SMB stack?  Not actually
a problem for Fedora.

 - WebRTC, VOIP, etc. issues?  These use NAT traversal techniques that
are specifically designed to prevent your firewall from operating as
intended.

 - DLNA / Chromecast / whatever: wouldn't it be a lot more sensible
for these things to be off until specifically requested?  Who actually
uses a so-called "zone" UI correctly to configure them?  How about
having an API where things like DLNA can simply not run until you're
connected to your home network?

Also, having a firewall on exposes you to a huge attack surface in
iptables, and it doesn't protect against attacks targeting the
kernel's IP stack.

I'm all for "secure by default", but I'm not at all convinced that
current desktop firewalls add any real security.

--Andy
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
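The thread argues about two models: a host firewall with a "zone" UI that the user is supposed to configure, versus services such as DLNA or Chromecast discovery that simply stay off until the machine is on a network the user has marked as trusted. The script below is an added example written for this page, not code from Fedora, firewalld, or any participant in the thread. It models the second approach as a small policy engine: inbound traffic is dropped by default, a service is reachable only after the user enables it, and services flagged trusted-only are exposed solely while the current network matches a fingerprint the user previously approved. The network fingerprint (SSID plus gateway MAC), the service names, and the port numbers are assumptions chosen for illustration; the rendered nftables ruleset uses only standard nft syntax but is not a configuration any distribution ships.

```python
"""Default-deny host policy: expose LAN services (DLNA/Chromecast discovery)
only while attached to a network the user has explicitly trusted.

Constructed example for illustration. The fingerprints, service names and
port numbers are assumptions, not a real Fedora or firewalld configuration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    name: str
    proto: str          # "tcp" or "udp"
    port: int
    trusted_only: bool  # True: reachable only on a trusted network


# Assumed port numbers for the services the thread mentions.
SERVICES = {
    "ssdp":      Service("ssdp",      "udp", 1900, trusted_only=True),   # DLNA discovery
    "mdns":      Service("mdns",      "udp", 5353, trusted_only=True),   # Chromecast/Avahi discovery
    "dlna-http": Service("dlna-http", "tcp", 8200, trusted_only=True),   # assumed media server port
    "ssh":       Service("ssh",       "tcp", 22,   trusted_only=False),  # user may expose anywhere
}


@dataclass(frozen=True)
class Network:
    """Identity of the network the host is currently attached to (assumed scheme)."""
    ssid: str
    gateway_mac: str

    def fingerprint(self):
        return f"{self.ssid}|{self.gateway_mac.lower()}"


# Constructed sample networks.
HOME = Network("home-wifi", "AA:BB:CC:DD:EE:01")
CAFE = Network("free-cafe", "AA:BB:CC:DD:EE:02")


@dataclass
class Policy:
    trusted: set = field(default_factory=set)   # fingerprints the user approved
    enabled: set = field(default_factory=set)   # services the user switched on

    def trust(self, net):
        """Mark the network as one on which trusted-only services may run."""
        self.trusted.add(net.fingerprint())

    def enable(self, name):
        """Switch a service on; it is still gated by the network check."""
        if name not in SERVICES:
            raise KeyError(name)
        self.enabled.add(name)

    def exposed(self, net):
        """Return the set of (proto, port) reachable from network `net`."""
        on_trusted = net.fingerprint() in self.trusted
        return {
            (s.proto, s.port)
            for s in SERVICES.values()
            if s.name in self.enabled and (on_trusted or not s.trusted_only)
        }

    def nft_ruleset(self, net):
        """Render the decision as an nftables ruleset: default drop on input,
        loopback and established flows allowed, one accept per exposed port."""
        rules = [
            "table inet filter {",
            "  chain input {",
            "    type filter hook input priority 0; policy drop;",
            "    iif lo accept",
            "    ct state established,related accept",
            "    ct state invalid drop",
        ]
        for proto, port in sorted(self.exposed(net)):
            rules.append(f"    {proto} dport {port} accept")
        rules += ["  }", "}"]
        return "\n".join(rules)


if __name__ == "__main__":
    policy = Policy()
    policy.trust(HOME)
    policy.enable("ssdp")
    policy.enable("mdns")
    print("# on the trusted home network")
    print(policy.nft_ruleset(HOME))
    print("# on an unknown network: nothing but loopback and replies")
    print(policy.nft_ruleset(CAFE))
```

The check a practitioner should keep in mind is the one the fingerprint rests on: an SSID and a gateway MAC are both trivially spoofed, so an "evil twin" access point advertising the home network's identity is enough to make the policy expose the trusted-only services. The gating therefore reduces day-to-day exposure on hostile networks but does not turn a listening service into one that is safe to expose, which is the distinction the message above is pressing on.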
