On 15.04.2014 17:40, Andrew Lutomirski wrote:
> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>> that is pretty easy - defaults have to be closed for anything and the user
>> has to make a choice; otherwise, if there are critical security
>> updates after a release you have *exactly* the same as WinXP SP2
>
> WinXP SP2 needed a firewall because MS didn't want to close ports 139
> and 445 for real.

because they are used for filesharing - period

> So instead they hacked it up with a firewall. This
> meant that, if you had the firewall blocking those ports, you were
> okay, but if they were open (e.g. because you were at home), you were
> screwed.
>
> This is *not* a good thing.

and the same happens with the Fedora Workstation argumentation for whatever service

> Can someone explain what threat is effectively mitigated by a firewall
> on a workstation machine? Here are some bad answers:
>
> - Being pwned via MS's notoriously insecure SMB stack? Not actually
> a problem for Fedora.

stop that argumentation

you can *never* prove that for a predictable future
you can *never* prove that now

why?

* because you don't know what the user is running
* you don't know about security bugs now or in the future

> - DLNA / Chromecast / whatever: wouldn't it be a lot more sensible
> for these things to be off until specifically requested?

yes, but you can't rely on that if we talk about security

> How about having an API where things like DLNA can simply
> not run until you're connected to your home network?

can you prove that this will always happen the right way?
can you implement software that knows *for sure* what my home network is?
if you can do that you will get rich!

> Also, having a firewall on exposes you to a huge attack surface in
> iptables, and it doesn't protect against attacks targeting the
> kernel's IP stack

fine - and because you can't reach 100% security you disable an important security layer?

well, then let us remove every security barrier and give up, because you will never reach the 100% - not now, not tomorrow and not in 100 years

> I'm all for "secure by default", but I'm not at all convinced that
> current desktop firewalls add any real security

there is no "real security" on this planet
everybody working in the security business will explain that to you
you can refuse to accept and ignore the facts, but they are still facts
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct