Hello,
Just some clarifications so that we are all on the same page; those don't significantly affect the larger discussion though...
2014-04-15 17:40 GMT+02:00 Andrew Lutomirski <luto@xxxxxxx>:
Firewalld has a zone implementation that can be improved upon.
MirekCan someone explain what threat is effectively mitigated by a firewall
on a workstation machine? Here are some bad answers:
<snip>
- WebRTC, VOIP, etc. issues? These use NAT traversal techniques that
are specifically designed to prevent your firewall from operating as
intended.
That's imprecise; NAT traversal techniques are designed to allow a specific counterparty through the firewall, not everyone on the Internet like disabling the firewall would do.
- DLNA / Chromecast / whatever: wouldn't it be a lot more sensible
for these things to be off until specifically requested?
That would be about equivalent to controlling them only via a firewall.
Who actually
uses a so-called "zone" UI correctly to configure them?
"Who actually uses any other UI correctly to configure sharing zones?"—nobody because there apparently isn't any. Firewalld has a zone implementation that can be improved upon.
How about
having an API where things like DLNA can simply not run until you're
connected to your home network?
Firewalld has a zone implementation that can be improved upon.
Also, having a firewall on exposes you to a huge attack surface in
iptables, and it doesn't protect against attacks targeting the
kernel's IP stack.
Nothing will ever protect you against attacks targetting the kernel's IP sack, that's a strawman. And the entire premise of a firewall is that the attack surface of the firewall (iptables in this case) is smaller than the attack premise of applications behind; intuitively it's very likely to be true, and AFAICT it's also been true historically.
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
