Hello,
2014-04-16 14:28 GMT+02:00 Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>:
For a quick summary:
> 1) With a firewall enabled, network services don't work without manual
> intervention.
To be perfectly clear, the vast majority of network applications work perfectly fine. Network servers need manual intervention.
> 2) With firewalld active, any privileged application can open a port
> in the firewall (and most will be privileged because they will be
> packaged that way.)
No; most applications are not packaged in any way to get extra privilege to manage a firewall, and they shouldn't; applications poking holes in a firewall for themselves is pointless cargo-cult nonsense.
Some user accounts (members of wheel) are set up to be sufficiently privileged/root-equivalent so that they can open a port, but they really are root-equivalent so the specifics of what they can do to the firewall are not much relevant... at that point you really either trust all software you run, or not.
There could be applications specifically designed to open a port in the firewall even for unprivileged users (e.g. by having a separate privileged helper talk to firewalld), but I don't think there actually are any.
> 3) With no firewall enabled and no network services started, there is
> no security issue because there are no open ports.
There still are all the security issues with outgoing communication; in particular, the browser does matter (much more than say portmap) and the firewall cannot protect it.
> 4) With no firewall but active network services, you have open ports
> just as you would in the firewalld or manual intervention firewall
> case
No because 2) is false... or yes for the wheel-member users.
Mirek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
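The disagreement over point 4 above comes down to what a firewalld zone actually exposes, which is something you can observe rather than argue about. The following is an added example, not code from the thread or from the firewalld project: it parses the text format of `firewall-cmd --list-all` (the sample zone below is constructed, as is the "ssh dhcpv6-client" workstation baseline) and reports whether the zone opens anything beyond an expected allow-list. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): summarise what a
# firewalld zone exposes and compare it against an expected baseline.
# Input is the text printed by `firewall-cmd --list-all`; the sample
# below is constructed to look like a typical workstation zone with two
# extra raw ports opened.

SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp 5353/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the space-separated service names allowed through the zone.
zone_services() {
    printf '%s\n' "$1" | sed -n 's/^  services: *//p'
}

# Print explicitly opened port/proto tokens, one per line (nothing if none).
zone_ports() {
    printf '%s\n' "$1" | sed -n 's/^  ports: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Total count of reachable entries: named services plus raw ports.
zone_exposure_count() {
    svc=$(zone_services "$1" | wc -w)
    prt=$(zone_ports "$1" | wc -l)
    echo $((svc + prt))
}

# Return 0 when every allowed service is in the baseline list and no raw
# ports are opened; otherwise print what drifted and return 1.
# $1 = zone text, $2 = space-separated baseline of expected services.
zone_matches_baseline() {
    baseline="$2"
    for s in $(zone_services "$1"); do
        case " $baseline " in
            *" $s "*) ;;
            *) echo "unexpected service: $s"; return 1 ;;
        esac
    done
    if [ -n "$(zone_ports "$1")" ]; then
        echo "unexpected raw ports: $(zone_ports "$1" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Against a live host this would be:
#   zone_matches_baseline "$(firewall-cmd --list-all)" "ssh dhcpv6-client"
# Here the constructed sample drifts (two raw ports), so this reports it.
zone_matches_baseline "$SAMPLE_ZONE" "ssh dhcpv6-client" || echo "zone drifted from baseline"
```

Run it periodically or from a configuration-management check; a non-zero return from `zone_matches_baseline` is the signal that something (a user in wheel, or a service's own setup) has opened more than the baseline allows, which is exactly the case the thread says you either trust or do not.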