On 28.04.2014 12:42, David Woodhouse wrote:
> On Mon, 2014-04-21 at 09:42 +0200, Reindl Harald wrote:
>>
>> On 21.04.2014 03:39, Lars Seipel wrote:
>>> Nicely aligning with the current firewall thread I noticed that one of
>>> my machines was running the exim MTA for the last few days, dutifully
>>> listening on all interfaces
>>
>> and now it is *proven for sure* that disabling the firewall
>> by default is the most dumb thing a distribution can do
>
> This doesn't make much sense to me

what exactly? that an open port 25 on the WAN caused by a package error is critical?
that whatever port opened on the WAN by a package error is critical?

> Take a look at the wording of the proposed change: "The current level of
> integration into the desktop and applications does not justify enabling
> the firewalld service by default."

i know that wording

> Now imagine the situation if we take the opposite approach — we *fix*
> the integration, and leave it enabled by default.

yes

> Fixing the integration means that installing packages which need to
> listen on a network socket should Just Work™. That means they'll talk to
> firewalld somehow, to enable their ports.

yes, but not *all ports* and not uncomprehensive at all
you really don't want to open SMB on the WAN because you want to share a folder

> We need that, because from a usability point of view it just isn't
> acceptable to have things which *appear* to work when you test them from
> localhost, but silently fail when you connect from the outside. That's a
> really insidious failure mode which has bitten me a number of times when
> I've forgotten to turn off the misguided firewall on a newly-installed
> machine.

the user needs a way to decide where the port should be open

* local network
* wan
* only localhost

> So when it's all finished and working properly, the firewall doesn't
> really buy you anything in this case. A package which is set up to
> listen by default will still do that, and it'll still be a bug in the
> package in question.

*no, not on the WAN*

what you really refuse to understand is the implication of disabling the firewall at all - frankly, in the early KDE4 days there were ports from KDE applications listening on 0.0.0.0 which were for sure never intended to be reachable from the internet - yes, that was all bugs, but realize that we can't pretend to live in a bugfree world

that would mean these ports below would be open to the internet - that's just ZendStudio (not a fedora package) which during start tries to check if there is already an instance running on another computer with the same serial; neither you nor i have to justify that, that's real life as it is

if you don't care about such cases, stop pretending you are building an operating system - on an operating system there is a world outside the distribution's repos

[root@rh:~]$ netstat -l | grep java
tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      15717/java
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      15717/java
tcp        0      0 0.0.0.0:20080           0.0.0.0:*               LISTEN      15717/java
udp        0      0 0.0.0.0:4321            0.0.0.0:*                           15717/java

> You can make sure that only the MTA is listening on port
> 25 and not anything else

and even if - having a MTA reachable on the WAN after installing it, before you have configured it for production use (if you even intend to do that), is the most possible dumb thing

that said from a professional mailserver admin!
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
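Added example, not from the thread or from Fedora: a POSIX shell audit that classifies a netstat -l listing of the kind shown in the message by bind address, so that sockets listening on every interface (and therefore reachable from the WAN whenever no host firewall is in front of them) stand out from loopback-only ones; the sample listing and its program names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): classify a netstat -l style listing
# by bind address so that sockets reachable on every interface stand out.
# Column layout follows the listing in the message: proto, recv-q, send-q,
# local address, foreign address, [state], pid/program.
# SAMPLE_NETSTAT is constructed sample input, not output from a real host.

SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:10137           0.0.0.0:*               LISTEN      15717/java
tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      15717/java
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1204/exim
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp        0      0 192.168.1.10:445        0.0.0.0:*               LISTEN      900/smbd
udp        0      0 0.0.0.0:4321            0.0.0.0:*                           15717/java'

# classify_listeners: reads netstat lines on stdin and prints one line per
# socket: "<scope> <proto> <port> <program>", where scope is
#   WILDCARD  bound to 0.0.0.0 or :: (every interface, WAN included)
#   LOOPBACK  bound to 127.0.0.1 or ::1 (localhost only)
#   ADDRESS   bound to one specific interface address
classify_listeners() {
    awk '
    $1 ~ /^(tcp6?|udp6?)$/ {
        addr = $4
        # the port is whatever follows the last colon; the host is the rest
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::")
            scope = "WILDCARD"
        else if (host == "127.0.0.1" || host == "::1")
            scope = "LOOPBACK"
        else
            scope = "ADDRESS"
        print scope, $1, port, $NF
    }'
}

# wildcard_count: how many sockets in the sample listen on every interface.
# Without a host firewall all of these are reachable from the WAN.
wildcard_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners | grep -c '^WILDCARD'
}

# On a live host the same check runs against the real listing
# (-n keeps addresses numeric, -p needs root for the program column):
#   netstat -lntup | classify_listeners
```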