On 28.04.2014 18:52, Miloslav Trmač wrote:
> 2014-04-28 12:42 GMT+02:00 David Woodhouse <dwmw2@xxxxxxxxxxxxx <mailto:dwmw2@xxxxxxxxxxxxx>>:
>
> > On Mon, 2014-04-21 at 09:42 +0200, Reindl Harald wrote:
> > > On 21.04.2014 03:39, Lars Seipel wrote:
> > > > Nicely aligning with the current firewall thread I noticed that one of
> > > > my machines was running the exim MTA for the last few days, dutifully
> > > > listening on all interfaces
> > >
> > > and now it is *proven for sure* that disabling the firewall
> > > by default is the most dumb thing a distribution can do
> >
> > This doesn't make much sense to me.
> >
> > Take a look at the wording of the proposed change: "The current level of
> > integration into the desktop and applications does not justify enabling
> > the firewalld service by default."
> >
> > Now imagine the situation if we take the opposite approach — we *fix*
> > the integration, and leave it enabled by default.
> >
> > Fixing the integration means that installing packages which need to
> > listen on a network socket should Just Work™. That means they'll talk to
> > firewalld somehow, to enable their ports.
>
> No no no no no. If you want a firewall "integrated" /that/ way, you are really
> better off uninstalling it or opening it up; it serves no purpose.
no, even if that way is completely wrong it's better than no firewall

as I have explained multiple times there may run software not from the
Fedora repos which opens ports unintentionally from the user's point of
view, and especially a user with no network experience will not realize
that - and yes that software matters because we are talking about an
*operating system*

the next thing is when it comes to malware opening ports: there are two
types of malware:

* privilege escalation (you have lost)
* crap trying to open an unprivileged port with user permissions

the second one has to be stopped, and please don't come with "that could
be stopped with SELinux" -> layered security

you need to realize security as a big picture with as many defense
layers as possible, and whoever thinks "no, this and that layer is not
needed because we have A, B, C" has no clue about security at all and
has learned nothing in the last few years from things which happened in
the wild
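Harald's point in the reply above (a listener that exists, whether a forgotten daemon like the exim in Lars's report or an unprivileged process that opened a port on its own, is only reachable from the network if the firewall lets it through) can be made concrete with a small audit that compares what is listening with what firewalld would pass. This is an added example, not code from the thread, from Fedora or from firewalld; the `ss -tlnpH` output, the firewalld allowlist and the service-to-port table are constructed for the example, and the `Listener`, `parse_ss`, `allowed_tcp_ports` and `classify` names are assumptions of this script, not a real tool's API.

```python
"""Audit which listening TCP sockets on a host would actually be reachable
from the network once firewalld is in front of them.

Added example for this thread, not code from Fedora or firewalld.  The
`ss -tlnpH` output and the firewalld allowlist below are constructed; on a
real host you would feed in the output of `ss -tlnpH`,
`firewall-cmd --list-services` and `firewall-cmd --list-ports`.
"""

from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    process: str
    pid: int
    address: str
    port: int


# One line of `ss -tlnpH` (no header): state, recv-q, send-q, local, peer, users:(...)
SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)

# Constructed sample: a forgotten exim on all interfaces, cups on loopback only,
# and an unprivileged user process that opened a high port by itself.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 20 0.0.0.0:25 0.0.0.0:* users:(("exim",pid=1403,fd=5))
LISTEN 0 20 [::]:25 [::]:* users:(("exim",pid=1403,fd=6))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=900,fd=7))
LISTEN 0 5 0.0.0.0:4444 0.0.0.0:* users:(("nc",pid=2207,fd=3))
"""

# Constructed subset of firewalld's service definitions (the real ones live in
# /usr/lib/firewalld/services/*.xml): service name -> TCP ports it opens.
SERVICE_TCP_PORTS = {"ssh": {22}, "smtp": {25}, "http": {80}, "dhcpv6-client": set()}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(text: str) -> list[Listener]:
    """Turn `ss -tlnpH` lines into Listener records; lines without process info are skipped."""
    found = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            found.append(Listener(m["proc"], int(m["pid"]), m["addr"], int(m["port"])))
    return found


def allowed_tcp_ports(services: set[str], port_specs: set[str]) -> set[int]:
    """Expand firewalld's --list-services and --list-ports entries (e.g. '8080/tcp',
    '1025-65535/tcp') into the set of TCP ports the zone lets through."""
    allowed: set[int] = set()
    for name in services:
        allowed |= SERVICE_TCP_PORTS.get(name, set())
    for spec in port_specs:
        port_range, proto = spec.split("/")
        if proto != "tcp":
            continue  # UDP entries do not affect TCP listeners
        low, _, high = port_range.partition("-")
        allowed.update(range(int(low), int(high or low) + 1))
    return allowed


def classify(listeners: list[Listener], allowed: set[int]) -> dict[str, list[Listener]]:
    """Split listeners into: reachable through the firewall, listening but
    blocked by it, and bound to loopback only (never network-facing)."""
    report: dict[str, list[Listener]] = {"exposed": [], "blocked": [], "local_only": []}
    for lst in listeners:
        if lst.address in LOOPBACK:
            report["local_only"].append(lst)
        elif lst.port in allowed:
            report["exposed"].append(lst)
        else:
            report["blocked"].append(lst)
    return report


if __name__ == "__main__":
    # Constructed zone: only ssh and dhcpv6-client allowed, no extra ports.
    zone_allowed = allowed_tcp_ports({"ssh", "dhcpv6-client"}, set())
    for category, entries in classify(parse_ss(SAMPLE_SS_OUTPUT), zone_allowed).items():
        print(f"{category}:")
        for lst in entries:
            print(f"  {lst.process}[{lst.pid}] {lst.address}:{lst.port}")
```

With the firewall in front, the "blocked" bucket is exactly what the thread is arguing about: exim and the user-level listener are there and bound to all interfaces, but nobody on the network can reach them. Disabling firewalld by default moves every entry in that bucket into "exposed" without changing anything else on the host.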
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct