On 28.04.2014 19:04, Miloslav Trmač wrote:
> 2014-04-28 18:59 GMT+02:00 Reindl Harald <h.reindl@xxxxxxxxxxxxx>:
>
> > On 28.04.2014 18:52, Miloslav Trmač wrote:
> > > No no no no no. If you want a firewall "integrated" /that/ way, you are really
> > > better off uninstalling it or opening it up; it serves no purpose.
> >
> > no, even if that way is completely wrong it's better than no firewall
> > as i have explained multiple times there may run software not from
> > the Fedora repos which opens ports unintentionally from the users
> > point of view and especially a user with no network experience
> > will not realize that - and yes that software matters because
> > we are talking about an *operating system*
>
> Well if the users' expectations were that the firewall doesn't "interfere" with Fedora applications, why would they
> expect it to "interfere" with non-Fedora applications?

do i really need to explain that?

you can make signed fedora packages trusted and allow them at install
or first start to interact with firewalld

you can't do that for http://www.zend.com/de/products/studio/downloads
you can't also explain zend they should not open ports with an IDE
you can't do the same for any other software manufacturer
you can't do that even Fedora, see the thread-start

for the sake of god security don't work the way what people should do
security works the way "what could people do wrong"

> > the next thing is when it comes to malware opening ports
> > there are two types of malware:
> >
> > * privilege escalation (you have lost)
> > * crap try to open an unprivileged port with user permissions
>
> The second case is a subset of the first one anyway :)

no - privilege escalation is meant as get root permissions

> And doesn't every malware know to make an _outgoing_ connection to an IRC server nowadays?
> Stopping malware by blocking incoming connections is fairly illusory IMHO

i find it perverse that such basics need to be discussed

* you can't reach 100% security, never, in no way
* you can only try to make it as tight as possible
* each of your protections will stop some bad cases
* enough of them with some luck the one user A, B, C would have hit before updates

do you *really* not want to understand what people are explaining?

http://www.zend.com/de/products/studio/downloads opens ports to talk
inside the LAN and prohibit starting the product on two machines
with the same license key

*YOU DO NOT WANT THAT PORTS OPEN ON THE INTERNET BECAUSE WRONG OS-DECISIONS*

and that is besides VMware the only software not coming via yum in my case

1 out of 2 commercial products should fairly explain why nobody right in
his brain designs in 2014 an operating system with no packet filter at all
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct