On Mon, 08 Dec 2014 07:41:52 +0100 Kevin Kofler <kevin.kofler@xxxxxxxxx> wrote: > Hi, > > I just happened to look at the firewalld default settings, and I was > not amused when I noticed this: > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml > > <port protocol="udp" port="1025-65535"/> > > <port protocol="tcp" port="1025-65535"/> > This "firewall" is a joke! ALL higher ports are wide open! > > There had been a prior discussion on this list where they wanted to > disable the firewall entirely. We told them that that's a horrible > idea (which it is, of course!). But the result is that they > implemented this "solution" which is almost entirely as bad, and > which additionally gives users a false sense of security, because a > "firewall" is "enabled" (for a very twisted definition of "enabled"). > > IMHO, this is a major security issue that MUST be fixed. It also > shows what horribly bad an idea per-Product configuration is. > > Yet another reason why you should NOT use "--product=workstation" to > upgrade your F20 to F21 (ALWAYS use "--product=nonproduct"). > Installing the "Workstation Product", or upgrading to it, will leave > you with a totally insecure system. FWIW, this is mentioned in the release notes: http://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#Products-Workstation 2.3.3. Developer oriented firewall Developers often run test servers that run on high numbered ports, and interconnectivity with many modern consumer devices also requires these ports. The firewall in Fedora Workstation, firewalld, is configured to allow these things. Ports numbered under 1024, with the exceptions of sshd and clients for samba and DHCPv6, are blocked to prevent access to system services. Ports above 1024, used for user-initiated applications, are open by default. Paul. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
