Re: "Workstation" Product defaults to wide-open firewall

On 08.12.2014 at 10:48, Bastien Nocera wrote:
>> I just happened to look at the firewalld default settings, and I was not
>> amused when I noticed this:
>> http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
>>   <port protocol="udp" port="1025-65535"/>
>>   <port protocol="tcp" port="1025-65535"/>
>> This "firewall" is a joke! ALL higher ports are wide open!
>>
>> There had been a prior discussion on this list where they wanted to disable
>> the firewall entirely. We told them that that's a horrible idea (which it
>> is, of course!). But the result is that they implemented this "solution"
>> which is almost entirely as bad, and which additionally gives users a false
>> sense of security, because a "firewall" is "enabled" (for a very twisted
>> definition of "enabled").
>>
>> IMHO, this is a major security issue that MUST be fixed. It also shows what
>> a horribly bad idea per-Product configuration is.
>
> This was discussed, and implemented in the open

but *nobody* cared for why it is a bad idea

if something is discussed in the open and IT security people like me and others explain repeatedly why it is a bad idea, you can't skip the whole discussion and do what you want

>> Yet another reason why you should NOT use "--product=workstation" to upgrade
>> your F20 to F21 (ALWAYS use "--product=nonproduct"). Installing the
>> "Workstation Product", or upgrading to it, will leave you with a totally
>> insecure system.
>
> There are no services listening on upper ports enabled by default

that attitude is unacceptable

why do you then need it open?
because later some software is installed which may use it?
then "there are no..." is hypocritical and harmful

you can't secure a setup only for what is shipped as default and put your head in the sand, knowing that there are tons of software listening on high ports in the repos, and installing them *does not* mean "for the whole world"





Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
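To make the point of the thread concrete, here is an added example (editorial, not code from the thread, from Fedora, or from firewalld) that parses the `<port protocol="..." port="..."/>` elements of a firewalld zone file and counts how many ports they leave open, so the two 1025-65535 rules quoted above can be compared with a zone that opens only a named service. The zone documents are constructed inline: the FedoraWorkstation sample contains only the two `<port>` lines cited in the message, and the "hardened" zone, including its single `ssh` service, is a hypothetical alternative chosen for illustration, not a proposed Fedora default. The 64-port threshold for flagging a rule as a blanket range is likewise an assumption.

```python
"""Audit firewalld zone XML for blanket port ranges.

Added example, not code from the mailing-list thread or from firewalld.
It reads the <port> and <service> children of a <zone> element, merges
overlapping ranges, and reports how many ports each protocol leaves open.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the two <port> lines quoted in the message, wrapped in a
# minimal zone document (the surrounding elements are placeholders, not the
# real FedoraWorkstation.xml).
WORKSTATION_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>FedoraWorkstation</short>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>
"""

# Constructed hypothetical alternative: no blanket ranges at all, only one
# explicitly named service (ssh is an assumption made for illustration).
HARDENED_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>HardenedWorkstation</short>
  <service name="ssh"/>
</zone>
"""

MAX_PORT = 65535
WIDE_RANGE = 64  # assumed threshold: a single rule opening more ports than this is flagged


def parse_port_spec(spec):
    """Turn 'N' or 'N-M' into an inclusive (low, high) tuple, validating bounds."""
    low, sep, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not (1 <= lo <= hi <= MAX_PORT):
        raise ValueError("bad port spec: %r" % spec)
    return lo, hi


def merge_ranges(ranges):
    """Merge overlapping or adjacent inclusive ranges so counts are not inflated."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def port_rules(zone_xml):
    """Return {protocol: [(lo, hi), ...]} for every <port> element in the zone."""
    root = ET.fromstring(zone_xml)
    rules = {}
    for elem in root.findall("port"):
        rules.setdefault(elem.get("protocol"), []).append(parse_port_spec(elem.get("port")))
    return rules


def open_port_count(zone_xml):
    """Number of distinct ports each protocol leaves open through <port> rules."""
    return {proto: sum(hi - lo + 1 for lo, hi in merge_ranges(ranges))
            for proto, ranges in port_rules(zone_xml).items()}


def services(zone_xml):
    """Names of the <service> entries the zone allows."""
    return [e.get("name") for e in ET.fromstring(zone_xml).findall("service")]


def audit_zone(zone_xml, wide=WIDE_RANGE):
    """One finding per <port> rule that opens more than `wide` ports."""
    findings = []
    for proto, ranges in port_rules(zone_xml).items():
        for lo, hi in ranges:
            width = hi - lo + 1
            if width > wide:
                findings.append("%s %d-%d opens %d ports" % (proto, lo, hi, width))
    return findings


if __name__ == "__main__":
    for name, zone in (("FedoraWorkstation", WORKSTATION_ZONE), ("hardened", HARDENED_ZONE)):
        print(name, open_port_count(zone), services(zone), audit_zone(zone) or "no blanket ranges")
```

Run against the sample, the FedoraWorkstation zone reports 64511 open ports for each of TCP and UDP from two rules, while the hardened zone opens none by range and lists only its named service. On a real system the shipped zone files live under `/usr/lib/firewalld/zones/` and local overrides under `/etc/firewalld/zones/`; `firewall-cmd --get-default-zone` and `firewall-cmd --list-all` show which zone is active and what it currently allows, which is the check a user who believes the firewall is "enabled" should actually perform.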
