Re: "Workstation" Product defaults to wide-open firewall

On 08.12.2014 at 13:56, Bastien Nocera wrote:
On 08.12.2014 at 13:39, Bastien Nocera wrote:
Well, it's in your hands now, and every application developer's hands,
if RH is going to be turning the default firewall off.

Not Red Hat, Fedora. And it's not off by default either. It's disabled
for user applications, not root ones

and that is a problem

"user applications" can be any bad code executed by the user which starts
listening on the WAN - guess what is more likely

* get a rootkit opening privileged ports
* execute code by a careless user

Microsoft has learned their lessons after WinXP SP2 and Fedora goes the
opposite direction which is very sad

Rootkit won't require opened *server* ports. It will contact a command server
through a client port, which requires no special privileges

opening a webserver for malware code for the next spam wave would be one example, but it doesn't matter, if you are there the machine is owned anyways and the firewall disabled too

If you blocked the firewall for user applications, you just made
the system a pain to use for no security benefits

you just do not know if it is an *intended* user application acting as server until you ask the user - you don't know *anything* until you ask the user and be sure and you don't get the point

* even if the user's intention is to have that application inside the
  LAN acting as server/P2P that does *not* mean automatically it
  should be open on the WAN, frankly in case of video-streaming
  the user may end in legal trouble as an example

* any application reachable from the WAN is dangerous
  just because *any* bug in that application becomes a *remote exploit*

you are just giving up on security because it's not easy enough to maintain - make some more steps in that direction and a from-scratch install of Windows will be more secure than a Linux system and in fact that already happened with that high-ports-open defaults


Attachment: signature.asc
Description: OpenPGP digital signature

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
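
Added example, not part of the original message and not Fedora or firewalld code: the thread is about servers started by ordinary users on unprivileged ports, so this sketch parses /proc/net/tcp-style text and lists LISTEN sockets owned by a non-root uid that are bound to a non-loopback address. The sample table is constructed, and treating ports from 1024 upward as the "high ports" is an assumption.

```python
import socket
import struct

LISTEN = "0A"               # TCP_LISTEN state code used in /proc/net/tcp
FIRST_UNPRIVILEGED = 1024   # assumption: "high ports" = ports a non-root process may bind

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1003
   3: 0100007F:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1004
   4: 0A00A8C0:D431 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1005
"""


def parse_listeners(text):
    """Yield (ip, port, uid) for every IPv4 socket in LISTEN state."""
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The address is a host-order u32 printed as hex; "<I" decodes it
        # as written by a little-endian kernel (x86, most ARM).
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        yield ip, int(port_hex, 16), int(fields[7])


def exposed_user_listeners(text):
    """Non-root listeners on high ports that are not bound to loopback only."""
    return [
        (ip, port, uid)
        for ip, port, uid in parse_listeners(text)
        if uid != 0 and port >= FIRST_UNPRIVILEGED and not ip.startswith("127.")
    ]


if __name__ == "__main__":
    # On a live system, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for ip, port, uid in exposed_user_listeners(SAMPLE):
        print(f"uid {uid} listens on {ip}:{port}")
```

A socket bound to 0.0.0.0 answers on every interface, so whether it is reachable from outside depends entirely on the firewall zone in front of it; the loopback-only listener in the sample is not reported.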
