----- Original Message ----- > Bastien Nocera wrote: > > Security is about compromises. The net result of the old firewall settings > > was people disabling the firewall. > > And the net result of the new firewall settings is you disabling the > firewall for them, It's not disabled. > and also for all those people out there (like me) who > were NOT disabling the firewall. (Thankfully, I'm not using the GNOME > Workstation, nor firewalld (but the old iptables.service), so I won't get > this "improvement".) So why are you complaining exactly? > > The new firewall settings were vouched for by the firewalld folks, and > > provide good defaults for most users. > > The new firewall settings essentially amount to disabling the firewall. It doesn't. > The only ports they protect are those controlled by root anyway, and there > is nothing listening on those ports by default (except SSH, which your > firewall rules also let through, but that was already the case before). There's a few more items that will be opened I'm afraid. And one of the reasons why we block root ports is to avoid regressions like rpcbind listening by default, which was due to a bug in packaging. So what you call "no firewall" would actually have prevented the potential security hole. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
