Re: "Workstation" Product defaults to wide-open firewall


On 12/08/2014 04:31 PM, Stephen Gallagher wrote:



On Mon, 2014-12-08 at 07:41 +0100, Kevin Kofler wrote:
Hi,

I just happened to look at the firewalld default settings, and I was not
amused when I noticed this:
http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
This "firewall" is a joke! ALL higher ports are wide open!

There had been a prior discussion on this list where they wanted to disable
the firewall entirely. We told them that that's a horrible idea (which it
is, of course!). But the result is that they implemented this "solution"
which is almost entirely as bad, and which additionally gives users a false
sense of security, because a "firewall" is "enabled" (for a very twisted
definition of "enabled").

IMHO, this is a major security issue that MUST be fixed. It also shows what
a horribly bad idea per-Product configuration is.

Yet another reason why you should NOT use "--product=workstation" to upgrade
your F20 to F21 (ALWAYS use "--product=nonproduct"). Installing the
"Workstation Product", or upgrading to it, will leave you with a totally
insecure system.


sudo firewall-cmd --set-default-zone=FedoraServer
That will limit it to SSH, DHCPv6 and cockpit

Or use default zone "Public", which swaps cockpit out and adds mDNS

Or if you're "Reindl Harald"-level paranoid (no offense intended, Harald
but you're the most paranoid sysadmin I know, even more than me):

sudo firewall-cmd --set-default-zone=block

It always amazes me why people who say it is easy to change the default were not happy with:

sudo firewall-cmd --set-default-zone=OpenZone

instead of forcing the less secure one on everyone.

Adding to that, this decision brings back memories of the awful old case when someone decided that installing anything from the repositories was permitted to any user on the system by default; that was reverted with an update because of the outrage.




As someone else mentioned very deep in this thread, you can also do this
in a GUI-centric way inside the preferences for the individual network
connections in the Network Manager settings. It's under the "Identity"
grouping. Here you can set a different default zone for each interface.
(This can be done at the command-line also; the above commands just set
the default zone for all interfaces if not individually overridden)




--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
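An added audit helper, not written by anyone in the thread: it parses firewalld zone XML of the kind quoted above and flags port rules that open large ranges, so a defender can check which zone is really in effect. The two zone documents are constructed samples modelled on the quoted lines; the real FedoraWorkstation.xml and FedoraServer.xml may contain other entries.

```python
import xml.etree.ElementTree as ET

# Constructed sample: mirrors the two <port> lines quoted from
# FedoraWorkstation.xml (services are illustrative, not the real file).
WORKSTATION_ZONE = """<zone>
  <short>Fedora Workstation (constructed sample)</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>"""

# Constructed sample: service-only zone like the FedoraServer zone
# described in the thread (SSH, DHCPv6 client, cockpit), no <port> rules.
SERVER_ZONE = """<zone>
  <short>Fedora Server (constructed sample)</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="cockpit"/>
</zone>"""

UNPRIVILEGED_PORTS = range(1024, 65536)  # ports any local user may bind


def port_ranges(zone_xml):
    """Return (protocol, low, high) for every <port> rule in a zone file."""
    ranges = []
    for rule in ET.fromstring(zone_xml).findall("port"):
        low, _, high = rule.get("port").partition("-")
        low = int(low)
        high = int(high) if high else low  # single port: "22" -> 22-22
        ranges.append((rule.get("protocol"), low, high))
    return ranges


def audit_zone(zone_xml, max_ports=100):
    """Flag any single <port> rule opening more than max_ports ports."""
    findings = []
    for proto, low, high in port_ranges(zone_xml):
        width = high - low + 1
        if width > max_ports:
            findings.append(f"{proto} {low}-{high} opens {width} ports")
    return findings


def unprivileged_coverage(zone_xml, proto):
    """Fraction of ports 1024-65535 that <port> rules open for proto."""
    opened = set()
    for p, low, high in port_ranges(zone_xml):
        if p == proto:
            opened.update(range(max(low, 1024), high + 1))
    return len(opened) / len(UNPRIVILEGED_PORTS)
```

Run against `/usr/lib/firewalld/zones/<zone>.xml` (or the output of `firewall-cmd --get-default-zone` to pick the file) to see how much of the unprivileged port space the active zone leaves reachable.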
