On 09.12.2014 at 10:08, Nikos Mavrogiannopoulos wrote:
On Tue, 2014-12-09 at 17:29 +1030, William B wrote:

I just happened to look at the firewalld default settings, and I was not amused when I noticed this: http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml

<port protocol="udp" port="1025-65535"/>
<port protocol="tcp" port="1025-65535"/>

This "firewall" is a joke! ALL higher ports are wide open!

I want to point out that for many home users, going into the future this is worse than it seems. Many of us are just thinking about the local network. Firewalld implements these rules not just for ipv4, but ipv6 too. If you have a low quality home router, that just lets ipv6 traffic in, you aren't just exposed to the whole network, but the whole internet. While ipv6 relies somewhat on well configured router firewalls, we cannot guarantee this.

That is compromise. Of course there are untrustworthy LANs. However we shouldn't cripple functionality for users on their trusted lan because there may be few users in a LAN they don't trust.
you heard about notebooks, WLAN and public access points?
If you are in such a lan, then I'd expect to switch your firewall's zone. If the installer could do that automatically, it would be even better
you have nothing to expect from an ordinary user, otherwise the whole flaw would not exist for handholding reasons
the user has to expect a by default secure configuration and if something can be expected at all then that people knowing their LAN switch their firewall zone to an unsecure preset and *not* the other direction
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
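
As an added example (not part of the thread and not firewalld's own code): a small Python check that parses a firewalld zone file and flags zone-level `<port>` entries that open large ranges, such as the two quoted above. The sample zone, the 100-port threshold and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone. The two wide <port> entries are the ones quoted in
# the thread; the short name, the service and port 8080 are made up.
SAMPLE_ZONE = """<zone>
  <short>Sample Workstation</short>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
  <port protocol="tcp" port="8080"/>
</zone>
"""

MAX_RANGE = 100  # assumed threshold: more ports than this in one entry is flagged


def parse_port_spec(spec):
    """Turn '8080' or '1025-65535' into (low, high); ValueError if malformed."""
    low, sep, high = spec.strip().partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {spec!r}")
    return lo, hi


def audit_zone(xml_text, max_range=MAX_RANGE):
    """Return (protocol, spec, port_count) for each zone-level <port> entry
    that opens more than max_range ports. Unparseable specs are reported
    with port_count None so they get reviewed instead of silently skipped."""
    findings = []
    # findall("port") matches direct children of <zone> only, i.e. ports
    # opened unconditionally, not ports nested inside rich rules.
    for el in ET.fromstring(xml_text).findall("port"):
        proto, spec = el.get("protocol", "?"), el.get("port", "")
        try:
            lo, hi = parse_port_spec(spec)
        except ValueError:
            findings.append((proto, spec, None))
            continue
        if hi - lo + 1 > max_range:
            findings.append((proto, spec, hi - lo + 1))
    return findings


if __name__ == "__main__":
    for proto, spec, count in audit_zone(SAMPLE_ZONE):
        print(f"{proto} {spec}: {count} ports opened by a single entry")
```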