On Tue, 2014-12-09 at 08:23 -0500, Bastien Nocera wrote:
>
> ----- Original Message -----
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Tue, 09 Dec 2014 10:08:06 +0100
> > Nikos Mavrogiannopoulos <nmav@xxxxxxxxxx> wrote:
> >
> > > On Tue, 2014-12-09 at 17:29 +1030, William B wrote:
> > > > > > I just happened to look at the firewalld default settings, and I
> > > > > > was not amused when I noticed this:
> > > > > > http://pkgs.fedoraproject.org/cgit/firewalld.git/tree/FedoraWorkstation.xml
> > > > > > > <port protocol="udp" port="1025-65535"/>
> > > > > > > <port protocol="tcp" port="1025-65535"/>
> > > > > > This "firewall" is a joke! ALL higher ports are wide open!
> > > >
> > > > I want to point out that for many home users, going into the future
> > > > this is worse than it seems. Many of us are just thinking about the
> > > > local network. Firewalld implements these rules not just for ipv4,
> > > > but ipv6 too. If you have a low quality home router, that just lets
> > > > ipv6 traffic in, you aren't just exposed to the whole network, but
> > > > the whole internet. While ipv6 relies somewhat on well configured
> > > > router firewalls, we cannot guarantee this.
> > >
> > > That is a compromise. Of course there are untrustworthy LANs. However we
> > > shouldn't cripple functionality for users on their trusted lan because
> > > there may be few users in a LAN they don't trust. If you are in such a
> > > lan, then I'd expect to switch your firewall's zone. If the installer
> > > could do that automatically, it would be even better.
> > >
> >
> > Can you personally, with 100% confidence tell me you completely understand
> > the inner workings and firewall of your home? Your work? Have you pen tested
> > them? Are you sure that they are open in some way you don't expect? If you
> > answer no to any of these, you should probably reconsider how open your
> > system's firewall is.
> >
> > I think that sacrificing security for convenience is not an option. Sometimes
> > security can be hard, and the convenience look nice, but I want to strongly
> > reiterate that the solution is not to open all ports and fool our users, but
> > to create a secure by default os, that gives users control of that. If that
> > means we need to face the hard truths and write some code to make a better
> > firewalld ui, then so be it.
>
> To do that, you would need to understand that security isn't a black and white
> thing, it's different shades of gray. You also didn't consider privacy into the
> mix, which is related to security, but different from it.
>
> If by opening up some ports that would have hampered the user, rather than protect
> them[1], we avoid the users disabling the firewall, and exposing security critical
> services (such as exposing rpcbind, or ntpd, or any other root service), then it's
> a win for me.
>
> [1]: I haven't seen anything but arm-flailing on that issue. If somebody wants to
> go into details about what a server running inside the user's session would be
> able to do that a client wouldn't be able to, feel free.

Just to answer that, you're assuming that the only risk is to the local machine. A service running in a local user session can be opening a port for a command-and-control server somewhere out on the internet to use the machine as a bot-net. That's likely not going to have much of an effect on your local machine (besides increasing load), but it *is* a security concern.
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
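
An added example, not part of this message and not code from Fedora or the firewalld project: a small Python check that reads a firewalld zone definition in the XML form quoted in the thread and reports zone-level port entries wider than a review threshold. The sample zone, the function names and `max_span` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample zone. The two wide <port> lines are the ones quoted in the
# thread; the <short> text, the ssh service and port 8080 are illustrative.
SAMPLE_ZONE = """<zone>
  <short>Sample Workstation</short>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
  <port protocol="tcp" port="8080"/>
</zone>"""


def parse_port_spec(spec):
    """Return (low, high) for a port value such as '8080' or '1025-65535'."""
    low_text, _, high_text = spec.strip().partition("-")
    low = int(low_text)
    high = int(high_text) if high_text else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return low, high


def audit_zone(xml_text, max_span=100):
    """List zone-level <port> entries that open more than max_span ports.

    max_span is a hypothetical review threshold, not a firewalld setting.
    Each finding is (protocol, low, high, number_of_ports_opened).
    """
    findings = []
    root = ET.fromstring(xml_text)
    for element in root.findall("port"):  # direct children of <zone> only
        low, high = parse_port_spec(element.get("port", ""))
        span = high - low + 1
        if span > max_span:
            findings.append((element.get("protocol"), low, high, span))
    return findings


if __name__ == "__main__":
    for protocol, low, high, span in audit_zone(SAMPLE_ZONE):
        print(f"{protocol} {low}-{high}: {span} ports accepted in this zone")
```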