On 02/13/2015 11:25 AM, Frank Ch. Eigler wrote: > "Ryan S. Brown" <ryansb@xxxxxxxxxx> writes: > >> [...] In January, the Fedora rawhide package for mongo[2] was >> changed to listen on all interfaces by default [...] To help >> protect users, I think the default should be changed back to >> localhost only. [...] > > We have a slew of network-servers in the fedora distribution. > Apprx. none of them are supposed to be turned on just by virtue of rpm > installation (so, require an explicit systemctl enable), and apprx. > none of them get through the system-default firewalld setup. The > out-of-the-box risk is therefore nil. As far as the firewall setup: if they wouldn't get through the firewall, then there's already extra configuration for operators that want to make it available to everyone. Why not also have it listen by default on localhost as an additional safety measure. Especially since *that's how it is in all current releases*. There's no benefit to moving away from the (sane) default of localhost-only. > If you'd like to pursue a distro-wide change for this > interface-binding level of security, please consider pursuing it via a > Fedora Change type process rather than piecemeal package-by-package. I didn't consider this as a distro-wide change, I'll look at the existing policies and see if there are any that cover this. -- Ryan Brown / Software Engineer, Openstack / Red Hat, Inc. -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
