Re: Fedora Workstation and disabled by default firewall

On Mon, Aug 26, 2019 at 9:08 AM <mcatanzaro@xxxxxxxxx> wrote:
>
>
> Well the thing is, blocking ports tends to break applications that want to use those ports. We're not going to do that, period. It also doesn't really accomplish anything: either your app or service needs network access and you have whitelisted it (in which case the firewall provides no security), or it needs network access and you have not whitelisted it (in which case your firewall breaks your app/service). In no case does it increase your security without breaking your app, right? Unless you have malware installed (in which case, you have bigger problems than the firewall). Or unless you have a vulnerable network service installed that you don't want (in which case, uninstall it).

You're creating a false dichotomy. There are plenty of legitimate user
apps that do stupid things that you should restrict with a firewall,
and there's plenty of malware that needs a C&C server via network
access to control it, and whose abilities are limited by firewalls.

At the very least, the user should *know* that an app requires network
to function... this shouldn't be a surprise to users. It should be
something the UI experience makes them aware of. Microsoft learned
this from commercial firewall applications like ZoneAlarm back when
they finally made the Windows XP firewall enabled in SP2 (both ZA and
XPSP2 alerted users about network access). This is not something that
a Linux distro should be learning 15 years later... we should be leading the
charge on secure-by-default... not trailing 15-year-old Windows
systems.

As a user, I *WANT* my applications to break if they are
internet-exposed and I didn't grant them explicit permission to be
exposed. That's what security does. This breakage you're describing is
an essential part of educating users and forcing their participation
in security (which is *everyone's* responsibility). If your concern is
that users won't be able to figure out how to make the choice to grant
access, then you've identified a UI problem... not a problem with the
security defaults.

>
> So if you want to change the firewall settings, you'd need to completely rethink how the firewall works. And nobody seems interested in doing that. We could e.g. have a list of apps that are allowed network access, but then we'd need some form of attestation so apps can't impersonate each other. So only sandboxed (flatpaked) apps could use this hypothetical new firewall. And we surely don't want to have yes/no permission prompts, so we can't really ask the user "do you want your app to access the network?" (the user will almost always say yes). I'm not really sure what design would even work.

You're effectively arguing: if you can't have perfect security, don't
bother. Security isn't about making a system impenetrable... it's
about putting up barriers... making things difficult for the attacker.
It's an arms race and it always will be. Regarding "yes/no" permission
prompts.... yes, that'd be great.... but maybe make them type the name
of the application, instead of brainlessly clicking "Yes". There are
things that can be done. You're arguing to do nothing. You're arguing
for not bothering with security. If you are right that it doesn't
matter, then why does Fedora Server have different defaults? Clearly
somebody thinks security is important in the Server team... their
reasoning applies just as well to the Workstation product.

>
> Avoiding unnecessary network services makes more sense.
>

It's not mutually exclusive. You can do both.


... yes, apps like VNC and Rhythmbox (and any other example of an app
listening on a port) can be better... but the point is that the OS is
a bottleneck for apps which make bad decisions (or fail while trying
to make good decisions)... and the OS shouldn't push security down
into every single app... it should work for the user.... to protect
them against poorly-behaved apps, malware, and sometimes even protect
the user from themselves (such as when OS makes choices to disable
root user by default).

Fixing the firewall settings in Fedora Workstation is the first thing
I change after a new install. The current default is bad... argued
from bad logic that weakens the security of the OS.
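An added example, not part of this thread or of any Fedora tooling: a small audit script that reads the text of `firewall-cmd --list-all` for the active zone, counts how many ports it opens, and prints the `firewall-cmd` calls that would close them. The sample zone text is constructed here and assumes the FedoraWorkstation zone's shipped `ports:` line (1025-65535 for tcp and udp); adjust it to your own output.

```shell
#!/bin/sh
# Constructed sample in the shape of `firewall-cmd --list-all` output.
# Assumption: the ports line mirrors Fedora's default FedoraWorkstation zone.
SAMPLE_ZONE='FedoraWorkstation (active)
  target: default
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  rich rules:'

# count_open_ports: total number of ports opened by the "ports:" line
# (a range a-b counts b-a+1 ports). Reads zone text from stdin.
count_open_ports() {
  awk '$1 == "ports:" {
         for (i = 2; i <= NF; i++) {
           split($i, p, "/"); n = split(p[1], r, "-")
           total += (n == 2) ? r[2] - r[1] + 1 : 1
         }
       }
       END { print total + 0 }'
}

# zone_verdict ZONE_TEXT [MAX]: WIDE_OPEN when more than MAX ports
# (default 64) are opened by explicit port entries, RESTRICTED otherwise.
zone_verdict() {
  n=$(printf '%s\n' "$1" | count_open_ports)
  if [ "$n" -gt "${2:-64}" ]; then echo WIDE_OPEN; else echo RESTRICTED; fi
}

# remediation ZONE_TEXT: print (do not run) the firewall-cmd calls that
# permanently remove every port entry from the zone named on line 1.
remediation() {
  printf '%s\n' "$1" | awk '
    NR == 1 { zone = $1 }
    $1 == "ports:" {
      for (i = 2; i <= NF; i++)
        printf "firewall-cmd --permanent --zone=%s --remove-port=%s\n", zone, $i
    }'
}

zone_verdict "$SAMPLE_ZONE"
remediation "$SAMPLE_ZONE"
```

To audit a live system, pipe `firewall-cmd --list-all` into `count_open_ports` or pass its output to `zone_verdict`; services listed on the `services:` line are counted separately by firewalld and are not included here.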
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx