Re: Fedora Workstation and disabled by default firewall

On Tuesday, August 27, 2019 5:05:57 PM MST Chris Murphy wrote:
> On Tue, Aug 27, 2019 at 5:24 PM John Harris <johnmh@xxxxxxxxxxxxx> wrote:
> >
> > On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
> >
> > > Windows is enabled by default with two "zones" or "policies" (I can't
> > > even tell from their own UI what to call this), one for private
> > > networks, and another for guest/public networks.
> >
> > I don't have a mac, so I can't confirm this, but Apple suggests that
> > there's nothing bound to listen by default.
>
> There are no services enabled by default either. No ssh, no file
> sharing, no VNC, no printer sharing, etc.  macOS does have Bonjour
> (mDNS) enabled by default, and while it's not self announcing, it is
> listening for other device/services that are.
> 
> That's similar to Workstation.
>
> > If that's the case, and I imagine it's
> > difficult to run real software on Mac which might bind stuff (because of
> > those "app" things they've got, I presume), that might be a legitimate
> > thing for Macs. We're not Apple, and we're not rolling out MacOS. I
> > personally believe that's a horrible idea for Mac systems as well, even
> > if they don't bind anything by default, which we do.
>
> Difficult to run real software ... I don't understand what that means
> or how it manifests. I run all kinds of real software on macOS and it
> works fine.
> 
> 
> > This sounds like a misunderstanding as to what firewalls, and the various
> > types of firewalls, are. By default, Fedora uses firewalld, which is not
> > an application firewall, which is what you've described. "I dunno if
> > this network is trustworthy! Do you know if it's trustworthy?!" is a
> > legitimate decision for the end user or sysadmin to make. It is not "a
> > buck passing interface", the Fedora install has no possible way to know.
> > The end user or sysadmin would.
> 
> 
> That actually isn't clear at all. And I am the end user and sysadmin.
> I'm at home, I have my own AP, but none of the equipment is under my
> direct control, it's centrally managed by a company I don't even pay.
> So, is it trustworthy? Maybe. Maybe not. I have no practical way of
> knowing without digging into Fedora Security spin and learning a bunch
> of things I don't presently know - which for sure sounds really
> fascinating, and I like that this spin exists, but there are only so
> many hours in the day!

Workstation ships with sshd enabled by default, unless something has changed. 
Regardless, on Workstation, user programs can certainly easily bind ports, 
which, with the GNOME spin's firewall configuration, are open to the world at 
this point.

What does the Fedora Security lab have to do with anything? Are you interested 
in pentesting?

-- 
John M. Harris, Jr. <johnmh@xxxxxxxxxxxxx>
Splentity
https://splentity.com/
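
Added example, not part of the original message or of Fedora's tooling: a way to check the claim above on a given host by comparing listening sockets (`ss -H -tuln`) against the ports a firewalld zone allows (`firewall-cmd --list-ports`). The sample socket list is constructed, and the port list is an assumed zone configuration; services allowed by name (`--list-services`) are not covered.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:631 0.0.0.0:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
tcp LISTEN 0 4096 [::]:8080 [::]:*
tcp LISTEN 0 10 *:3000 *:*
tcp LISTEN 0 128 [::1]:631 [::]:*
"""

# Assumed zone port list, in the format `firewall-cmd --list-ports` prints.
SAMPLE_PORTS = "1025-65535/udp 1025-65535/tcp"


def parse_ports(spec):
    """Turn '1025-65535/tcp 53/udp' into [(proto, low, high), ...]."""
    rules = []
    for item in spec.split():
        rng, proto = item.split("/")
        low, _, high = rng.partition("-")
        rules.append((proto, int(low), int(high or low)))
    return rules


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; '*' (any address) is never loopback."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed_listeners(ss_output, port_spec):
    """Non-loopback listeners whose port the zone's port rules let through."""
    rules = parse_ports(port_spec)
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        addr, _, port = fields[4].rpartition(":")
        port = int(port)
        if is_loopback(addr):
            continue
        if any(p == proto and lo <= port <= hi for p, lo, hi in rules):
            found.append((proto, addr, port))
    return found
```

On a live system, pass the real output of the two commands in place of the constructed samples.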
