mcatanzaro@xxxxxxxxx writes:

> Well the thing is, blocking ports tends to break applications that want
> to use those ports. We're not going to do that, period. It also doesn't
> really accomplish anything: either your app or service needs network
> access and you have whitelisted it (in which case the firewall provides
> no security), or it needs network access and you have not whitelisted
> it (in which case your firewall breaks your app/service). In no case
> does it increase your security without breaking your app, right? Unless
> you have malware installed (in which case, you have bigger problems
> than the firewall). Or unless you have a vulnerable network service
> installed that you don't want (in which case, uninstall it).
>
> So if you want to change the firewall settings, you'd need to
> completely rethink how the firewall works. And nobody seems interested
> in doing that. We could e.g. have a list of apps that are allowed
> network access, but then we'd need some form of attestation so apps
> can't impersonate each other. So only sandboxed (flatpaked) apps could
> use this hypothetical new firewall. And we surely don't want to have
> yes/no permission prompts, so we can't really ask the user "do you want
> your app to access the network?" (the user will almost always say
> yes).

For what it's worth, macOS started doing exactly that recently. I agree it seems useless, except for one thing. Sometimes, you realize that some app is opening a port when you don't expect it.

> I'm not really sure what design would even work.
>
> Avoiding unnecessary network services makes more sense.
>
> On Mon, Aug 26, 2019 at 3:45 PM, Alexander Ploumistos
> <alex.ploumistos@xxxxxxxxx> wrote:
>>
>> As a matter of fact, you did:
>> <https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/thread/3LHDQD5HCZMPV6O4LZRSKTVEIKEFJIBY/#3LHDQD5HCZMPV6O4LZRSKTVEIKEFJIBY>
>> <https://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#idm225474210784>
>
> Thanks for dredging up these links!
>
> Michael
>
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

--
Cheers,
Christophe de Dinechin (IRC c3d)