On Thursday, August 29, 2019 8:34:09 AM MST Christophe de Dinechin wrote:
> mcatanzaro@xxxxxxxxx writes:
>
> > Well the thing is, blocking ports tends to break applications that want
> > to use those ports. We're not going to do that, period. It also doesn't
> > really accomplish anything: either your app or service needs network
> > access and you have whitelisted it (in which case the firewall provides
> > no security), or it needs network access and you have not whitelisted
> > it (in which case your firewall breaks your app/service). In no case
> > does it increase your security without breaking your app, right? Unless
> > you have malware installed (in which case, you have bigger problems
> > than the firewall). Or unless you have a vulnerable network service
> > installed that you don't want (in which case, uninstall it).
> >
> > So if you want to change the firewall settings, you'd need to
> > completely rethink how the firewall works. And nobody seems interested
> > in doing that. We could e.g. have a list of apps that are allowed
> > network access, but then we'd need some form of attestation so apps
> > can't impersonate each other. So only sandboxed (flatpaked) apps could
> > use this hypothetical new firewall. And we surely don't want to have
> > yes/no permission prompts, so we can't really ask the user "do you want
> > your app to access the network?" (the user will almost always say
> > yes).
>
> For what it's worth, macOS started doing exactly that recently.
> I agree it seems useless, except for one thing. Sometimes, you realize
> that some app is opening a port when you don't expect it.
>
> > I'm not really sure what design would even work.
> >
> > Avoiding unnecessary network services makes more sense.
> >
> > On Mon, Aug 26, 2019 at 3:45 PM, Alexander Ploumistos
> > <alex.ploumistos@xxxxxxxxx> wrote:
> >
> >> As a matter of fact, you did:
> >> <https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3LHDQD5HCZMPV6O4LZRSKTVEIKEFJIBY/#3LHDQD5HCZMPV6O4LZRSKTVEIKEFJIBY>
> >> <https://docs.fedoraproject.org/en-US/Fedora/21/html/Release_Notes/sect-Products.html#idm225474210784>
> >
> > Thanks for dredging up these links!
> >
> > Michael
> >
> > _______________________________________________
> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>
> --
> Cheers,
> Christophe de Dinechin (IRC c3d)

Thing is, binding a port and expecting it to be open to every network interface
you've got are two very different things.

--
John M. Harris, Jr.
<johnmh@xxxxxxxxxxxxx>
Splentity
https://splentity.com/
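
The difference raised at the end of the thread, between a service binding a port and that port being bound on every interface, is visible in the kernel's socket table. The following is an added example, not part of the original messages: it parses text in the Linux `/proc/net/tcp` layout and classifies each listening socket by its bind address. The sample table is constructed, the function name is hypothetical, and the address decoding assumes a little-endian host and IPv4 only.

```python
import ipaddress
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout; not captured from a real host.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0A01A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0A01A8C0:D431 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20004
"""


def listeners(proc_net_tcp):
    """Return (ip, port, scope) for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # established connections and malformed rows are ignored
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order, so on a
        # little-endian machine 0100007F decodes to 127.0.0.1.
        ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
        port = int(hex_port, 16)
        if ip.is_unspecified:
            scope = "all-interfaces"   # 0.0.0.0: bound on every interface
        elif ip.is_loopback:
            scope = "loopback-only"    # reachable only from the local host
        else:
            scope = "single-address"   # bound to one configured address
        found.append((str(ip), port, scope))
    return found


if __name__ == "__main__":
    for ip, port, scope in listeners(SAMPLE):
        print(f"{ip}:{port:<6} {scope}")
```

On a live system the same function can be fed the contents of `/proc/net/tcp`; whether a wildcard-bound port is actually reachable from another machine still depends on the firewall zone of each interface.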