Re: FedoraWorkstation default firewall rules unsafe

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Am 28.07.24 um 16:36 schrieb Neal Gompa:

On Sun, Jul 28, 2024 at 8:40 AM Chuck Anderson <cra@xxxxxx> wrote:


On Sun, Jul 28, 2024 at 12:49:51PM GMT, Arthur Bols via devel wrote:

Sure. But why do those ports need to be open by default at all? What is
the benefit of adding those extra 2 lines? Does it enhance user
friendliness? I doubt it, as users will still need to open ports for
e.g. slp or mdsn. What it does is put users at risk.


dhcpv6-client, samba-client, and ssh are opened by default.  Perhaps
mdns should be added to this list.


I wouldn't have this conversation if we had no firewall rules like arch
or Debian, but we do. We even go as far as install and enable Firewalld
by default. As far as I know Fedora is positioning itself as a
beginner-friendly Linux distro, thus we should strive to protect users.
Enabling a firewall that blocks traffic up to port 1024 is strange and
confusing, especially for security minded beginners.


Historically, "privileged services" run on ports 0-1024.  The idea was
to protect those privileged services, while keeping 1025-65535 open
for developers to develop applications using those ports.


Unfortunately nowadays privileged production-grade services run by
default on ports above 1024, so the distinction is somewhat
meaningless. :(


The entire distinction between ]0;1024] and [1025;∞[ is entirely founded
in historical reasons, not ones valid for today.

To open a port listening in the ]0;1024] range these days requires the
CAP_NET_BIND_SERVICE capability (normal users don't have it by default).
So it doesn't really do much since it pretty much means "become root" or
to gain it otherwise (like with a RCE vulnerability in some process with
that capability).



Regards

Kilian Hanich
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux