Am 28.07.24 um 13:20 schrieb Michael Catanzaro:
On Sun, Jul 28 2024 at 11:37:15 AM +02:00:00, Arthur Bols via devel
<devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
Aside that this does not contribute to the discussion at all, I believe
it is reasonable to assume that the default firewall rules are strict
enough to not open all ports above 1024... That being said, it's an
example, and those servers are listening on localhost.
This discussion comes up every few years. Suffice to say: a firewall
that blocks users from using software is a firewall that's not suitable
for Fedora Workstation. Unlike server users, desktop users don't know
what ports are and don't expect to have to modify firewall rules to run
a new service.
You say "unsafe" but it's only unsafe if you have software listening on
those ports. And if you have software listening on those ports, surely
you want it to work rather than be blocked? If you have software
listening that you *don't* want to work, then why do you have it
listening in the first place!
It's been about 10 years since we established this firewall
configuration, and I haven't seen much interest in developing a smarter
stricter firewall, so this is what we're left with.
Is the decision based on an explicit threat model? Considering that a
workstation is mainly used by an user, exactly those ports that can be
opened unintentionally (by mistake, trojaned) by a user are not
protected. A non-serious suggestion just to depict it;
allow all <1024 ports and deny all above ... would provide more "safety".
--
Leon
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
