Re: FedoraWorkstation default firewall rules unsafe

On 7/28/24 3:49 AM, Arthur Bols via devel wrote:
> On 28/07/2024 11:33, Adam Williamson wrote:
>> On Sun, 2024-07-28 at 10:25 +0200, Arthur Bols via devel wrote:
>>> Hi all,
>>>
>>> Yesterday, while assisting a user with connecting a printer, I noticed
>>> that the default firewall zone on Fedora Workstation is set to
>>> "FedoraWorkstation". This zone has ports 1025-65535 open by default
>>> [0].  Is there a historical reason for this, just an oversight, or am I
>>> missing something? This configuration doesn't seem ideal for typical
>>> users and developers. For example, I often run dev servers that I assume
>>> are secure due to the default firewall settings, but it appears that
>>> even the Home zone is more restrictive.
>>>
>>> I'm considering opening a change request to remove these firewall rules
>>> for better security but want to ensure I'm not overlooking anything.
>> It's intentional. It's been that way since the first release of
>> Workstation.
> Sure. But why do those ports need to be open by default at all? What is the benefit of adding those extra 2 lines? Does it enhance user friendliness? I doubt it, as users will still need to open ports for e.g. slp or mdns. What it does is put users at risk.

MDNS works by default.  Users don't need to open the port.

> I wouldn't have this conversation if we had no firewall rules like Arch or Debian, but we do. We even go as far as to install and enable Firewalld by default. As far as I know Fedora is positioning itself as a beginner-friendly Linux distro, thus we should strive to protect users. Enabling a firewall that blocks traffic up to port 1024 is strange and confusing, especially for security-minded beginners.

Fedora enables firewalld by default as well.

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
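
The following is an added example, not part of the original message and not Fedora's or firewalld's own code: a small shell check that tells whether a given port (a dev server, say) is allowed by a zone's port list, and which entries are wide ranges. The function names and `SAMPLE_PORTS` are hypothetical; the sample list is constructed from the two 1025-65535 ranges described in the thread, in the space-separated format that `firewall-cmd --list-ports` prints.

```shell
#!/bin/sh
# Added example: audit a firewalld port list for exposed ports.
# Input is a space-separated list of "port/proto" or "first-last/proto".

# Constructed sample modelled on the two ranges the thread describes.
SAMPLE_PORTS="1025-65535/udp 1025-65535/tcp"

# port_allowed LIST PORT PROTO -> returns 0 if PORT/PROTO matches an entry.
port_allowed() {
    list=$1 want=$2 proto=$3
    for entry in $list; do
        [ "${entry##*/}" = "$proto" ] || continue
        range=${entry%/*}
        first=${range%-*}   # a single port such as "80" has first = last
        last=${range#*-}
        if [ "$want" -ge "$first" ] && [ "$want" -le "$last" ]; then
            return 0
        fi
    done
    return 1
}

# wide_ranges LIST [MIN] -> print entries covering at least MIN ports
# (MIN defaults to 1000, an arbitrary threshold chosen for this example).
wide_ranges() {
    list=$1 min=${2:-1000}
    for entry in $list; do
        range=${entry%/*}
        first=${range%-*}
        last=${range#*-}
        if [ $((last - first + 1)) -ge "$min" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Live use on a firewalld host (not run here):
#   zone=$(firewall-cmd --get-default-zone)
#   ports=$(firewall-cmd --zone="$zone" --list-ports)
#   port_allowed "$ports" 8080 tcp && echo "8080/tcp is reachable in $zone"
#   wide_ranges "$ports"
```

This only inspects explicit port entries; services enabled in the zone are listed separately by `firewall-cmd --list-services`.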



