Re: F21 System Wide Change: Workstation: Disable firewall

Tue, 15 Apr 2014 08:24:12 -0700 

On 04/15/2014 04:28 PM, Christian Schaller wrote:


----- Original Message -----

From: "Reindl Harald" <h.rei...@thelounge.net>
To: devel@lists.fedoraproject.org
Sent: Tuesday, April 15, 2014 11:40:20 AM
Subject: Re: F21 System Wide Change: Workstation: Disable firewall


Am 15.04.2014 11:32, schrieb drago01:

On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald <h.rei...@thelounge.net>
wrote:



allow any random application to open a unprivlieged
port which is reachable from outside is dangerous


We already allow that and have for a long while. Any application bothering to 
support the firewalld dbus interface can open any port
they wish to.


Are you running your desktop as root or all your applications are 
authenticated? - I hope not.


Only authenticated applications and services can modify the firewall.


There was a long thread about this on the desktop mailing list, and I was not 
in the 'disable the firewall' camp in that discussion,
but nobody in that thread or here have articulated how the firewall exactly 
enhance security in the situation where we at the
same time need to allow each user to have any port they desire opened for 
traffic to make sure things like DLNA or Chromecast works.


You can simply use different zones for the different connections you are 
using. Most likely you do not want to enable DLNA and Chromecast in a 
public internet cafe, but at home. So simple marking your home Wifi 
using the trusted zone is the trick to allow everything within this Wifi 
only. It is also possible to change the zone that is used for a connection.



You can bind connections or interfaces to zones in ifcfg files and in 
NetworkManager - probably not in the gnome 3 UI, but in all other UI 
versions ...



The thread discussing this ended up with mostly being a discussion if the 
firewall would be a useful way to help users from accidentally
oversharing on a public network. Which is important and something we want to 
work on, but a lot less so than security issues.

Christian



Thomas
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct


























					Reply via email to