Hello,
Just some clarifications so that we are all on the same page; those don't
significantly affect the larger discussion though...
2014-04-15 17:40 GMT+02:00 Andrew Lutomirski <l...@mit.edu>:
> Can someone explain what threat is effectively mitigated by a firewall
> on a workstation machine? Here are some bad answers:
>
<snip>
> - WebRTC, VOIP, etc. issues? These use NAT traversal techniques that
> are specifically designed to prevent your firewall from operating as
> intended.
>
That's imprecise; NAT traversal techniques are designed to allow a
*specific* counterparty through the firewall, not everyone on the Internet
like disabling the firewall would do.
- DLNA / Chromecast / whatever: wouldn't it be a lot more sensible
> for these things to be off until specifically requested?
That would be about equivalent to controlling them only via a firewall.
> Who actually
> uses a so-called "zone" UI correctly to configure them?
"Who actually uses any other UI correctly to configure sharing
zones?"—nobody because there apparently isn't any. Firewalld has a zone
implementation that can be improved upon.
> How about
> having an API where things like DLNA can simply not run until you're
> connected to your home network?
>
Firewalld has a zone implementation that can be improved upon.
Also, having a firewall on exposes you to a huge attack surface in
> iptables, and it doesn't protect against attacks targeting the
> kernel's IP stack.
>
*Nothing* will ever protect you against attacks targetting the kernel's IP
sack, that's a strawman. And the entire premise of a firewall is that the
attack surface of the firewall (iptables in this case) is smaller than the
attack premise of applications behind; intuitively it's very likely to be
true, and AFAICT it's also been true historically.
Mirek
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
