What I HATE about F11

Kevin Fenzi kevin at scrye.com
Sun Jun 14 18:41:27 UTC 2009


On Sun, 14 Jun 2009 20:08:31 +0200
Lennart Poettering <mzerqung at 0pointer.de> wrote:

> Gah. Allowing packages to pierce the firewall just makes the firewall
> redundant.
> 
> I still think that the current firewall situation on Fedora is pretty
> much broken. It's a bit like SELinux: it's one of the first features
> most people disable.

I don't see that. Perhaps people don't mention it much, but I very
seldom hear from people on #fedora or the forums that they disabled the
firewall. (Where I still do hear people say they disabled SELinux.)

> Fedora is the only big distro that enables a firewall by default and

From a quick look (feel free to correct me here):

debian: no firewall by default
ubuntu: default since hardy (ufw)
suse: default (SUSEFirewall2)
mandriva: default 

> thus creates a lot of trouble for many users. I think I mentioned that
> before, and I can only repeat it here: we should not ship a firewall
> enabled by default, like we currently do. If an application cannot be
> trusted then it should not be allowed to listen on a port by default
> in the first place. A firewall is an extra layer of security that
> simply hides the actual problem.

I agree somewhat. Some services should not listen by default until they
are configured. I don't think disabling the firewall matters though, those
need to be fixed in any case.

> Now, it's my impression that some people who control the packages in
> question and believe in all this security theater more than I do, seem
> to be unwilling to loosen the default firewall. So as a bit of a
> compromise here's what I suggest:
> 
> Add a very simple per-interface firewall profile system to
> NetworkManager. Something that is easily reachable from the NM
> applet. Something with just two simple profiles by default: one that
> allows everything for use in trusted networks, and one that just
> allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport
> APs). Admins could then add more profiles if they feel the need for
> it. And one could bind those profiles to specific networks, so that
> people would just have to configure them once. Of course, as
> mentioned, these firewall profiles need to be per-interface so that a
> vpn interface can be trusted, while the underlying WLAN iface doesn't
> have to be trusted.

Somewhat agreed, but they should use a more general setup like an
iptables.d and config files, they should NOT be internal to
NetworkManager or perhaps even managed by it (it could call
system-config-firewall or something).

> Lennart

kevin