What I HATE about F11

Thomas Woerner twoerner at redhat.com
Mon Jun 15 10:41:41 UTC 2009


Lennart Poettering wrote:
> On Sun, 14.06.09 18:34, Matthew Garrett (mjg at redhat.com) wrote:
> 
>>> So, solving this is pretty easy, even for newbies. But I agree that the
>>> error message will not help someone without advanced knowledge. Although
>>> I think people running Samba generally will know where to look for the
>>> problem.
>> I think this is actually a problem that needs solving. We have several 
>> network services that are either installed by default or might be 
>> expected to be part of a standard setup, but which don't work because of 
>> the default firewall rules. The Anaconda people have (sensibly, IMHO) 
>> refused to simply add further exceptions to the firewall policy.
>>
>> So, what should happen here? Should we leave the firewall enabled in 
>> these cases* by default and require admins to open them? If so, is there 
>> any way that we can make this easier in some Packagekit-oriented manner? 
>> If not, how should we define that packages indicate that they need ports 
>> opened? Should this be handled at install time or run time?
> 
> Gah. Allowing packages to pierce the firewall just makes the firewall
> redundant.
> 
> I still think that the current firewall situation on Fedora is pretty
> much broken. It's a bit like SELinux: it's one of the first features
> most people disable.
> 
SELinux and the firewall configuration are trying to make the system 
secure before something happens. If your system is compromised, then it 
is far too late to react. If you do not care about security, then 
disable it and have fun with the results.

I wonder why other systems are getting more restrictive and secure over 
time, while for Linux people request the opposite direction.

> Fedora is the only big distro that enables a firewall by default and
> thus creates a lot of trouble for many users. I think I mentioned that
> before, and I can only repeat it here: we should not ship a firewall
> enabled by default, like we currently do. If an application cannot be
> trusted then it should not be allowed to listen on a port by default
> in the first place. A firewall is an extra layer of security that
> simply hides the actual problem.
> 
How do you want to get to "it should not be allowed to listen on a port 
by default"? Maybe with SELinux?

Please remember that there are still services, for example RPC, that 
use random ports, which might be among those that are open.

> Now, it's my impression that some people who control the packages in
> question and believe in all this security theater more than I do, seem
> to be unwilling to loosen the default firewall. So as a bit of a
> compromise here's what I suggest:
> 
I do not think that security is theater. If the system you are using 
lacks security and someone could copy and/or remove your private or work 
data, then you might have big problems.

> Add a very simple per-interface firewall profile system to
> NetworkManager. Something that is easily reachable from the NM
> applet. Something with just two simple profiles by default: one that
> allows everything for use in trusted networks, and one that just
> allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport
> APs). Admins could then add more profiles if they feel the need for
> it. And one could bind those profiles to specific networks, so that
> people would just have to configure them once. Of course, as
> mentioned, these firewall profiles need to be per-interface so that a
> vpn interface can be trusted, while the underlying WLAN iface doesn't
> have to be trusted.
> 
If there were a mechanism to define the type of an internet 
connection or a network segment, then it would surely be possible to 
make this work even with system-config-firewall. But at the moment there 
is no such mechanism.

Here is the latest request to add a mechanism like this:
https://bugzilla.redhat.com/show_bug.cgi?id=472784

> Lennart
> 

Thomas
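The two-profile, per-interface scheme quoted above, written out as an added example; this is not Fedora, NetworkManager or system-config-firewall code. It prints iptables commands rather than running them, so the result can be reviewed before being piped to sh as root. The profile names, the reading of "allows DNS, HTTP, VPN" as outbound-only filtering, the inclusion of HTTPS and DHCP, and the VPN ports (OpenVPN 1194/udp, IPsec 500/4500/udp) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Fedora/NetworkManager code: per-interface iptables rule
# generation for two profiles, "trusted" and "untrusted". Profile names, the
# outbound-only reading of "DNS, HTTP, VPN", and the port list are assumptions.

# profile_rules IFACE PROFILE: print the rules that bind PROFILE to IFACE.
profile_rules() {
    iface=$1
    profile=$2
    case $profile in
        trusted)
            # Trusted network (e.g. a VPN tunnel): accept everything both ways,
            # but only on this interface. The underlying link keeps its own profile.
            echo "iptables -A INPUT -i $iface -j ACCEPT"
            echo "iptables -A OUTPUT -o $iface -j ACCEPT"
            ;;
        untrusted)
            # Untrusted network (airport AP): replies to our own connections and
            # DHCP answers are the only inbound traffic. Everything else is dropped
            # regardless of port, so a service bound to a random port (RPC) is
            # never reachable from this link, unlike with per-port exceptions.
            echo "iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
            echo "iptables -A INPUT -i $iface -p udp --sport 67 --dport 68 -j ACCEPT"
            echo "iptables -A INPUT -i $iface -j DROP"
            # Outbound: established flows plus DNS, HTTP(S), DHCP and VPN setup.
            echo "iptables -A OUTPUT -o $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
            for spec in "udp 53" "tcp 53" "tcp 80" "tcp 443" "udp 67" "udp 1194" "udp 500" "udp 4500"; do
                set -- $spec   # $1 = protocol, $2 = destination port
                echo "iptables -A OUTPUT -o $iface -p $1 --dport $2 -j ACCEPT"
            done
            echo "iptables -A OUTPUT -o $iface -j DROP"
            ;;
        *)
            echo "unknown profile: $profile" >&2
            return 1
            ;;
    esac
}

# bind_profiles "IFACE=PROFILE ...": the complete rule set for all bound
# interfaces. An interface with no binding falls through to the default
# policy, i.e. unsolicited inbound traffic is dropped there too.
bind_profiles() {
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    for binding in $1; do
        profile_rules "${binding%%=*}" "${binding#*=}" || return 1
    done
}

# Example binding: the WLAN is untrusted, the VPN tunnel running over it is trusted.
bind_profiles "wlan0=untrusted tun0=trusted"
```

Two things worth noting. First, the untrusted profile does not enumerate open ports at all; it drops every unsolicited inbound packet on that interface, which is what makes the random-port RPC problem mentioned above irrelevant on an untrusted link. Second, the binding here is to an interface name, not to a network: something still has to decide that the network currently behind wlan0 is the airport and not the office, which is exactly the missing "type of connection" mechanism the reply points to.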

More information about the fedora-devel-list mailing list