Hello,

2014-04-16 14:28 GMT+02:00 Josh Boyer <jwbo...@fedoraproject.org>:
> For a quick summary:
>
> 1) With a firewall enabled, network services don't work without manual
> intervention.

To be perfectly clear, the vast majority of network applications work perfectly fine. Network *servers* need manual intervention.

> 2) With firewalld active, any privileged application can open a port
> in the firewall (and most will be privileged because they will be
> packaged that way.)

No; most applications are not packaged in any way to get extra privilege to manage a firewall, and they *shouldn't*; applications poking holes in a firewall for themselves is pointless cargo-cult nonsense.

Some *user accounts* (members of wheel) are set up to be sufficiently privileged/root-equivalent so that they can open a port, but they really *are* root-equivalent, so the specifics of what they can do to the firewall are not much relevant... at that point you really either trust all software you run, or not.

There *could* be applications specifically designed to open a port in the firewall even for unprivileged users (e.g. by having a separate privileged helper talk to firewalld); I don't think there actually are any.

> 3) With no firewall enabled and no network services started, there is
> no security issue because there are no open ports.

There still are all the security issues with outgoing communication; in particular, the browser does matter (much more than, say, portmap) and the firewall cannot protect it.

> 4) With no firewall but active network services, you have open ports
> just as you would in the firewalld or manual intervention firewall
> case

No, because 2) is false... or yes for the wheel-member users.
    Mirek
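The exchange above turns on the difference between a port the firewall permits and a server actually listening on a non-loopback address: a host is only reachable on a port where both hold. The following shell script is an added example, not code from the thread or from Fedora/firewalld; it correlates the two views. The `ss -Hltn`-style socket listing and the `firewall-cmd --list-ports`-style port list are constructed sample strings (assumptions), so it runs offline; on a real host you would substitute the output of those commands.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): classify TCP ports by
# combining what is listening with what the firewall permits.

# Constructed sample standing in for `ss -Hltn` output; field 4 is Local Address:Port.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 128 [::1]:25 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# Constructed sample standing in for `firewall-cmd --list-ports` output.
SAMPLE_FW='22/tcp 80/tcp 443/tcp'

# listening_ports SS_OUTPUT -> space-separated TCP ports bound on non-loopback addresses.
# Loopback-only listeners (127.0.0.1, [::1]) are not reachable from the network,
# so they are excluded from the reachable set.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "[::1]") print port
    }' | sort -un | xargs
}

# allowed_tcp_ports FW_OUTPUT -> space-separated TCP ports the firewall permits.
allowed_tcp_ports() {
    for p in $1; do
        case $p in *"/tcp") printf '%s\n' "${p%/tcp}" ;; esac
    done | sort -un | xargs
}

# exposed_ports SS FW -> listening on a non-loopback address AND permitted: reachable.
exposed_ports() {
    lp=$(listening_ports "$1"); ap=$(allowed_tcp_ports "$2")
    for p in $lp; do
        case " $ap " in *" $p "*) printf '%s\n' "$p" ;; esac
    done | xargs
}

# shadowed_ports SS FW -> a server is listening but the firewall filters it.
shadowed_ports() {
    lp=$(listening_ports "$1"); ap=$(allowed_tcp_ports "$2")
    for p in $lp; do
        case " $ap " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
    done | xargs
}

# unused_openings SS FW -> permitted by the firewall but nothing listens there.
# This is a rule with no effect today, not an exposure.
unused_openings() {
    lp=$(listening_ports "$1"); ap=$(allowed_tcp_ports "$2")
    for p in $ap; do
        case " $lp " in *" $p "*) ;; *) printf '%s\n' "$p" ;; esac
    done | xargs
}

# Stand-alone run over the constructed samples.
echo "reachable (listening + permitted): $(exposed_ports "$SAMPLE_SS" "$SAMPLE_FW")"
echo "shadowed  (listening, filtered):   $(shadowed_ports "$SAMPLE_SS" "$SAMPLE_FW")"
echo "unused    (permitted, no server):  $(unused_openings "$SAMPLE_SS" "$SAMPLE_FW")"
```

With the samples, only 22 and 80 are reachable: 631 and 25 are loopback-only (no firewall rule needed to keep them unreachable), 8080 has a server but is filtered, and 443 is permitted but idle. Running it against live `ss -Hltn` and `firewall-cmd --list-ports` output gives the same three-way split for a real host.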
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct