
Re: What I HATE about F11



Lennart Poettering wrote:
> On Mon, 15.06.09 12:41, Thomas Woerner (twoerner redhat com) wrote:
>
>> So, what should happen here? Should we leave the firewall enabled in these cases* by default and require admins to open them? If so, is there any way that we can make this easier in some Packagekit-oriented manner? If not, how should we define that packages indicate that they need ports opened? Should this be handled at install time or run time?
>
> Gah. Allowing packages to pierce the firewall just makes the firewall
> redundant.
>
> I still think that the current firewall situation on Fedora is pretty
> much broken. It's a bit like SELinux: it's one of the first features
> most people disable.
>
>> SELinux and the firewall configuration are trying to make the system secure before something happens. If your system is compromised, then it is far too late to react. If you do not care about security, then disable it and have fun with the results.
>
> You know, there is one big difference between SELinux and the default
> firewall. The former doesn't inhibit the use of an application (at
> least if the policy is written correctly) because it whitelists every
> operation an application should be able to use but nothing else. OTOH
> the default firewall actively breaks a lot of applications we ship by
> default. Most of the time it even does that silently, without
> reporting EPERM or suchlike back to the application.
>
> Really, if SELinux is set up properly nobody should notice it. However
> the default firewall breaks a lot of services, and is hence very much
> noticeable.
>
>> I wonder why other systems are getting more restrictive and secure over time and for Linux people request the opposite direction.
>
> Oh my. I wonder why other systems work by default and Fedora doesn't.
>
> Fedora is the only big distro that enables a firewall by default and
> thus creates a lot of trouble for many users. I think I mentioned that
> before, and I can only repeat it here: we should not ship a firewall
> enabled by default, like we currently do. If an application cannot be
> trusted then it should not be allowed to listen on a port by default
> in the first place. A firewall is an extra layer of security that
> simply hides the actual problem.
>
>> How do you want to get to "it should not be allowed to listen on a port by default"? Maybe with SELinux?
>
> Yes, SELinux is fine for that. Or simply by not shipping the app at
> all if it's shit.

According to your own statement SELinux is disabled for most users. Therefore this is not possible.

Another thing: How do you limit access to a network segment with SELinux? For this you need to have a firewall. Please remember that you might not want to share your database for use in your home office intranet with the world if you are connected to an internet wifi access point while waiting for a flight. Here it should be possible to specify the type of the connection and mark the wifi connection as non-trusted. Changing the configuration of the service itself might lead to a configuration chaos, because you have to be able to configure every service properly according to your black and white lists.

Also do not forget to think about security holes in applications and services. They do exist. Saying that you do not need to have the system as secure as possible, because there is no risk, is like ignoring reality. If you want to drop all packages which have or had at minimum one security problem, then you will end up without any applications and packages.

> Lennart

Thomas

