#1372 "Workstation" Product defaults to wide-open firewall
Closed None Opened 4 years ago by kkofler.

= phenomenon =
The Fedora 21 "Workstation" Product defaults to keeping the firewall wide-open (ALL ports >1024 are open), in IMHO clear contempt of FESCo's previous decision (see #1301) of not allowing the firewall to be disabled, given that what they shipped effectively almost amounts to leaving the firewall disabled entirely. This means Fedora 21 Workstation (the product promoted as the default Fedora product) ships with a major security vulnerability.

See [https://lists.fedoraproject.org/pipermail/devel/2014-December/205010.html this lengthy devel mailing list thread] and [https://bugzilla.redhat.com/show_bug.cgi?id=1172353 RH#1172353 in Bugzilla].

= reason =
Either FESCo did not clearly communicate the expectations to the Workstation WG (#1301 mentions that there was also some internal dissent), or the Workstation WG deliberately did not want to understand them. Either way, any requests to change this dangerous default setup are falling on deaf ears.

= recommendation =
Require that the firewall configuration be modified to close all these ports in a Fedora 21 security update as soon as possible.

I would additionally recommend to drop the idea of product-specific configuration entirely for Fedora 22, given that this is what it had lead to, and all the issues the implementation is causing (different conflicting fedora-release-* packages, the requirement for the --product=* !FedUp option, etc.).


My own two cents -- I'm happy with product-specific configurations, but perhaps during this transition FedUp should get some smarts - make it try and infer the way the current F20 installation is used if the product is not given manually, and then ask the user to confirm or override this inferred value.

Replying to [ticket:1372 kkofler]:

= reason =
Either FESCo did not clearly communicate the expectations to the Workstation WG (#1301 mentions that there was also some internal dissent), or the Workstation WG deliberately did not want to understand them. Either way, any requests to change this dangerous default setup are falling on deaf ears.

Not making the changes you request doesn't mean it "fell on deaf ears". All the comments on this thread have been replied to.

Replying to [ticket:1372 kkofler]:

I would additionally recommend to drop the idea of product-specific configuration entirely...

Isn't that the '''entire point''' of different products? i.e. we allow the cloud product choose different defaults to the workstation product?

Well, if that's the entire point (I still don't understand what the point of Products is supposed to be), then we can just do away with Products entirely and make everything into Spins.

Replying to [comment:7 hadess]:

Replying to [ticket:1372 kkofler]:

= reason =
Either FESCo did not clearly communicate the expectations to the Workstation WG (#1301 mentions that there was also some internal dissent), or the Workstation WG deliberately did not want to understand them. Either way, any requests to change this dangerous default setup are falling on deaf ears.

Not making the changes you request doesn't mean it "fell on deaf ears". All the comments on this thread have been replied to.

Just because a reply was given does not mean a satisfactory reason was provided.

For me personally, despite all other issues I raise, the crux of this matter, as raised in the BZ is:

"Users are intentionally deceived. When they look they will see "firewall is active" without realising that it practically amounts to "open". We are taking control away from our users."

This means that while firewalld reports it is in a "secure" state, 98% or more of the systems ports are open. Given how large this number is, the firewall may as well be "disabled".

Fesco ticket 1301 ( https://fedorahosted.org/fesco/ticket/1301 ) states:

"agreed Change is rejected (-5,+2,0)

There was additional discussion around asking firewalld and workstation folks to try and come up with a better setup as well."

And:

" That starting point is the relatively trusting and open "home" zone (which was why it was chosen as a contingency). "

This change was rejected. For token reasons, firewalld is enabled, with 98% of it's ports open. As far as I am viewing this, firewalld may as well be disabled at this point. Additionally, this statement says relatively trusting, not completely open.

I want to propose that:

  • The change allowing port 1024 - 65535 be overturned, and removed thus resolving the BZ.

I would also suggest that:

  • That firewalld team be worked with more to provide a better solution to the application-port opening issue, than defaulting to open. Many suggestions have been provided such as DBUS api's or otherwise.

Sincerely,

William

adding meeting keyword.

(I apologize, I am on a (very brief pause from a) vacation, I have read nothing of the devel@ thread and may be generally completely off-base.)

I am afraid I won’t be able to join today’s FESCo meeting.

Any of “the Workstation WG has autonomy in this matter”, “keep the current status”, “set up a more restrictive firewall by default” are at least minimally plausible resolutions to this ticket, even if I don’t think all three are the best options at the same time ☺ (I have been somewhat involved in the current Workstation defaults, so I won’t advocate to tighten them in this ticket. But that’s all I have time for to write now.)

However, if the FESCo discussion went in the direction of having applications open their own firewall ports, as e.g. comment #14 suggests, I very strongly disagree and I therefore want to ask FESCo to defer the final decision to January if the discussion did go in this direction, to allow me to argue against it.

I have an appointment at the same time as the meeting today. Therefore I want to ask if it would be possible to move the discussion and decision to an other FESCo meeting.

Replying to [comment:19 twoerner]:

I have an appointment at the same time as the meeting today. Therefore I want to ask if it would be possible to move the discussion and decision to an other FESCo meeting.

This would be good for us as well, since Bastien is on an airplane.

This will be on the agenda for tomorrow's FESCo meeting. Consider this a reminder to interested participants to attend.

AGREED: FESCo trusts the Workstation WG to properly research and develop a sensible firewall solution and will stay out of the way. (+5, 3, -0) (sgallagh, 18:40:04)

Login to comment on this ticket.

Metadata