Bug 1453195

Summary: Default firewall zone seems to be an insecure setting by default
Product: [Fedora] Fedora
Reporter: Rolf Fokkens <rolf>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 25
CC: twoerner
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-05-22 12:05:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Rolf Fokkens 2017-05-22 11:22:50 UTC
Description of problem: Apparently firewalld is open to (m)any IP connections by default for new NetworkManager connections.

When connecting to a new WiFi network only a WiFi password (key) is requested, and next you are connected. The firewall zone for this NM connection is 'Default'.

This 'Default' Zone however is configured in firewall-config (another tool that needs to be installed manually) in Options as Fedora-Workstation. And this implies that MySQL, SSHD etc are all open.

This 'Default' seems very very wrong. When connecting a new WiFi network the 'Default' setting should be 'block'. If users intentionally want to open some network ports they should change this by hand afterwards.


Version-Release number of selected component (if applicable):
firewalld-0.4.4.4-1.fc25.noarch

How reproducible:
Install new Fedora 25, create a WiFi connection in an internet cafe, and enjoy the lack of insecurity that should surprise you

Steps to Reproduce:
1. Install new Fedora 25
2. Create a WiFi connection
3. Start e.g. mysql/ssh or whatever
4. Allow new 'friends' to connect to mysql/ssh or whatever

Actual results:
Open network by default

Expected results:
Closed network by default

Additional info:
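Added example, not part of the bug report and not firewalld's or NetworkManager's own code: a POSIX shell audit that resolves which firewalld zone an interface is bound to (falling back to the default zone, which is how an NM connection whose zone is left at 'Default' is treated), lists what that zone admits, and shows the "change this by hand" step of pinning a connection to the 'block' zone. The `SAMPLE_ZONE_OUTPUT` text is a constructed stand-in for `firewall-cmd --list-all` output so the parsing runs offline; the interface name `wlan0` and the connection name passed to `pin_connection_to_block` are assumptions. The live functions need `firewall-cmd`, `nmcli` and root.

```shell
#!/bin/sh
# Added example, not from the bug report or from firewalld/NetworkManager:
# audit which firewalld zone an interface lands in, list what that zone
# admits, and (optionally) pin the NM connection to the 'block' zone.

# Constructed sample of `firewall-cmd --list-all --zone=FedoraWorkstation`
# output, embedded so the audit logic can be exercised without a live firewalld.
SAMPLE_ZONE_OUTPUT='FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlan0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# exposed_entries ZONE_OUTPUT: print each admitted service and port, one per
# line, prefixed with its kind. Only the "services:" and "ports:" lines count;
# "source-ports:" and "forward-ports:" are deliberately not matched.
exposed_entries() {
    printf '%s\n' "$1" | awk '
        /^ *services:/ { for (i = 2; i <= NF; i++) print "service " $i }
        /^ *ports:/    { for (i = 2; i <= NF; i++) print "port " $i }
    '
}

# exposed_count ZONE_OUTPUT: number of admitted entries; 0 means the zone
# accepts no unsolicited inbound connections, which is what the reporter
# expects of a fresh WiFi connection.
exposed_count() {
    exposed_entries "$1" | wc -l | tr -d ' '
}

# zone_of_interface IFACE: on a real host, ask firewalld which zone the
# interface is bound to; an unbound interface is governed by the default zone.
zone_of_interface() {
    zone=$(firewall-cmd --get-zone-of-interface="$1" 2>/dev/null)
    [ -n "$zone" ] || zone=$(firewall-cmd --get-default-zone)
    printf '%s\n' "$zone"
}

# audit_interface IFACE: live audit of one interface (needs firewall-cmd).
audit_interface() {
    zone=$(zone_of_interface "$1")
    out=$(firewall-cmd --list-all --zone="$zone")
    printf 'interface %s is in zone %s, admitting %s entries:\n' \
        "$1" "$zone" "$(exposed_count "$out")"
    exposed_entries "$out"
}

# pin_connection_to_block CONNECTION_NAME: the manual hardening step. Setting
# the NM connection's zone makes firewalld place its interface in 'block' on
# every (re)connect, instead of the default zone. Needs NetworkManager + root.
pin_connection_to_block() {
    nmcli connection modify "$1" connection.zone block &&
    nmcli connection up "$1"
}

# Stand-alone demonstration against the constructed sample.
printf 'sample zone admits %s entries:\n' "$(exposed_count "$SAMPLE_ZONE_OUTPUT")"
exposed_entries "$SAMPLE_ZONE_OUTPUT"
```

On a live Fedora host, `audit_interface wlan0` (interface name assumed) shows the zone the WiFi interface actually landed in and everything that zone lets through; a non-zero count on an untrusted network is the condition the report describes, and `pin_connection_to_block "<connection name>"` is the per-connection fix the reporter suggests users apply by hand.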

Comment 1 Thomas Woerner 2017-05-22 12:05:16 UTC
I am sorry, there is nothing I can do about this:

https://pagure.io/fesco/issue/1372#comment-27998

https://bugzilla.redhat.com/show_bug.cgi?id=1172353#c11

*** This bug has been marked as a duplicate of bug 1172353 ***

Comment 2 Rolf Fokkens 2017-05-22 12:52:09 UTC
This is deeply concerning. Every committee/wg points to another committee/wg, and since Fedora 21 nothing has been done?

Ah, why worry. It's only security.