Bug 1745728

Summary: Firewall disabled by default on Fedora Workstation
Product: [Fedora] Fedora
Reporter: Vitaly <vitaly>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 32
CC: bugzilla, egarver
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2020-04-19 06:43:48 UTC
Type: Bug

Description Vitaly 2019-08-26 18:30:16 UTC
Description of problem:
Fedora Workstation since version 22 has had the firewall disabled by default, with the port range 1025-65535 opened on both the TCP and UDP protocols.

Version-Release number of selected component (if applicable):
Any.

How reproducible:
Always.

Steps to Reproduce:
1. Download Fedora Workstation Live and install system.
2. Run firewall-cmd --list-all
3.

Actual results:
Default zone is FedoraWorkstation.

Expected results:
Default zone should be public.

Additional info:
$ firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
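As an added example that is not part of this bug report: a small shell audit that parses `firewall-cmd --list-all` output (the constructed sample below reproduces the zone dump quoted above) and flags any opened port entry wider than a threshold, which is exactly the condition the reporter objects to. The `audit_live_zone` wrapper is a hypothetical convenience name, not a firewalld command.

```shell
#!/bin/sh
# Constructed sample: the FedoraWorkstation zone dump quoted in the report.
SAMPLE_ZONE='FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no'

# wide_port_ranges ZONE_DUMP [MAX_WIDTH]
# Reads a "firewall-cmd --list-all" dump and prints one line
# "<proto> <low> <high> <width>" for every entry on the "ports:" line
# whose range covers more than MAX_WIDTH ports (default 100).
# Returns 0 when no entry exceeds the threshold, 1 when at least one does.
wide_port_ranges() {
    zone_dump="$1"; max_width="${2:-100}"
    printf '%s\n' "$zone_dump" | awk -v max="$max_width" '
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                split($i, pp, "/")          # "1025-65535/udp" -> spec, proto
                n = split(pp[1], r, "-")    # single port or low-high range
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                width = hi - lo + 1
                if (width > max) {
                    found = 1
                    printf "%s %d %d %d\n", pp[2], lo, hi, width
                }
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# Hypothetical wrapper for a live host: feeds the real dump of the
# active zone into the check above (requires firewalld; not used by tests).
audit_live_zone() {
    wide_port_ranges "$(firewall-cmd --list-all)" "${1:-100}"
}
```

Run against the sample, the check reports both 1025-65535 entries (64511 ports each) and exits non-zero, so it can be dropped into a host-hardening or CI check; a zone that only opens individual ports or small ranges passes.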

Comment 1 Eric Garver 2019-08-26 19:26:23 UTC
(In reply to Vitaly Zaitsev from comment #0)
> Description of problem:
> Fedora Workstation since version 22 has had the firewall disabled by default,
> with the port range 1025-65535 opened on both the TCP and UDP protocols.

I'm not sure what you're reporting. Please clarify.
Are you saying firewalld is disabled, but should be enabled?
Are you saying port 1025-65535 should _not_ be opened?
Does the above only apply to the Live CD?

[..]
> Actual results:
> Default zone is FedoraWorkstation.
> 
> Expected results:
> Default zone should be public.

For Fedora it is expected that FedoraWorkstation is the default zone.

Comment 2 Vitaly 2019-08-26 21:28:12 UTC
> Are you saying firewalld is disabled, but should be enabled?

The FedoraWorkstation zone is set by default with the port range 1025-65535 opened.

> Are you saying port 1025-65535 should _not_ be opened?

All ports must be opened explicitly by the user when needed.

> Does the above only apply to the Live CD?

Both the Fedora Workstation LiveCD and a system installed from it.

> For Fedora it is expected that FedoraWorkstation is the default zone.

With 1025-65535 ports opened? This is a major security vulnerability.

Mailing lists discussion: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/GUAWCR2C7OSVKVXUYHOHWNIBGFVSYK65/

Comment 3 Eric Garver 2019-08-27 15:33:54 UTC
(In reply to Vitaly Zaitsev from comment #2)
> > Are you saying firewalld is disabled, but should be enabled?
> 
> The FedoraWorkstation zone is set by default with the port range 1025-65535 opened.
> 
> > Are you saying port 1025-65535 should _not_ be opened?
> 
> All ports must be opened explicitly by the user when needed.
> 
> > Does the above only apply to the Live CD?
> 
> Both the Fedora Workstation LiveCD and a system installed from it.
> 
> > For Fedora it is expected that FedoraWorkstation is the default zone.
> 
> With 1025-65535 ports opened? This is a major security vulnerability.
> 
> Mailing lists discussion:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/
> thread/GUAWCR2C7OSVKVXUYHOHWNIBGFVSYK65/

Thanks for the pointer. From the thread it seems like this was a decision made many years ago by the Workstation SIG. We'll see where the conversation heads.

FWIW, my opinion is we should not be opening up all these ports. They're making firewalld ineffective. Nowadays, allowing programs to use privileged ports can be disallowed by SELinux [1]. Perhaps this is a better fit for Fedora Workstation.

[1] https://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388

Comment 4 Ben Cotton 2020-02-11 17:57:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 5 Chris Murphy 2020-04-19 06:43:48 UTC
The two outstanding problems: applications that don't work when the higher ports aren't open, and whose upstreams refuse to fix them, is my understanding. And we can't have the UX being that this burdens users with having to troubleshoot; the other is that the GUI app is considered overly complicated for mortal users. So there's a bunch of design and implementation work implied here, rather than a bug. I think it's probably better to start up a new discussion on the desktop@ list [1], and help try to figure out a solution to some of these problems. Thanks.

[1] https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.org/