Bug 446828
| Summary: | Firewall should not block Multicast DNS and CUPS by default | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tim Niemueller <tim> |
| Component: | system-config-firewall | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9 | CC: | aquarichy, bloch, bnocera |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2008-07-22 13:10:26 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
Tim Niemueller
2008-05-16 11:06:34 UTC
I am sorry, but this is not a good example, because "Aunt Tilda" might not want to share with the whole world. Also sharing a printer over a ppp or isdn line might not be a good idea in general. What if you want to share it in the intranet only and not with anyone else in the world? Opening ports or services per default is a security risk.

Multicast DNS does not use any point-to-point connections by design unless explicitly enabled in the config file, so PPP/ISDN/DSL/whatever connections are not a problem. Also it is only enabled for link-local peers. I can understand that for example in a cafe with a wifi hotspot you'd like this disabled. Maybe this should be integrated with NetworkManager in that case to allow disabling certain services for connections. This pretty quickly comes down to a FirewallKit... Not providing a sensible and easy way (and s-c-f does not count as such) just gives a very bad experience. Especially since the requested ports are only relevant on the local network they do not pose the classical "attack over the internet" risk. SSH is open by default; based on the recent events this is much more dangerous than multicast service discovery/name lookup and announcing printers, I'd say. Besides that I didn't see any related issues in Avahi, I think it has a pretty good track record. I'm also not aware of a problem in CUPS that was related to the browsing functionality. I'm not saying that because there has been no problem there will be no problem, but using these services over the past years has not been a problem.

The initial firewall configuration is done in anaconda, therefore this bug should be assigned to anaconda; it should enable the desktop defaults for the firewall. Where are desktop defaults defined? Should we re-assign to anaconda then? Especially if this is meant to be the desktop firewall I'd say to enable these ports to make networking just work.

An option to set a fixed port for file sharing would be cool though, to be able to allow this to work with the standard firewall as well. anaconda is using lokkit for the initial firewall configuration anyway to open the ssh port. It simply can use "lokkit --default=desktop" for a desktop and "lokkit --default=server" for a server machine.
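The discussion above turns on the point that these ports only matter on the local link, so the firewall rule can say so instead of opening the port to every source. The script below is an added illustration, not code from this bug report, from lokkit or from system-config-firewall: it emits the wide-open rule the report argues against next to rules scoped to the mDNS multicast group (UDP 5353 to 224.0.0.251) and to CUPS browsing (UDP 631) from a LAN subnet on a LAN interface, and it counts how many ACCEPT rules in a ruleset are still unscoped. The interface name and the LAN CIDR are caller-supplied assumptions; the script only prints rules and does not touch a live firewall.

```shell
#!/bin/sh
# Added example (not from the bug report, lokkit or s-c-f): print iptables
# rules that admit mDNS and CUPS browsing only from the local link/subnet
# rather than from any peer. Port numbers are the well-known ones:
# mDNS = UDP 5353 to multicast group 224.0.0.251, CUPS browsing = UDP 631.

# The default the report objects to: the port accepted from anywhere.
open_rule() {
    # $1 = UDP port
    printf 'iptables -A INPUT -p udp --dport %s -j ACCEPT\n' "$1"
}

# mDNS is link-local by design: only accept datagrams addressed to the
# multicast group and only on the LAN interface, so ppp/isdn links stay shut.
mdns_rules() {
    # $1 = LAN interface name (assumed value, e.g. eth0)
    printf 'iptables -A INPUT -i %s -p udp -d 224.0.0.251/32 --dport 5353 -j ACCEPT\n' "$1"
}

# CUPS browse announcements only from the local subnet on the LAN interface.
cups_browse_rules() {
    # $1 = LAN interface name, $2 = LAN CIDR (constructed, e.g. 192.168.1.0/24)
    printf 'iptables -A INPUT -i %s -p udp -s %s --dport 631 -j ACCEPT\n' "$1" "$2"
}

# Returns 0 when a rule carries an interface, source or destination
# restriction, 1 when it would accept traffic from any peer.
rule_is_scoped() {
    case "$1" in
        *" -i "*|*" -s "*|*" -d "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read a ruleset on stdin and print the number of unscoped ACCEPT rules.
count_unscoped() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *"-j ACCEPT"*) rule_is_scoped "$line" || n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Stand-alone demo: two wide-open rules versus two scoped ones.
if [ "${0##*/}" = "scoped_rules.sh" ]; then
    { open_rule 5353; open_rule 631; mdns_rules eth0; cups_browse_rules eth0 192.168.1.0/24; } \
        | tee /dev/stderr | count_unscoped
fi
```

Run the rule-generating functions with your own interface name and subnet; feeding the output of `iptables -S INPUT` into `count_unscoped` gives a quick count of ACCEPT rules that are not tied to an interface, source or destination, which is the review a desktop default should pass before it is shipped.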