Description of problem: FedoraWorkstation ships with a policy that allows ports 1024-65535 both tcp and udp to be open. This is a critical security issue within the product as we are radically changing behaviour and expectation. * Users are intentionally deceived. When they look they will see "firewall is active" without realising that it practically amounts to "open". We are taking control away from our users. * Exploited applications are now more easily able to communicate back to C&C systems. Most applications are not "sandboxed", and even if they were, this sandboxing is not an excuse to open up other parts of the system. * In some circumstances the impact may be wider than the "local network" especially when you consider ipv6. This has been getting extensive discussion and resistance on the fedora-devel mailing list. I would like to see these rules removed from firewalld, as to reiterate, we are deceiving users when we claim the firewall is active, when the reality is that it is wide open.
Discussion's URL https://lists.fedoraproject.org/pipermail/devel/2014-December/205010.html
> * Exploited applications are now more easily able to communicate back to C&C > systems. Most applications are not "sandboxed", and even if they were, this > sandboxing is not an excuse to open up other parts of the system. As was pointed out on the ist, this is not true. The firewall has never stopped outgoing connections, so a change in firewall policy cannot make 'communicating back' any easier.
FESCo ticket filed: https://fedorahosted.org/fesco/ticket/1372
(In reply to Matthias Clasen from comment #2) > > * Exploited applications are now more easily able to communicate back to C&C > > systems. Most applications are not "sandboxed", and even if they were, this > > sandboxing is not an excuse to open up other parts of the system. > > As was pointed out on the ist, this is not true. The firewall has never > stopped outgoing connections, so a change in firewall policy cannot make > 'communicating back' any easier. It allows new sockets to be formed presenting another possible attack or re-entry surface, or easier ways to make persistent malware possible.
Agreed. This is really a bad joke, especially the argumentation of Bastien Nocera on that mailing list.
Shouldn't "firewall-cmd --set-default-zone=FedoraServer" or " firewall-cmd --set-default-zone=block" workaround the problem?
The problem is not that it's not possible to fix the firewall configuration (it is), but that it is insecure (and IMHO broken) by default. Most users won't even realize that the default configuration is totally insecure, and even if they do, the best GUI way to fix it is not installed by default either. (It is possible to set it for every networking interface in the default GUI, but that means that if a new interface is installed, it still defaults to insecure. Setting the global default is only possible with the firewall-cmd command-line tool, or by manually installing and running firewall-config. Neither is discoverable for the very kind of user the insecure default was allegedly set for, the "not technically competent" user.)
Kevin, thanks, but I understood that the discussion was about the default. Since I am relatively new to Fedora and therefore firewalld, the question I meant to ask in comment 6 was rather: "Does firewall-cmd --set-default-zone=block take care of the problem in reliable way or is the insecure zone still used by some stuff?"
(In reply to Helmut Horvath from comment #8) > "Does firewall-cmd --set-default-zone=block take care of the problem > in reliable way or is the insecure zone still used by some stuff?" Yes, that should take care of the problem unless you've explicitly set some interface/connection to be in FedoraWorkstation zone.
Hit this issue this morning. IMHO the notion of a wide-open firewall is an oxymoron and a dangerous deception. If the default is wide-open, then why even install a firewall at all? Who are we trying to fool? Having a wide-open default state on the Workstation product adds a new complexity and risk in meeting our industry security compliance requirements. For example, I now have to ensure the default zone is not Workstation; and ensure that future updates don't change that; and ensure that libvirt interfaces are added to firewalld and assigned to a sensible zone (i.e. not block) before creation; and maintain an audit that machines are compliant, etc. For the added effort, what do I get as a benefit from the default configuration of being wide open?
Bugzilla is not an appropriate forum for comments on the firewall policy; please use <desktop.org>. See the archives of that list for copious discussion on the matter. Thanks!
*** Bug 1453195 has been marked as a duplicate of this bug. ***