Description of problem:
Apparently firewalld is open to (m)any IP connections by default for new NetworkManager connections. When connecting to a new WiFi network only a WiFi password (key) is requested, and next you are connected. The firewall zone for this NM connection is 'Default'. This 'Default' Zone however is configured in firewall-config (another tool that needs to be installed manually) in Options as Fedora-Workstation. And this implies that MySQL, SSHD etc. are all open. This 'Default' seems very very wrong. When connecting a new WiFi network the 'Default' setting should be 'block'. If users intentionally want to open some network ports they should change this by hand afterwards.

Version-Release number of selected component (if applicable):
firewalld-0.4.4.4-1.fc25.noarch

How reproducible:
Install new Fedora 25, create a WiFi connection in an internet cafe, and enjoy the lack of insecurity that should surprise you.

Steps to Reproduce:
1. Install new Fedora 25
2. Create a WiFi connection
3. Start e.g. mysql/ssh or whatever
4. Allow new 'friends' to connect to mysql/ssh or whatever

Actual results:
Open network by default

Expected results:
Closed network by default

Additional info:
I am sorry, there is nothing I can do about this:
https://pagure.io/fesco/issue/1372#comment-27998
https://bugzilla.redhat.com/show_bug.cgi?id=1172353#c11

*** This bug has been marked as a duplicate of bug 1172353 ***
This is deeply concerning. Every committee/wg points to another committee/wg, and since Fedora 21 nothing has been done? Ah, why worry. It's only security.
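
One way to check the exposure described in the report at the top of this thread, as an added example that is not part of the bug report or of firewalld itself: two shell helpers that read `firewall-cmd --list-all` output and say whether a given port or service is admitted by the zone. The zone name `ExampleZone`, the interface name and the sample listing are constructed for illustration, and the helper names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=<zone> --list-all` output
# (illustrative only, not captured from a real host).
SAMPLE_ZONE='ExampleZone (active)
  target: default
  interfaces: wlp3s0
  services: dhcpv6-client ssh
  ports: 1025-65535/tcp 1025-65535/udp'

# port_allowed PORT PROTO
# Reads --list-all text on stdin; returns 0 if the "ports:" line
# admits PORT/PROTO, either as a single port or inside a range.
port_allowed() {
    awk -v p="$1" -v proto="$2" '
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                split($i, spec, "/")          # spec[1]=port or range, spec[2]=proto
                if (spec[2] != proto) continue
                n = split(spec[1], r, "-")
                lo = r[1] + 0
                hi = (n == 2 ? r[2] : r[1]) + 0
                if (p + 0 >= lo && p + 0 <= hi) found = 1
            }
        }
        END { exit(found ? 0 : 1) }'
}

# service_allowed NAME
# Reads --list-all text on stdin; returns 0 if NAME is on the "services:" line.
service_allowed() {
    awk -v s="$1" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == s) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# On a live host (firewalld must be running):
#   zone=$(firewall-cmd --get-default-zone)
#   firewall-cmd --zone="$zone" --list-all | port_allowed 3306 tcp \
#       && echo "3306/tcp is reachable in default zone $zone"
#   firewall-cmd --set-default-zone=block                  # default for new connections
#   nmcli connection modify "<name>" connection.zone block  # pin one connection
```

A connection with no zone set in NetworkManager falls into the firewalld default zone, so both the default zone and any per-connection `connection.zone` value need checking.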