Bug 1745728 - Firewall disabled by default on Fedora Workstation
Summary: Firewall disabled by default on Fedora Workstation
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 32
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-08-26 18:30 UTC by Vitaly
Modified: 2020-04-19 06:43 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-19 06:43:48 UTC
Type: Bug
Embargoed:



Description Vitaly 2019-08-26 18:30:16 UTC
Description of problem:
Fedora Workstation since version 22 has had the firewall effectively disabled by default, with the port range 1025-65535 open on both TCP and UDP.

Version-Release number of selected component (if applicable):
Any.

How reproducible:
Always.

Steps to Reproduce:
1. Download Fedora Workstation Live and install system.
2. Run firewall-cmd --list-all

Actual results:
Default zone is FedoraWorkstation.

Expected results:
Default zone should be public.

Additional info:
$ firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
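
The following is an added example, not code from the bug report or from the firewalld project: a small audit that parses the text of `firewall-cmd --list-all` (the embedded sample is constructed to match the zone dump quoted above) and flags any entry on the `ports:` line that opens a wide range. The threshold of 100 ports is an arbitrary assumption for this example.

```shell
# Added example (not from the bug report): audit a firewalld zone dump for
# port entries that open a wide range. The sample below is constructed to
# match the `firewall-cmd --list-all` output quoted in the report.
SAMPLE_ZONE_DUMP='FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the entries of the "ports:" line, one per line (e.g. 1025-65535/udp).
# "forward-ports:" and "source-ports:" do not match because $1 must be exactly "ports:".
list_open_ports() {
    printf '%s\n' "$1" | awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }'
}

# Number of ports one entry covers: "22/tcp" -> 1, "1025-65535/tcp" -> 64511.
port_entry_width() {
    spec=${1%/*}        # drop the "/tcp" or "/udp" suffix
    lo=${spec%-*}       # for a single port, lo and hi end up as the same value
    hi=${spec#*-}
    echo $(( hi - lo + 1 ))
}

# Print every entry wider than the threshold (default 100 ports, an arbitrary
# choice for this example) and return 0 if any was found, 1 otherwise.
find_wide_port_ranges() {
    dump=$1
    threshold=${2:-100}
    found=1
    for entry in $(list_open_ports "$dump"); do
        if [ "$(port_entry_width "$entry")" -gt "$threshold" ]; then
            echo "$entry"
            found=0
        fi
    done
    return $found
}

# Audit the active zone when firewalld is available; otherwise fall back to
# the constructed sample so the check still runs offline.
audit_active_zone() {
    if command -v firewall-cmd >/dev/null 2>&1 && dump=$(firewall-cmd --list-all 2>/dev/null); then
        find_wide_port_ranges "$dump"
    else
        find_wide_port_ranges "$SAMPLE_ZONE_DUMP"
    fi
}
```

On a Fedora Workstation install, `audit_active_zone` reads the live active zone; on any other machine it runs against the constructed sample. The change the reporter asks for in the expected results can be made with firewall-cmd's own options: `firewall-cmd --permanent --zone=FedoraWorkstation --remove-port=1025-65535/tcp`, the same with `--remove-port=1025-65535/udp`, then `firewall-cmd --reload`; or switch zones with `firewall-cmd --set-default-zone=public`.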

Comment 1 Eric Garver 2019-08-26 19:26:23 UTC
(In reply to Vitaly Zaitsev from comment #0)
> Description of problem:
> Fedora Workstation since version 22 has disabled by default firewall with
> opened port range 1025-65535 both on tcp and udp protocols.

I'm not sure what you're reporting. Please clarify.
Are you saying firewalld is disabled, but should be enabled?
Are you saying port 1025-65535 should _not_ be opened?
Does the above only apply to the Live CD?

[..]
> Actual results:
> Default zone is FedoraWorkstation.
> 
> Expected results:
> Default zone should be public.

For Fedora it is expected that FedoraWorkstation is the default zone.

Comment 2 Vitaly 2019-08-26 21:28:12 UTC
> Are you saying firewalld is disabled, but should be enabled?

The FedoraWorkstation zone is set by default with the port range 1025-65535 open.

> Are you saying port 1025-65535 should _not_ be opened?

All ports must be opened explicitly by the user when needed.

> Does the above only apply to the Live CD?

Both the Fedora Workstation LiveCD and a system installed from it.

> For Fedora it is expected that FedoraWorkstation is the default zone.

With ports 1025-65535 open? This is a major security vulnerability.

Mailing lists discussion: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/GUAWCR2C7OSVKVXUYHOHWNIBGFVSYK65/

Comment 3 Eric Garver 2019-08-27 15:33:54 UTC
(In reply to Vitaly Zaitsev from comment #2)
> > Are you saying firewalld is disabled, but should be enabled?
> 
> FedoraWorkstation zone set by default with opened port range 1025-65535.
> 
> > Are you saying port 1025-65535 should _not_ be opened?
> 
> All ports must be opened explicitly by user when needed.
> 
> > Does the above only apply to the Live CD?
> 
> Both Fedora Workstation LiveCD and installed system from it.
> 
> > For Fedora it is expected that FedoraWorkstation is the default zone.
> 
> With 1025-65535 ports opened? This is a major security vulnerability.
> 
> Mailing lists discussion:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/GUAWCR2C7OSVKVXUYHOHWNIBGFVSYK65/

Thanks for the pointer. From the thread it seems like this was a decision made many years ago by the Workstation SIG. We'll see where the conversation heads.

FWIW, my opinion is we should not be opening up all these ports. They're making firewalld ineffective. Nowadays allowing programs to use privileged ports can be disallowed by SELinux [1]. Perhaps this is a better fit for Fedora Workstation.

[1] https://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388

Comment 4 Ben Cotton 2020-02-11 17:57:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 32 development cycle.
Changing version to 32.

Comment 5 Chris Murphy 2020-04-19 06:43:48 UTC
The two outstanding problems: applications that don't work when the higher ports aren't open, and their upstreams refuse to fix them, is my understanding. And we can't have the UX being that this burdens users with having to troubleshoot; the other is that the GUI app is considered overly complicated for mortal users. So there's a bunch of design and implementation work implied here, rather than a bug. I think it's probably better to start up a new discussion on the desktop@ list [1], and help try to figure out a solution to some of these problems. Thanks.

[1] https://lists.fedoraproject.org/archives/list/desktop@lists.fedoraproject.org/
