On Tue, Aug 27, 2019 at 06:58:06AM -0700, John Harris wrote: > On Tuesday, August 27, 2019 4:37:24 AM MST David Kaufmann wrote: >> Both option have their disadvantages - in the case of "maintainer opens >> ports" the ports are open as soon as the package gets installed, and >> software not run/installed via package manager will give the impression >> of "just not working". > > Why in the world would somebody from the security team recommend opening a > port on the firewall as the software is installed, before it's even > configured?
I'm not trying to recommend it, this is already done, e.g. for mdns, samba-client, or ssh. (To be fair that happens on os install, not necessarily on package install) I'm trying to list the problems with those options. >> Also a firewall is not that much protection as it looks like - imagine >> any port (above 1024) which was opened on the firewall (either by >> maintainer or user), but where no program is listening on. The >> additional barrier to run e.g. a c&c server on that machine would just >> be an additional portscan in before deploying the malware. > > Just running a firewall reduces the attack vector needed to deploy potential > malware to begin with. Very true. Unfortunately it is usually done to shield services which should not be there in the first place. Also stuff like rate-limiting or ip-header-checks are usually done by firewalls, hence my emphasis on making sure users don't start to disable the whole firewall because it is "easier". ~ David
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
