Re: F21 System Wide Change: Workstation: Disable firewall


 



On Tue, Apr 15, 2014 at 10:00 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
> On 15.04.2014 18:51, Andrew Lutomirski wrote:
>> On Tue, Apr 15, 2014 at 9:44 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>>
>>>
>>> On 15.04.2014 17:40, Andrew Lutomirski wrote:
>>>> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>>
>>>
>>>> How about having an API where things like DLNA can simply
>>>> not run until you're connected to your home network?
>>>
>>> you can prove that this will always happen the right way?
>>> you can implement software *for sure* knowing the fact
>>> what my home network is? if you can do that you get rich!
>>
>> Does the firewall really help?
>
> yes, because there is no single port reachable after the
> installation and you can at least install security updates
> released after the GA of the current Fedora setup until
> you have a port open

This is true even without the firewall.  I'd argue that one of the
Workstation release requirements should be that a default installation
opens no ports to the outside world.

>> Your already-known-to-be-malicious television can mess with
>> ARP or DHCP, intercept an HTTP request, and CSRF the crap
>> running on your computer.
>
> my television can do a CSRF?

If you browse to a page served by your television, it can certainly
send you a CSRF payload.  Whether or not it works depends on whether
any services running on your box are vulnerable.

> my television can send me a mail and click on a link there?

Probably.

But it can certainly hijack any HTTP request you send and replace the contents.

>
> don't talk about things which are *obviously* out of your business
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> and no my television can do nothing because my television is blocked
> on any incoming port on my computer - guess by what: the firewall

Which doesn't matter *at all*, because it's attacking your *outgoing* traffic.

If you have a firewall between your television and the rest of your
network, you win.  But Fedora can't help you with that, no matter what
its default policy is.

--Andy
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




