All non well-known ports open in firewalld open by default

Hello.

This is what I discovered after enabling a few services in Fedora Workstation:

All non well-known ports are open by default. Isn’t it a security risk?

Regards.

3 Likes

Yes, this is the default configuration of Fedora Workstation.

If this is a security risk? :thinking: Security vs simplicity? :thinking:

Something to read about this decision:

6 Likes

I agree, I find those default settings rather confusing. Fedora is pretty stable, pretty popular (you can order a Thinkpad preinstalled with Fedora) and really suitable for the non-developer end-users (like myself) who just wants to get stuff done without thinking about firewall settings.

Why not secure by default?

Anyone who needs those ports open (developers, test-servers, …) has the knowledge to easily punch a hole in the FW. I am honest, I don’t get it.

Whatever, close those ports or run firewall with a product other than FedoraWorkstation

2 Likes

BTW if you haven’t any service listening on these ports, why using a firewall? On the other hand, if you are a rookie or an average user and you have a firewall that blocks all the ports, and you start a service that needs to listen on a port > 1024 (like VNC, like synchting, like a peer to peer service, etc.), the firewall will block it, and you don’t have the knowledge to open the firewall, and simply the service will not work and you will complain that Fedora sucks.
However, the first security by default measure is knowing what you are doing.

1 Like

This isn’t true, the old firewall configuration used to break several GNOME features. Please read the some of the discussions alciregi linked to.

Fedora should not become an operating system that’s only useful for software developers and system administrators who know how to operate a firewall. If you’re interested in a more restrictive firewall configuration, I’d invite you to try brainstorming or designing a firewall system that works more like Windows Firewall, where the user is prompted to allow particular applications to access the network. Anything that exposes protocols or ports is too complex to expose to users. It would need to be a complete and total rethink of how a Linux firewall is designed. So far, nobody has actually been interested in developing a firewall that would meet these requirements, so we stick with firewalld in a fairly permissive configuration.

P.S. Our firewall policy is still the most restrictive of major distros that I’m aware of. There is no firewall running at all in Ubuntu or Debian, you have to enable it manually. In contrast, Fedora’s firewall does block most well-known ports by default.

5 Likes