[Bug 1213627] New: Firewalld and container compatibility leading to not include a firewall by default in Aeon?
https://bugzilla.suse.com/show_bug.cgi?id=1213627

Bug ID: 1213627
Summary: Firewalld and container compatibility leading to not include a firewall by default in Aeon?
Classification: openSUSE
Product: openSUSE Aeon
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Base
Assignee: rbrown@suse.com
Reporter: kjong+lists@neobits.nl
QA Contact: qa-bugs@suse.de
Target Milestone: ---
Found By: ---
Blocker: ---

Hi,

I'm intrigued by the Aeon project, but the choice of not installing a firewall by default worries me.

I know I can enable the firewall pattern in the installer, or install it later on with `transactional-update package install firewalld`. And that works fine. But not having it there in a default installation opens up certain attack vectors in my opinion.

I've read some reasoning about this on online platforms, such as that a firewall is not needed or would mess up container setups.

I'm not so sure if I agree to the point of not including a firewall by default. If it's in the way for a user that wants to do something "special", then that user can disable/modify the firewall. But by default it would make sense to have the protection of a firewall.

I didn't open this issue to debate it, but to understand the reasoning better. Maybe I'm wrong, that's also possible. Then this would be a nice reference point for future questions.

On the firewalld page it mentions compatibility with Podman and Docker (iptables only):
Applications and libraries which support firewalld as a firewall management tool include:
- NetworkManager
- libvirt
- podman
- docker (iptables backend only)
- fail2ban
I have also hosted a Discourse forum on Debian for a couple of years, which runs in a Docker container, with firewalld enabled. I have not encountered issues so far.

It of course depends on the use case whether issues may arise with firewalld. But this is an example of when the firewall would not be an issue and it is good to have it around as a layer of protection. One of many layers, as security should be applied. If one layer fails, there is another one to protect the data.

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1213627
https://bugzilla.suse.com/show_bug.cgi?id=1213627#c1

Richard Brown <rbrown@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Richard Brown <rbrown@suse.com> ---

This is not a bug report.

Please do not misuse our platforms to waste more of our developers' time than you already have via other communication platforms. It does not endear you to receiving the more verbose answers you clearly (and unreasonably) demand.

Aeon exists to be a simple, user friendly desktop operating system.

The presence of a firewall would lead to users' workloads not working out of the box, e.g. Minecraft flatpak being unable to host games without needing to unblock the port.

There is no current userspace friendly tooling to do this automatically/easily (e.g. like Windows firewall popups).

Also, there have been many reports of firewalld conflicting with podman, where changes to firewall rules break existing podman ports being opened and vice versa.

So, to avoid problems and keep to the original goals of the Project, there is no firewall present.

All applications should be sandboxed on Aeon, and running as the user (so not using common ports) so the risks should be minimal.