[athrun]

the firewall question is interesting. I guess I understand their perspective: If nothing is listening/running then what’s the point of the firewall? The system is immutable so the security posture is a known quantity and cannot change at runtime. You could argue that running an additional firewall service would actually be increasing the attack surface, in the sense that more code is worse than the absence of code.

Not sure I agree with their stance, but good on them for having the courage to revisit some our default assumptions. Some decisions will work out and others they’ll have to finetune.

[throwaway89988]

The base system does not need a Firewall, according to them, and they might be correct about that or not.

IMHO the point of having a firewall which simply denies all incoming connections is, that once a user starts installing a few programs, sooner or later some of them might open ports, even w/o malicious intent.

If they want to provide an easy to use and secure system, IMHO there should be a firewall and each port has to be opened explicitly.

In the end, this is really down to opinion and there is no objective true answer, so I'd rather use Fedora-Atomic if I need immutability.

[raesene9]

I can see where the no firewall argument is coming from and definitely on my own Linux laptop, I try and keep the number of ports listening down as much as possible, but it is tricky and it requires a lot of vigilance as sometimes applications you wouldn't expect to, will start services. Things like Spotify and Steam can open ports.

So having a firewall running can provide a bit of extra protection in case you don't always check to see what ports you have open/listening.

[theodric]

What's the benefit to a traditional consumer application of opening ports these days, besides maybe for local network data exchange (which, I assume, is what Steam does since I know it will sync game updates between machines on the same subnet). I would hazard that the global number of laptops and desktops with public IPv4 addresses in 2024 is probably in the triple digits, given that basically every provider I'm aware of hands off with a "Wi-Fi modem" that converts whatever weird delivery medium (fiber, DSL, cable, etc.), gets its own maybe-public IP, and does NAT for clients. Hell, I don't even have my own IPv4 address since Starlink does CGNAT.