Cryptically zoned out Firewall

Chuck Forsberg WA7KGX N2469R caf at omen.com
Thu Dec 6 16:56:24 UTC 2012


On 11/06/2012 07:55 AM, Thomas Woerner wrote:
> On 11/06/2012 04:26 PM, Thomas Woerner wrote:
>> On 11/06/2012 01:07 AM, Chuck Forsberg WA7KGX N2469R wrote:
>>> The new firewall replaces the old "trusted interface" with
>>> multiple "zones".  This would be fine if one could easily
>>> tell which zone each network interface was in and
>>> make changes.
>>>
>> firewalld is not selecting the zone for an interface related to a
>> connection. NetworkManager does this. The zone is set in the ifcfg
>> config file, if it is not the default zone.
>>
>>> The only way to change an interface's zone is with an arcane
>>> firewall-cmd incantation.
>>>
>> There is a patch for the gtk nm-connection-editor to add a very simple
>> selection menu for connections. The NM connection editor in KDE is
>> providing support for this already.
>>
> This has been integrated into network-manager-applet upstream and 
> should hit Fedora soon. Within nm-connection-editor the zone for 
> interfaces related to a connection can be changed.
>
>>> Given the new concepts of persistence and zones, the
>>> admin>firewall applet needs to present these concepts
>>> to the user in a clearly intuitive, easy to change way.
>>>
>> Ok, the firewall-applet should provide information on how to change
>> zones for connections, I agree.
>>
>>> The current view should be radio buttons.
>>> Each interface should have a selector for which zone
>>> it should be in.  Finally, do we need so many zones?
>>> A default of two zones should suffice and be more
>>> understandable.  At least don't show zones that aren't used.
>>>
>> There are the base zones: block, drop, public, work and trusted. The
>> other zones have been added on request. You can also add your own zones
>> according to your needs.
>>
>> Thomas
>
It is a month later and there is no apparent coordination on zones
between Network Manager and firewall zones.  Just now I tried to bring up
"firewall" to see if it had a useful help option and all I got was a
dbus error.

If one can add zones at will, let's ship Firewall with two or three
zones - say public, work, and trusted.  And each network config GUI
should have a GUI to assign a zone to each network interface.


-- 
Chuck Forsberg WA7KGX N2469R     caf at omen.com   www.omen.com
Developer of Industrial ZMODEM(Tm) for Embedded Applications
   Omen Technology Inc      "The High Reliability Software"
10255 NW Old Cornelius Pass Portland OR 97231   503-614-0430
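Thomas's point above, that the zone of an interface comes from the ZONE= line of its ifcfg file and otherwise from firewalld's default zone, worked through as an added shell example that is not part of this thread. The ifcfg and firewalld.conf contents are constructed under a temporary directory; the firewall-cmd calls in the comments are what a live system would use instead.

```shell
#!/bin/sh
# Resolve which firewalld zone an interface belongs to by reading the
# ifcfg-<iface> file's ZONE= setting, falling back to DefaultZone= in
# firewalld.conf when the interface has no explicit zone.
# All paths and file contents below are constructed for this example.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/network-scripts" "$WORKDIR/firewalld"

# Constructed firewalld.conf: the zone used when ZONE= is unset.
cat > "$WORKDIR/firewalld/firewalld.conf" <<'EOF'
DefaultZone=public
EOF

# Constructed ifcfg files: eth0 pins a zone, eth1 does not.
cat > "$WORKDIR/network-scripts/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=dhcp
ZONE="work"
EOF
cat > "$WORKDIR/network-scripts/ifcfg-eth1" <<'EOF'
DEVICE=eth1
BOOTPROTO=dhcp
EOF

# default_zone FILE: print the DefaultZone= value of a firewalld.conf.
default_zone() {
    sed -n 's/^DefaultZone=//p' "$1" | tail -n 1 | tr -d '"'
}

# zone_of_interface IFACE: ZONE= from ifcfg-IFACE, else the default zone.
# (An interface with no ifcfg file at all also lands in the default zone.)
zone_of_interface() {
    f="$WORKDIR/network-scripts/ifcfg-$1"
    z=""
    [ -r "$f" ] && z=$(sed -n 's/^ZONE=//p' "$f" | tail -n 1 | tr -d '"')
    [ -n "$z" ] || z=$(default_zone "$WORKDIR/firewalld/firewalld.conf")
    printf '%s\n' "$z"
}

# On a real host the equivalent queries are:
#   firewall-cmd --get-default-zone
#   firewall-cmd --get-zone-of-interface=eth0
# and a persistent change is a ZONE= edit (or nm-connection-editor),
# not only `firewall-cmd --zone=work --change-interface=eth0`.
for i in eth0 eth1 eth2; do
    printf '%s -> %s\n' "$i" "$(zone_of_interface "$i")"
done
```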
