Hi everyone, So in response to the ongoing discussion about Firewall functionality and the desktop we had a call at the end of last week with some representatives from both the desktop and firewall development teams, trying to figure out a good compromise and a way forward. I hope people can take the time to look over the ideas we discussed and let us know if you think it is a workable solution.
On the call was: Thomas Woerner Matthias Clasen Bastien Nocera Daniel Kopecek Jiri Popelka Peter Vrabec
We had a wide ranging discussion going from what is doable in the Fedora 21 timeframe to what we want from a firewall solution in the long run, what the setup is like on other operating systems, the tradeoffs between security and usability, API and adoption, ease of sharing versus unintended sharing and different corner cases where the different models might break down a bit.
We all agreed on the following core principles * We want users to be as secure as possible * We want users to have their privacy protected as well as possible * We want users to have a good experience using our products * We want users to be able to use services such as DLNA, Chromecast, Avahi and more without having to search on Google, and more often than not be told that the fix is to disable the firewall. * We all agree that there is no perfect solutions on offer here. Just a range of different tradeoffs. A system with a running firewall isn't secure nor is a system without a firewall insecure. Instead they exist on a continium of 'more secure' and 'less secure'.
The challenges seen: * With the current default a lot of services don't work out of the box because the firewall silently blocks them * There doesn't seem to be any non-expensive way for the system to detect that a service is running and being blocked by the firwall. * There is very limited use of the firewalld API for doing things like port unlocking and similar due to it being a predominately Fedora and RHEL only solution currently * Some application developers who do look into using the current API find the API hard to use * The current NetworkManager UI to change zones is both maybe a bit hidden away and also the Zones options listed there are not intuitive or documented in the UI.
Plans for Fedora 21 * The Desktop team will look into creating a UI that asks you when you connect to a new wireless network if you consider it trusted or not. Exact wording of the question and look of dialog etc. will need to be worked out. This setting will be remembered for that network. If user say trusted the zone used will be 'trusted', if not trusted then current default will be used. Should be simple enough to not confuse users, yet improve their security on public networks. * Other connection types will keep the current default which sucks a bit for your home ethernet, but we don't currently have a good way to identify your ethernet connection and popping up a dialog every time you connect is probably a worse user experience than having to google a bit.
Matthias started a prototype of this already here: https://bugzilla.gnome.org/show_bug.cgi?id=727580
Long term plans * Work with NetworkManager team to see if we can come up with a way to identify ethernet connections in a similar manner * Look into proposing a new DBUS API for firewalld * We will keep talking to see if there are more granular approaches that can be developed as we go forward. For many cases the trusted/untrusted question is a bit to simple. For instance you probably trust your work network, but that doesn't mean you want to share your beach vacation photos on the office network. * Look into using the zones descriptions somehow in the NetworkManager Zone setting UI to make it a bit more understanable than just a list of names. FirewallD team will work on making the descriptions internationalizable.
Matthias filed two bugs related to this:
https://bugzilla.redhat.com/show_bug.cgi?id=1091067 split off zone configuration in subpackages https://bugzilla.redhat.com/show_bug.cgi?id=1091068 overprotected api