On Fri, Apr 7, 2017 at 3:03 PM, Matthew Miller <mattdm(a)fedoraproject.org> wrote:
> On Fri, Apr 07, 2017 at 10:09:30PM +0200, Lars Seipel wrote:
> > Please no. I find this utterly confusing. What is the difference between
> > a "trusted home" and a "trusted work" network? Why does it even matter
> > if "all the computers on this network" are at my home or my workplace?
> Huh. I find the resistance to this to be the confusing thing. Do you
> really not know, or are you imagining that a user might not know?
At this point, I think all networks are untrusted. My own network is
only very marginally more trusted. The distinction between work and
home networks - meaningless. I do a lot of consulting and some of
those networks are heavily filtered with firewalls, and other work
environments are probably more infected inside the organization than
the internet itself. So "work" to me is like a sewage system, I just
have no idea how much it's being used or flushed.
I very, very much want to have a restrictive package filter running at all
times when I'm on a foreign network, and allow a more open firewall on
my own. I know how to configure that, but that's because *I* took a
deep dive into the documentation. If I had the option of making this
choice when connecting to the network for the first time, I'd
absolutely understand it and know exactly what I wanted.
It's a bit off topic, but...
Originally with the firewalld feature change, we were supposed to get
a GUI configuration tool, in fact the GUI tool was considered the
primary configuration tool, not CLI. But Workstation WG canned that
idea because they hated the UI, and said something else was needed
instead, but nothing has appeared. So I think that needs to be
re-evaluated as a default.
macOS has a firewall, it's off by default. But they also sandbox
pretty much everything these days. When enabling the firewall, it gets
pretty restrictive, and is made less restrictive by adding
applications to it. And it dynamically figures out what resources that
app wants and basically permits it. It's a brain dead simple UI.
--
Chris Murphy