On Tue, 2010-05-04 at 23:23 +0200, Lennart Poettering wrote:
> On Tue, 04.05.10 17:04, William Jon McCann
> > So I know we've had long threads about this on fedora-devel but it
> > isn't clear to me anything came out of them. Maybe we can be more
> > Does our current firewall policy for the desktop install make sense?
> > Does a firewall add any value at all?
> > Should we have a bidirectional firewall?
> > Other thoughts? I'd be interested to know if we at least have rough
> > agreement between people who have written or maintain network
> > listening services like David, Lennart, Colin, and Owen.
>
> There was a private discussion about that by email by a few folks,
> initiated by Bastien IIRC, a few weeks ago. It died after a while.
>
> However, I think some of the folks involved agree with me that for the
> long run we should have a firewall that focuses on "profiles" instead of
> activating separate services individually, which has been suggested
> quite often and is particularly pushed by some baseos people.
>
> In more detail:
>
> I want a minimal system where I can activate one of the predefined
> firewall profiles "Internet Cafe", "Corporate Network" and
> Network" (or similarly named), plus any others defined by the admin, and
> which can be attached to the various interfaces and are activated for
> them when they go up, and only for them for each iface.
>
> Bastien suggested the various apps should be able to show hints like
> "You need to enable service 'mDNS/DNS-SD' to use this service, please
> click here to enable it" in the UI for the various programs, when they
> are blocked by the fw. I am more arguing for a UI that would show "Your
> current firewall 'Internet Cafe' does not allow service 'mDNS/DNS-SD' to
> work. Please change to profile 'Corporate Network' or 'Trusted Network'
> if you want to use this service and you are in a suitable network."

Huh. That's not quite what I said. I said that:
- you need to give feedback to the user
- network profiles were probably part of the solution, but cannot be the
If I have to get somebody to launch system-config-firewall to make video
sharing work, then I've already lost.

> I think Windows has a similar profiles system now, too.

And the Windows firewall user experience is laughable.
We need to do better than that...