On Wed, Aug 28, 2019 at 11:23 PM John Harris <johnmh(a)splentity.com> wrote:
> On Wednesday, August 28, 2019 8:13:59 PM MST Christopher wrote:
> > The default firewall config affects every user of that edition, even
> > if they never use GNOME (or even use graphical boot). So, I don't know
> > if this would be adequate.
>
> This only affects GNOME users. Workstation = GNOME Spin.

No, the default firewalld zone affects all Fedora Workstation users,
because firewalld runs outside of GNOME. Just because a user uses the
Workstation Edition doesn't mean they're running GNOME... you can
still run Cinnamon, XFCE, MATE, KDE, (or no graphical environment at
all) using the Workstation Edition. It's just that GNOME is the
default. So, this isn't a GNOME-specific issue. This is a Workstation
Edition issue with /etc/firewalld/firewalld.conf's DefaultZone option.

> Unless I'm mistaken, and that installer is a generic Anaconda installer, where
> users can select the end product they want installed, in which case I'd have
> to ask why in the world that config would get pulled into the resulting
> system..

The configuration is being set in the resulting system by the
firewalld.spec itself when the firewalld RPM is installed:
See
https://src.fedoraproject.org/rpms/firewalld/blob/9ef9382b5/f/firewalld.s...
and
https://src.fedoraproject.org/rpms/firewalld/blob/9ef9382b5/f/firewalld.s...
and
https://src.fedoraproject.org/rpms/firewalld/blob/9ef9382b5/f/FedoraWorks...
For comparison, the FedoraServer.xml is much more secure:
https://src.fedoraproject.org/rpms/firewalld/blob/9ef9382b5/f/FedoraServe...
Funny, the FedoraServer.xml file still has a description "For use in
public areas" while FedoraWorkstation.xml does not... as if servers
are more likely than workstations to travel to "public areas" often.
:) I know it's because the server zone was derived from the public
zone, which has that description, but it is still amusing.
FWIW, I actually prefer the public zone on my Workstation installs...
and... it's actually the default upstream. Honestly, I'd prefer we
just stick to that across all Editions/Spins.
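
An added example, not part of the original message: a small audit that reads the DefaultZone option from firewalld.conf text and summarizes what the selected zone definition leaves open. The sample config and both zone bodies are constructed for illustration and are not copied from the linked files; `audit` and `max_ports` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed samples; real input would be /etc/firewalld/firewalld.conf
# and the zone XML files shipped with or configured for firewalld.
SAMPLE_CONF = "# firewalld config file\nDefaultZone=FedoraWorkstation\nCleanupOnExit=yes\n"
SAMPLE_ZONES = {
    "FedoraWorkstation": """<zone>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>""",
    "public": """<zone>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>""",
}

def default_zone(conf_text):
    """Return the DefaultZone value, ignoring comments; None if unset."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "DefaultZone":
            return value.strip()
    return None

def zone_exposure(zone_xml):
    """Return (sorted service names, {protocol: number of open ports})."""
    root = ET.fromstring(zone_xml)
    services = sorted(s.get("name") for s in root.findall("service"))
    counts = {}
    for p in root.findall("port"):
        lo, _, hi = p.get("port").partition("-")  # "80" or "1025-65535"
        size = int(hi or lo) - int(lo) + 1        # overlaps are not merged
        counts[p.get("protocol")] = counts.get(p.get("protocol"), 0) + size
    return services, counts

def audit(conf_text, zones, max_ports=100):
    """Flag protocols where the default zone opens more than max_ports ports."""
    zone = default_zone(conf_text)
    if zone is None or zone not in zones:
        raise ValueError(f"no zone definition for DefaultZone={zone!r}")
    services, counts = zone_exposure(zones[zone])
    wide = sorted(proto for proto, n in counts.items() if n > max_ports)
    return {"zone": zone, "services": services, "ports": counts, "wide": wide}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_ZONES))
```
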