On Monday, August 26, 2019 7:25:27 AM MST Iñaki Ucar wrote:
On Mon, 26 Aug 2019 at 15:25, Robert Marcano <robert(a)marcanoonline.com> wrote:
>
>
> On 8/26/19 9:07 AM, mcatanzaro(a)gnome.org wrote:
>
> >
> >
> > Well the thing is, blocking ports tends to break applications that want
> > to use those ports. We're not going to do that, period. It also doesn't
> > really accomplish anything: either your app or service needs network
> > access and you have whitelisted it (in which case the firewall provides
> > no security), or it needs network access and you have not whitelisted it
> > (in which case your firewall breaks your app/service). In no case does
> > it increase your security without breaking your app, right? Unless you
> > have malware installed (in which case, you have bigger problems than the
> > firewall). Or unless you have a vulnerable network service installed
> > that you don't want (in which case, uninstall it).
>
>
>
> This is a reasonable point of view, until you notice Linux desktop
> environments don't provide applications with a method to detect if they
> are running on a private network or not (See Windows Home, Office,
> Internet network settings).

That's a very good point. When Windows connects to a new network, it
asks whether it's a home connection (and then you want to share
resources in the network) or it's a public connection (and everything
should stay private). And I think that, if the user simply ignores the
notification, the default is to consider it a public network (not 100%
sure though). That's a good policy I think, and it would be great if
NetworkManager could do that.

I understand mcatanzaro's point of view, but it's quite narrow,
because laptops not only connect to home networks to share resources,
but also to many insecure public WiFis. I don't think we should rely
on chasing upstream developers to behave in a *possibly* insecure
environment. The system should abstract this for them and set proper
firewall rules.

Iñaki
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
Keep in mind that even Windows doesn't address the use case where you set it
to Home or Business, or whatever the private setting is, and then plug in a
connection to a public network. It thinks it's still the same.
--
John M. Harris, Jr. <johnmh(a)splentity.com>
Splentity
https://splentity.com/