That's all it takes: a small green/red switch, saying
trusted/untrusted, and mapped to the proper firewalld zones. You don't
need firewall-config, you don't even need to know there's such a thing
as a "firewall" behind the scenes. You only know that home is trusted,
other places are untrusted.
Iñaki
I'm just a concerned user, but have a couple of points (which are possibly slightly
contradictory).
- I run a laptop (FC31 base install with Sway WM) which travels with me for work. I
haven't installed any application which opens a port bound to any other interface than
localhost, so I trust there isn't an open port on this machine, therefore rendering a
firewall moot. I use WireGuard on any foreign network I connect to.
- However, if I did install an application which had server functionality or required an
open port, as an advanced user (by definition I think if/when installing an app like
that) I would assume the knowledge that I'd need to open a firewall was implicit.
- At home, my desktop runs FC30 and my server runs Debian 9 (for historical reasons). If I
run services from those machines, a port needs to be opened, and I would not dream of
running an always-connected machine on a static IP with open ports without a firewall.
The point I'm making is that a road-warrior's laptop has different requirements
than a server or desktop/workstation, and that while there are differing security
requirements inherent in different use-cases, security by default would be my personal
preference (i.e. no open ports, or no apps opening ports in a default install).
If an app is installed that requires an open port, this would be better done during the
install (preferably with feedback) or the firewall should be smart enough to identify a
blocked access and alert the user. The difficulty is how to do this across disparate
WMs/DEs or from the command line, but I think this is the best approach to take.
Regards,
Ryan
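
One way to check the premise in the first point of the message above (no listening port bound to anything other than localhost), as an added example that is not part of the original thread. It parses the Linux `/proc/net/tcp` table layout; the sample table is constructed, only TCP is covered, and the address decoding assumes a little-endian host.

```python
import ipaddress
import os
import struct

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp and /proc/net/tcp6

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20002 1
   2: 0500A8C0:A1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20003 1
"""

def decode_addr(hex_addr):
    """Decode a kernel hex address; each 32-bit word is in host order
    (assumed little-endian here, as on x86 and most ARM systems)."""
    raw = bytes.fromhex(hex_addr)
    words = struct.unpack("<%dI" % (len(raw) // 4), raw)
    addr = ipaddress.ip_address(struct.pack(">%dI" % len(words), *words))
    # Treat ::ffff:127.0.0.1 like its IPv4 form so loopback is recognised.
    return getattr(addr, "ipv4_mapped", None) or addr

def exposed_listeners(table_text):
    """Return (address, port) for LISTEN sockets not bound to loopback."""
    found = []
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # established, time-wait, etc. are not listeners
        hex_addr, hex_port = fields[1].split(":")
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:
            found.append((str(addr), int(hex_port, 16)))
    return found

if __name__ == "__main__":
    # On a Linux host, report every TCP listener reachable from the network.
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                for addr, port in exposed_listeners(fh.read()):
                    print(f"{path}: listening on {addr} port {port}")
```

An empty result for both files means no TCP service is reachable from other hosts; a wildcard bind (`0.0.0.0` or `::`) is reported because it accepts connections on every interface.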