Firewall

Bastien Nocera bnocera at redhat.com
Tue May 4 22:54:06 UTC 2010


On Tue, 2010-05-04 at 23:23 +0200, Lennart Poettering wrote:
> On Tue, 04.05.10 17:04, William Jon McCann (william.jon.mccann at gmail.com) wrote:
> 
> > Hey,
> > 
> > So I know we've had long threads about this on fedora-devel but it
> > isn't clear to me anything came out of them.  Maybe we can be more
> > specific.
> > 
> > Does our current firewall policy for the desktop install make sense?
> > 
> > Does a firewall add any value at all?
> > 
> > Should we have a bidirectional firewall?
> > 
> > Other thoughts?  I'd be interested to know if we at least have rough
> > agreement between people who have written or maintain network
> > listening services like David, Lennart, Colin, and Owen.
> 
> There was a private discussion about that by email by a few folks,
> initiated by Bastien IIRC, a few weeks ago. It died after a while.
> 
> However, I think some of the folks involved agree with me that for the
> long run we should have a firewall that focuses on "profiles" instead of
> activating separate services individually, which has been suggested
> quite often and is particularly pushed by some baseos people.
> 
> In more detail:
> 
> I want a minimal system where I can activate one of the predefined
> firewall profiles "Internet Cafe", "Corporate Network" and "Trusted/Home
> Network" (or similarly named), plus any others defined by the admin, and
> which can be attached to the various interfaces and are activated for
> them when they go up, and only for them for each iface.
> 
> Bastien suggested the various apps should be able to show hints like
> "You need to enable service 'mDNS/DNS-SD' to use this service, please
> click here to enable it" in the UI for the various programs, when they
> are blocked by the fw. I am more arguing for a UI that would show "Your
> current firewall 'Internet Cafe' does not allow service 'mDNS/DNS-SD' to
> work. Please change to profile 'Corporate Network' or 'Trusted Network'
> if you want to use this service and you are in a suitable network."

Huh. That's not quite what I said. I said that:
- you need to give feedback to the user
- network profiles were probably part of the solution, but cannot be the
only solution.

If I have to get somebody to launch system-config-firewall to make video
sharing work, then I've already lost.

<snip>
> I think Windows has a similar profiles system now, too.

And the Windows firewall user experience is laughable.

We need to do better than that...
