Removing firewall-config from the default install of Fedora Workstation

Michael Catanzaro mcatanzaro at gnome.org
Fri Aug 22 14:12:43 UTC 2014


Hi Thomas,

On Fri, 2014-08-22 at 13:50 +0200, Thomas Woerner wrote:
> So that means that server application developers without the firewall
> configuration tool would have to either use the command line or even
> completely disable the firewall in order to develop networked services
> that use privileged ports, right?

I think developing a server application that uses a port less than 1024
is a pretty nonstandard use case. Our target audience is general
developers, not Linux system developers.

> Searching for a firewall configuration tool and the need to install it
> over the network would not be a good user experience in my opinion.
> Additionally it would not be possible for the user to configure the
> firewall with a graphical configuration tool according to the security
> requirements of the environment before going on line.

That's a good point. It won't be important for the vast majority of our
users, but for some this would be annoying at least, and possibly
seriously problematic.

> I would personally strongly recommend to keep the firewall configuration
> utility in Fedora Workstation to allow server application developers and
> also others to have an easy way to configure their firewall settings
> according to their needs.

I don't think firewall-config is even remotely close to an easy way to
configure firewall settings. It's obviously a tool intended for advanced
users only, which is why we suggest removing it -- we're trying really
hard to get rid of anything that requires technical expertise to use.
But it's possible that we may want to make an exception for
firewall-config.

I'm not sure how to make firewall configuration easy, and I suspect it
may not be possible, but you'd have to start with removing all mention
of ports ("my computer only has six ports!") and services ("why is http
not checked, that must be why my Internet is broken") ("AMANDA! What is
this amanda-client you're running on my network!"). I guess an easy
firewall configuration tool would be a list of applications with an on
or off switch to configure whether that application should be allowed to
access the network. That's the sort of firewall configuration I would be
more enthusiastic to install by default, but that would not be useful at
all for developers.

> Would you mind if we continue this discussion on fedora-devel as I 
> strongly believe that the broader community should give more input to 
> this decision.

I'd also prefer to keep the discussion on fedora-desktop@ and
firewalld-devel@ since fedora-desktop@ is the list we use to decide
Workstation-specific policy, such as what applications to install by
default, which will have no impact on the other Fedora products. But
let's also be frank: it would be a lot harder to remove things if we
discussed them on devel@. :)

Anyway, my opinion is that I'd rather firewall-config go because it's
very complicated, but it's not a big deal if it stays, since I think
we've done an otherwise good job of removing complex applications.

Michael