Removing firewall-config from the default install of Fedora Workstation

Bastien Nocera bnocera at redhat.com
Mon Aug 25 07:39:26 UTC 2014


Hey Thomas,

----- Original Message -----
> Hello,
> 
> On 08/21/2014 09:03 PM, Elad Alfassa wrote:
> > Hello.
> >
> > I propose we remove firewall-config (the graphical firewall
> > configuration utility) from the default install of Fedora Workstation.
> > Rationale:
> >
> > * The default Workstation zone file allows incoming connections to
> > non-root ports. This means most of the common use cases will "just work"
> > out of the box. Thus, most users will not need to touch their Firewall
> > settings.
> >
> 
> thank you for reaching out here on the firewall-devel mailing list. I
> really appreciate that you keep us in the loop regarding this request
> for Fedora Workstation.
> 
> I am a bit surprised by this request, because from what I recall about
> Fedora Workstation, the idea was to focus on server and client
> application developers as a target audience, right?
> 
> At least according to http://fedoraproject.org/wiki/Workstation:
> 
> "The system will primarily be aimed at providing a platform for
> development of server side and client applications that is attractive to
> a range of developers - from hobbyists and students to developers
> working in corporate environments."
> 
> So that means that server application developers without the firewall
> configuration tool would have to either use the command line or even
> completely disable the firewall in order to develop networked services
> that use privileged ports, right?
> 
> And that would in my humble opinion be a really bad user experience for
> server application developers trying to use Fedora Workstation.

I think that using the command line to poke open a hole in the firewall is
going to be a better experience than running firewall-config.

There's no explanation of the zone concept, and the interface is basically
a graphical interface for firewalld, not a firewall configuration tool.

> > * People who do need it will be able to install it from GNOME Software
> > quite easily. Just search for "Firewall". There will be no confusion as
> > this is the only firewall configuration tool shown in GNOME Software.
> >
> 
> Searching for a firewall configuration tool and the need to install it
> over the network would not be a good user experience in my opinion.
> Additionally it would not be possible for the user to configure the
> firewall with a graphical configuration tool according to the security
> requirements of the environment before going online.

Citation needed. In any case, unless the person using Fedora Workstation is
the person putting those restrictions in place, I don't think the user would
have access to the firewall configuration (or that would defeat the point, no?)

> > * In general, we should avoid having app launchers for things that are
> > configuration utilities in the default install.
> >
> To have a system without being able to configure it before actively
> searching for configuration tools is hopefully not the goal.

They would have a system where a configuration tool is not necessary in most cases,
as, as Elad mentioned, most frameworks will take care of using high ports when
running as a normal user.

In the future, I'd like to see things like Apache and MySQL running on high ports in
the session, rather than having to configure the firewall.

> > Unless there's major objection to this change in the following few days,
> > I'll remove it from the gnome-desktop group in comps.
> >
> 
> I would personally strongly recommend keeping the firewall configuration
> utility in Fedora Workstation to allow server application developers and
> also others to have an easy way to configure their firewall settings
> according to their needs.

I don't think that developers need it, not any more than they'd need some of
the other tools we ship as add-ons rather than in the Workstation image.

> Would you mind if we continue this discussion on fedora-devel as I
> strongly believe that the broader community should give more input to
> this decision.

The whole point of the separate versions of Fedora is for us to avoid deferring to
Server, Cloud or fedora-devel when making decisions about Workstation.

Cheers

