Removing firewall-config from the default install of Fedora Workstation

Christian Schaller cschalle at redhat.com
Thu Aug 28 08:14:59 UTC 2014


I vote in favour of removing it from the default install, considering our default
configuration should now mean that most people will not need to configure their firewall anymore;
this has become a tool more suited for separate install by those who actually need it.

Christian

----- Original Message -----
From: "Josh Boyer" <jwboyer at fedoraproject.org>
To: "Discussions about development for the Fedora desktop" <desktop at lists.fedoraproject.org>
Cc: "Firewalld development list" <firewalld-devel at lists.fedorahosted.org>
Sent: Wednesday, August 27, 2014 9:58:33 PM
Subject: Re: Removing firewall-config from the default install of Fedora Workstation

On Mon, Aug 25, 2014 at 3:39 AM, Bastien Nocera <bnocera at redhat.com> wrote:
> Hey Thomas,
>
> ----- Original Message -----
>> Hello,
>>
>> On 08/21/2014 09:03 PM, Elad Alfassa wrote:
>> > Hello.
>> >
>> > I propose we remove firewall-config (the graphical firewall
>> > configuration utility) from the default install of Fedora Workstation.
>> > Rationale:
>> >
>> > * The default Workstation zone file allows incoming connection to
>> > non-root ports. This means most of the common use cases will "just work"
>> > out of the box. Thus, most users will not need to touch their Firewall
>> > settings.
>> >
>>
>> thank you for reaching out here on the firewall-devel mailing list. I
>> really appreciate that you keep us in the loop regarding this request
>> for Fedora Workstation.
>>
>> I am a bit surprised by this request, because from what I recall about
>> Fedora Workstation, the idea was to focus on server and client
>> application developers as a target audience, right?
>>
>> At least according to http://fedoraproject.org/wiki/Workstation:
>>
>> "The system will primarily be aimed at providing a platform for
>> development of server side and client applications that is attractive to
>> a range of developers - from hobbyists and students to developers
>> working in corporate environments."
>>
>> So that means that server application developers without the firewall
>> configuration tool would have to either use the command line or even
>> completely disable the firewall in order to develop networked services
>> that use privileged ports, right?
>>
>> And that would in my humble opinion be a really bad user experience for
>> server application developers trying to use Fedora Workstation.
>
> I think that using the command-line to poke open a hole in the firewall is
> going to be a better experience than running firewall-config.
>
> There's no explanation of the zone concept, and the interface is basically
> a graphical interface for firewalld, not a firewall configuration tool.
>
>> > * People who do need it will be able to install it from GNOME Software
>> > quite easily. Just search for "Firewall". There will be no confusion as
>> > this is the only firewall configuration tool shown in GNOME Software.
>> >
>>
>> Searching for a firewall configuration tool and the need to install it
>> over the network would not be a good user experience in my opinion.
>> Additionally it would not be possible for the user to configure the
>> firewall with a graphical configuration tool according to the security
>> requirements of the environment before going online.
>
> Citation needed. In any case, unless the person using Fedora Workstation is
> the person putting those restrictions in place, I don't think the user would
> have access to the firewall configuration (or that would defeat the point, no?)
>
>> > * In general, we should avoid having app launchers for things that are
>> > configuration utilities in the default install.
>> >
>> To have a system without being able to configure it before actively
>> searching for configuration tools is hopefully not the goal.
>
> They would have a system where a configuration tool is not necessary in most cases,
> as, as Elad mentioned, most frameworks will take care of using high ports when
> running as a normal user.
>
> In the future, I'd like to see things like Apache and MySQL running on high ports in
> the session, rather than having to configure the firewall.
>
>> > Unless there's major objection to this change in the following few days,
>> > I'll remove it from the gnome-desktop group in comps.
>> >
>>
>> I would personally strongly recommend keeping the firewall configuration
>> utility in Fedora Workstation to allow server application developers and
>> also others to have an easy way to configure their firewall settings
>> according to their needs.
>
> I don't think that developers need it, not any more than they'd need some of
> the other tools we ship as add-ons rather than in the Workstation image.
>
>> Would you mind if we continue this discussion on fedora-devel as I
>> strongly believe that the broader community should give more input to
>> this decision?
>
> The whole point of the separate versions of Fedora is for us to avoid deferring to
> Server, Cloud or fedora-devel when making decisions about Workstation.

OK, so with the information that Bastien and others have provided, we
need to make a decision quickly on this.

Workstation WG members, the proposal as it stands is to remove the
firewall-config tool from the default install.  Could you please
review and vote on this as soon as possible?

josh