Removing firewall-config from the default install of Fedora Workstation

Christoph Wickert christoph.wickert at gmail.com
Fri Aug 29 15:18:45 UTC 2014


On Thursday, 21.08.2014, at 15:56 -0400, Owen Taylor wrote:
> 
> Having something in the default install to me means two things: first,
> we think that the activity it enables is something that a large
> percentage of users will want to do. 

Are you sure about that? We include a settings panel to change the
language, even though hardly anybody will do it. Most people will just
set the language during install and stick to it for the rest of the
time.

> Second we want to actively
> encourage the user to stumble on the application, start it up, find what
> it does.

I think this is true for firewall-config. firewalld and its tools are
pretty new and Fedora is probably the only installation to ship it, or
at least to have it in its default install. If something is unique to
Fedora and was engineered by Fedora people, we certainly want users to
stumble upon it.

> If you start firewall-config I don't think it meets the second objective
> - you get prompted for authentication before it even loads, and you are
> immediately confronted with a pretty complex UI that depends on
> understanding concepts (zones, runtime vs. static config, trusted vs.
> untrusted services, etc.) that most technical users probably won't
> understand without some study.

I guess I'm too technical then. ;)

> But if we need firewall-config for the first objective - if a large
> fraction of users will need to use it, then the right response to the
> complexity is to try and make it friendly for non-firewall-experts,
> rather than removing it from the default install.

I partly agree. While I agree it's better to improve than to remove
something, I believe that some things cannot and should be simplified.
Security is a complex issue and if we just simplify it, people will stop
thinking about it and be 

I recently had a very similar discussion on a cryptoparty. A teacher
argued that people will never use encryption because GPG is too complex.
The guy from our LUG responded that the t

>  The *idea* here is
> that that's not the case as of Fedora Workstation 21 - the average
> developer won't need to configure their firewall - e.g., when developing
> a web app, a developer will almost always be running on a high port.

I am working on various web apps and use KVM all the time. Setting up
port redirects to well-known ports is a standard use case. With
firewall-config it's dead-simple, but with firewall-cmd it requires some
reading.

> Not-in-the-default install is not a penalty box - it's rather a
> consideration of how we want users to find and interact with some piece
> of software.

I can subscribe to that. But for me, the piece of software is iptables
and firewalld, so the question becomes: Do we want workstation users to
interact with it through firewall-cmd or firewall-config. I think we
want the latter, that's why I object to the removal of firewall-config.

Best regards,
Christoph




