technical spec for the workstation up for review

Adam Williamson awilliam at redhat.com
Wed Feb 19 23:25:35 UTC 2014


On Wed, 2014-02-19 at 11:42 -0500, Christian Schaller wrote:
> Hi,
> I ended up calling the firewalld maintainer to understand the state of things
> and there is this concept in firewalld called zones that we should be able to
> use to create a better user experience, yet at the same time keep the firewall
> working when people connect with their laptop at an internet cafe for instance.

Just for anyone unfamiliar with it, this works quite a lot like the
similar Windows feature. You can set a given NetworkManager connection
as being in one of various zones - default set includes the 'special'
zones block, drop, dmz and trusted (which do probably approximately what
you'd expect from the names) and then external, internal, home, public
and work. The system's very flexible and generic, you can define new
zones and define the set of services that's blocked and not blocked in
each zone.

In Fedora at present, 'public' is the default zone for all connections
and there's no 'pop up' or anything when you establish a new connection
asking you to select a zone, but you can set the zone for a connection
from GNOME's network configuration tool or nm-connection-editor.
firewalld's config tool lets you set a zone for an *interface*, but this
is overridden if a connection on the interface has a zone specified,
IIRC, so for a typical Fedora config it's a dead letter.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
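
An added example, not part of the original message: a small Python audit of NetworkManager keyfile profiles that reports the zone each connection ends up in, with connections that set no zone falling back to the default 'public' as described above. The profile contents, the zone name 'cafe' and the REVIEW_ZONES list are constructed assumptions for illustration.

```python
import configparser

# Constructed NetworkManager keyfile profiles (sample data, not from the message).
PROFILES = {
    "home-wifi": "[connection]\nid=home-wifi\ntype=wifi\nzone=home\n",
    "cafe-wifi": "[connection]\nid=cafe-wifi\ntype=wifi\n",
    "lab-wired": "[connection]\nid=lab-wired\ntype=ethernet\nzone=trusted\n",
    "old-vpn": "[connection]\nid=old-vpn\ntype=vpn\nzone=cafe\n",
}

# Default zone set named in the message, and the default zone it mentions.
KNOWN_ZONES = {"block", "drop", "dmz", "trusted", "external",
               "internal", "home", "public", "work"}
DEFAULT_ZONE = "public"
# Assumption for this audit: zones that should be reviewed before use.
REVIEW_ZONES = {"trusted"}


def audit_profile(text, default_zone=DEFAULT_ZONE, known=KNOWN_ZONES):
    """Return (id, effective_zone, findings) for one keyfile profile."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    conn = cp["connection"]
    zone = conn.get("zone", "").strip()
    findings = []
    if not zone:
        # An unset connection zone means the firewall's default zone applies.
        zone = default_zone
        findings.append("no explicit zone, falls back to default")
    elif zone.lower() not in known:
        findings.append("zone not in the default set, check it is defined")
    if zone.lower() in REVIEW_ZONES:
        findings.append("permissive zone, confirm this network is trusted")
    return conn["id"], zone, findings


def audit_all(profiles):
    """Audit every profile, ordered by profile name."""
    return [audit_profile(text) for _, text in sorted(profiles.items())]


if __name__ == "__main__":
    for conn_id, zone, findings in audit_all(PROFILES):
        print(f"{conn_id:10} zone={zone:8} {'; '.join(findings) or 'ok'}")
```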


