technical spec for the workstation up for review

Christian Schaller cschalle at redhat.com
Thu Feb 20 09:28:10 UTC 2014





----- Original Message -----
> From: "Bastien Nocera" <bnocera at redhat.com>
> To: "Discussions about development for the Fedora desktop" <desktop at lists.fedoraproject.org>
> Sent: Wednesday, February 19, 2014 6:40:37 PM
> Subject: Re: technical spec for the workstation up for review
> 
> 
> 
> ----- Original Message -----
> > Hi,
> > I ended up calling the firewalld maintainer to understand the state of things
> > and there is this concept in firewalld called zones that we should be able to
> > use to create a better user experience, yet at the same time keep the firewall
> > working when people connect with their laptop at an internet cafe for instance.
> 
> Right. But firewalld can't be a Fedora-only solution, otherwise no application
> developer will want to integrate with it.

We don't need the application developer to integrate with it. All we do is that
in the GNOME Shell/NetworkManager we ask a question the first time you connect to
a new network, something like 'Is this a trusted network?'. If the answer is yes
we put firewalld in trusted network mode for that network, and every time the user connects
to that network afterwards we default to that trusted setting without asking again.
In this mode the firewall will let basically anything through.

For untrusted networks like conference wifi or internet cafes people choose 'not trusted'
and we use the current firewalld default.

These settings can then be toggled in the connection manager if you at any point want
a specific network to become trusted/untrusted.

This model is very simple (just 2 modes) and it gives our users some extra security when
connecting their laptops in public places, including protecting them from themselves in
terms of accidentally sharing their private photos and videos on a public network.
It should also be quite unobtrusive.


Christian
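
The two-mode model proposed in the message above, sketched as an added example that is not part of the original message and not code from firewalld, NetworkManager or GNOME Shell. It assumes "trusted network mode" maps to firewalld's built-in `trusted` zone and that "not trusted" means leaving NetworkManager's `connection.zone` empty so the firewalld default zone applies; the function names and the `NMCLI`/`FWCMD` overrides are hypothetical.

```shell
#!/bin/sh
# Added illustration: persist a per-network trust decision as a firewalld zone.
# Assumption: "trusted" -> firewalld's "trusted" zone; anything else -> default zone.

NMCLI="${NMCLI:-nmcli}"          # overridable, e.g. NMCLI=echo for a dry run
FWCMD="${FWCMD:-firewall-cmd}"   # overridable for the same reason

# Map the answer to 'Is this a trusted network?' onto a connection.zone value.
# Fails closed: only an explicit "yes" yields the permissive zone.
zone_for_answer() {
    case "$1" in
        yes|Yes|YES) printf '%s\n' trusted ;;
        *)           printf '%s\n' '' ;;   # empty = use firewalld's default zone
    esac
}

# Store the decision in the connection profile, so later connections to the
# same network reuse it without asking again.
# usage: set_network_trust <connection-name> <yes|no>
set_network_trust() {
    conn=$1
    zone=$(zone_for_answer "$2")
    "$NMCLI" connection modify "$conn" connection.zone "$zone"
}

# Check which zone firewalld actually applied to an interface.
# usage: effective_zone <interface>
effective_zone() {
    "$FWCMD" --get-zone-of-interface="$1"
}
```

Toggling a network later is the same call with the other answer, for example `set_network_trust "Conference WiFi" no`.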

