Desktop and FirewallD

Bastien Nocera bnocera at redhat.com
Fri Jun 6 16:20:49 UTC 2014



----- Original Message -----
> Hi everyone,
<snip>
> Plans for Fedora 21
> * The Desktop team will look into creating a UI that asks you when you
> connect to a new wireless network if you consider it trusted or not. Exact
> wording of the question and look of dialog etc. will need to be worked out.
> This setting will be remembered for that network. If the user says trusted, the
> zone used will be 'trusted', if not trusted then current default will be
> used. Should be simple enough to not confuse users, yet improve their
> security on public networks.
> * Other connection types will keep the current default which sucks a bit for
> your home ethernet, but we don't currently have a good way to identify your
> ethernet connection and popping up a dialog every time you connect is
> probably a worse user experience than having to google a bit.
> 
> Matthias started a prototype of this already here:
> https://bugzilla.gnome.org/show_bug.cgi?id=727580

The plan has changed slightly after discussions with designers (Allan in particular)
and firewalld hackers (Miloslav Trmac and Thomas Woerner).

There were two main uses to the firewall:
- Security: this is to avoid particular services from ever being seen on the network.
  This also accounts for packaging errors which mean that unwanted services are
  enabled when the package is installed, and listening on the network when they shouldn't
  be, as noticed recently: https://fedorahosted.org/fesco/ticket/1310
- Privacy: avoid unwanted data about the user or their setup from being broadcast on the
  local network. That means my user name, my real name (!), the version of my OS, etc.

I reviewed the default network services available on a stock Fedora Workstation
installation[1], and we came up with the following plan.

1) Work with QE to set up a way to avoid security regressions, such as the rpcbind one
   mentioned above. This will mean adding tests at the distro level. Hopefully Tim Flink,
   CC:ed, can help me with creating those tests.
2) Create a new firewalld zone for use by Workstation. This would block all system
   services (port < 1024) except a few whitelisted ones (see Google spreadsheet below),
   so as to mitigate #1
3) Add Network awareness to GNOME's controls of system-wide sharing. When disconnecting
   from the network, or connecting to a new unknown network, we would ensure that all
   sharing (we can control) is disabled. Each of the possible shared items would be
   controlled independently for each network. This means that your music would
   automatically be shared when at home, but disabled when at the coffee shop.
   We'll also have a way for users to disable sharing that was previously enabled, without
   that network being the current one. Subject to changes, here are some mockups:
https://raw.githubusercontent.com/gnome-design-team/gnome-mockups/master/system-settings/sharing/sharing-panel.png
https://raw.githubusercontent.com/gnome-design-team/gnome-mockups/master/system-settings/sharing/media-sharing.png
   In the future this could be further controlled through application sandboxing.

Some things that are currently outside of scope, and will need to be documented:
- NFS client or server support. NFS 101 tells you to check the firewall config,
  you'll still need to do that.
- Support for network printers enumeration when mDNS is disallowed on the network
  (this opens up UDP port 631 on the local machine)

> Long term plans
> * Work with NetworkManager team to see if we can come up with a way to
> identify ethernet connections in a similar manner

This would still be useful:
https://bugzilla.gnome.org/show_bug.cgi?id=723084

Cheers

[1]: https://docs.google.com/spreadsheets/d/103SAK-7ch5wpGiCP3KF9CYlIhLQFTy9SSvBvBziWBZc/edit?usp=sharing
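
An added illustration of plan items 1 and 2 above, not part of the original e-mail and not an actual Fedora QE test: a distro-level regression check that parses `ss -H -tuln` output and reports any non-loopback listener on a system port (< 1024) that is not allowlisted. The sample output and the allowlist are constructed assumptions; the real list is in the linked spreadsheet.

```python
import ipaddress

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE_SS = """\
udp   UNCONN 0 0      0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0%eth0:68    0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0 128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0 128    [::1]:631          [::]:*
tcp   LISTEN 0 128    [::]:22            [::]:*
"""

# Hypothetical allowlist of (protocol, port) pairs, for illustration only.
ALLOWED = {("udp", 68), ("tcp", 22)}


def is_loopback(addr):
    """True if the local address is bound to loopback only."""
    addr = addr.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface
    if addr == "*":                           # wildcard bind is exposed
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                          # unparseable: treat as exposed


def unexpected_listeners(ss_output, allowed=ALLOWED, limit=1024):
    """Return (proto, address, port) for exposed system ports not allowlisted."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port >= limit or is_loopback(addr):
            continue                          # out of scope for this check
        if (fields[0], port) not in allowed:
            findings.append((fields[0], addr, port))
    return findings


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On the constructed sample this flags the two port 111 (rpcbind) listeners and nothing else; a test harness would fail the build when the returned list is non-empty.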

