Firewall blocking desktop features
twoerner at redhat.com
Wed Sep 11 16:44:46 UTC 2013
On 09/10/2013 10:07 PM, Peter Oliver wrote:
> Empathy's "People Nearby" feature doesn't work out of the box because
> the required ports are blocked by default by the firewall
> (https://bugzilla.redhat.com/show_bug.cgi?id=844308). It's a similar
> story with Gnome's "Media Sharing" feature, and I'm sure there are lots
> of other examples.
With NM connection editor you can bind zones to the connections. For
wireless connections you have a connection per ssid. This makes it
possible to bind a zone (for example 'home') to your home connection. If
you are trusting your home environment completely, you can also use
'trusted'. Then your home network will have full access to your machine.
If you are using your machine in another environment, then it will use
another connection and therefore will be bound to another zone. The
initial default zone is 'public'.
If you are not in a semi or full trusted environment, then there is no
simple solution. See further down...
> Now, if you're running a server and you install, say, Apache, I think
> you expect to have to go and poke at the firewall config, but these seem
> to be very desktop-focused features, and the UI provides no clue about
> the extra steps required.
I am not sure if I am getting this right. What is 'these'? Are you
talking about the desktop UI or firewall-config UI here?
> The FirewallD wiki page talks about a proposed "user interaction mode"
> (https://fedoraproject.org/wiki/FirewallD#User_interaction_mode), which
> sounds like it's intended to address these kinds of issues. I guess
> that's not going to be with us soon?
The "user interaction mode" is not planned for the short term anymore
and it needs to be verified if it could be used with these desktop
features at all. The time to ask the user and to get an ok/deny might be
too long to establish a connection with the already received packets. A
reconnect might be essential to make it work.
> Meanwhile, are there any quick ways we could simplify this for users?
> It's not much, but should application packages ship
> /usr/lib/firewalld/services/service.xml files so that users can open the
> correct ports by ticking a box in firewall-config rather than having to
> go hunting around to find the ranges?
We already have a long list of service configuration files provided by
firewalld, most of them are service related. But there is sure room for
To be able to add a service configuration file, the information about
ports etc. is needed. Dynamic ports are not good for this. Lots of these
desktop features are using some dynamic port(s), which makes the
creation of service configuration files hard or impossible.
Therefore there are (mostly) no service configuration files for these
desktop features. At first there is no documentation about the used
ports, addresses and so on and furthermore there seems to be no
interest in firewalls at all.
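As an added illustration of the service-file idea discussed above (example code, not part of the thread or of firewalld itself): a small parser for the /usr/lib/firewalld/services/<name>.xml format that lists the ports a definition would open, using a constructed sample file for a hypothetical desktop feature. It handles only the `<port>` elements of that format; the port numbers are invented.

```python
# Added example: parse a firewalld service definition and list what it opens.
# Not code from the thread or from firewalld; only <port> elements are handled.
import xml.etree.ElementTree as ET

# Constructed sample for a hypothetical desktop feature: one fixed TCP port,
# one fixed UDP port and a short UDP range. Real files live under
# /usr/lib/firewalld/services/ (packaged) or /etc/firewalld/services/ (local).
SAMPLE_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Example Desktop Feature</short>
  <description>Constructed example, not a real firewalld service.</description>
  <port protocol="tcp" port="5298"/>
  <port protocol="udp" port="5353"/>
  <port protocol="udp" port="60000-60010"/>
</service>
"""


def parse_service(xml_text):
    """Return (short_name, [(protocol, first_port, last_port), ...])."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    short = root.findtext("short", default="")
    entries = []
    for elem in root.findall("port"):
        proto = elem.get("protocol")
        port = elem.get("port")
        if proto not in ("tcp", "udp") or not port:
            raise ValueError("port element needs protocol tcp/udp and a port")
        # firewalld writes ranges as "first-last"; a single port has no dash.
        first, _, last = port.partition("-")
        first_n = int(first)
        last_n = int(last) if last else first_n
        if not 1 <= first_n <= last_n <= 65535:
            raise ValueError("bad port or range: %s" % port)
        entries.append((proto, first_n, last_n))
    return short, entries


def exposed_port_count(entries):
    """Total number of ports the definition opens. A large count usually means
    the feature really uses dynamic ports, which a static file cannot express
    without opening far more than the feature needs."""
    return sum(last - first + 1 for _, first, last in entries)


if __name__ == "__main__":
    name, ports = parse_service(SAMPLE_SERVICE_XML)
    print(name, ports, exposed_port_count(ports))
```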