Firewall blocking desktop features

Thomas Woerner twoerner at redhat.com
Wed Sep 11 16:44:46 UTC 2013


On 09/10/2013 10:07 PM, Peter Oliver wrote:
> Empathy's "People Nearby" feature doesn't work out of the box because
> the required ports are blocked by default by the firewall
> (https://bugzilla.redhat.com/show_bug.cgi?id=844308).  It's a similar
> story with Gnome's "Media Sharing" feature, and I'm sure there are lots
> of other examples.
>
With NM connection editor you can bind zones to the connections. For 
wireless connections you have a connection per ssid. This makes it 
possible to bind a zone (for example 'home') to your home connection. If 
you are trusting your home environment completely, you can also use 
'trusted'. Then your home network will have full access to your machine. 
If you are using your machine in another environment, then it will use
another connection and therefore will be bound to another zone. The 
initial default zone is 'public'.

If you are not in a semi or full trusted environment, then there is no 
simple solution. See further down...

> Now, if you're running a server and you install, say, Apache, I think
> you expect to have to go and poke at the firewall config, but these seem
> to be very desktop-focused features, and the UI provides no clue about
> the extra steps required.
>
I am not sure if I am getting this right. What is 'these'? Are you
talking about the desktop UI or firewall-config UI here?

> The FirewallD wiki page talks about a proposed "user interaction mode"
> (https://fedoraproject.org/wiki/FirewallD#User_interaction_mode), which
> sounds like it's intended to address these kinds of issues.  I guess
> that's not going to be with us soon?
>
The "user interaction mode" is not planned for the short term anymore 
and it needs to be verified if it could be used with these desktop 
features at all. The time to ask the user and to get an ok/deny might be 
too long to establish a connection with the already received packets. A 
reconnect might be essential to make it work.

> Meanwhile, are there any quick ways we could simplify this for users?
> It's not much, but should application packages ship
> /usr/lib/firewalld/services/service.xml files so that users can open the
> correct ports by ticking a box in firewall-config rather than having to
> go hunting around to find the ranges?
>
We already have a long list of service configuration files provided by 
firewalld, most of them are service related. But there is sure room for 
improvement.

To be able to add a service configuration file, the information about 
ports etc. is needed. Dynamic ports are not good for this. Lots of these 
desktop features are using some dynamic port(s), which makes the 
creation of service configuration files hard or impossible.

Therefore there are (mostly) no service configuration files for these 
desktop features. At first there is no documentation about the used 
ports, addresses and so on and furthermore there seems to be no
interest in firewalls at all.
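As an added illustration of the two mechanisms discussed above (a service
configuration file that firewall-config can offer as a tick box, and a zone
bound to a NetworkManager connection), here is a small shell script. It is
not from the thread or from firewalld itself. The service name
"example-nearby", the ports 9999/tcp and 9998/udp and the connection name
"Home-WiFi" are placeholders; the privileged part assumes firewall-cmd and
nmcli are installed and is skipped otherwise. It only helps for features
with fixed ports, which is exactly the limitation described in the reply.

```shell
#!/bin/sh
# Added example, not part of Thomas Woerner's message: build a firewalld
# service definition file for a desktop feature and bind a zone to a
# NetworkManager connection. The service name "example-nearby", the ports
# 9999/tcp and 9998/udp and the connection name "Home-WiFi" are placeholders.

# Escape the characters that would break the XML text nodes.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# check_port_spec PORT/PROTO -> 0 if PORT is a number or a range (e.g. 1024-1030)
# and PROTO is tcp or udp, which is what the <port/> element accepts.
check_port_spec() {
    case $1 in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    case ${1%/*} in
        *[!0-9-]*|''|-*|*-) return 1 ;;
    esac
    return 0
}

# write_service DIR NAME SHORT DESCRIPTION PORT/PROTO...
# Writes DIR/NAME.xml in the format firewalld reads from
# /usr/lib/firewalld/services (package-provided) and /etc/firewalld/services
# (local overrides). Validates every port spec first, so a bad argument
# leaves no half-written file behind. Prints the path of the file written.
write_service() {
    dir=$1 name=$2 short=$3 desc=$4
    shift 4
    for spec in "$@"; do
        check_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    echo "$file"
}

# count_ports FILE -> number of <port/> elements in FILE
count_ports() {
    grep -c '<port ' "$1"
}

# Install the placeholder service into the local override directory, enable it
# in ZONE and bind ZONE to the NetworkManager connection CONN. Needs root plus
# firewall-cmd and nmcli; does nothing otherwise so the script stays harmless.
apply_service() {
    name=$1 conn=$2 zone=${3:-home}
    command -v firewall-cmd >/dev/null 2>&1 && command -v nmcli >/dev/null 2>&1 || return 0
    [ "$(id -u)" -eq 0 ] || return 0
    write_service /etc/firewalld/services "$name" "$name" \
        "placeholder desktop feature (constructed)" 9999/tcp 9998/udp >/dev/null
    firewall-cmd --reload                                  # pick up the new service file
    firewall-cmd --permanent --zone="$zone" --add-service="$name"
    firewall-cmd --reload
    nmcli connection modify "$conn" connection.zone "$zone" # e.g. conn="Home-WiFi"
}

# Stand-alone demo: write the placeholder service into a temporary directory and show it.
demo_dir=$(mktemp -d)
cat "$(write_service "$demo_dir" example-nearby "Example Nearby" \
    "Placeholder desktop feature (constructed)" 9999/tcp 9998/udp)"
rm -rf "$demo_dir"
```

The file goes into /etc/firewalld/services rather than /usr/lib/firewalld/services so
that it is not overwritten by package updates; a package shipping its own definition
would use the /usr/lib path instead. The zone binding is per connection, so the
service is only reachable while the machine is on that SSID.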
