F21 System Wide Change: Workstation: Disable firewall

Thomas Woerner twoerner at redhat.com
Tue Apr 15 15:23:27 UTC 2014 

On 04/15/2014 04:28 PM, Christian Schaller wrote:
>
> ----- Original Message -----
>> From: "Reindl Harald" <h.reindl at thelounge.net>
>> To: devel at lists.fedoraproject.org
>> Sent: Tuesday, April 15, 2014 11:40:20 AM
>> Subject: Re: F21 System Wide Change: Workstation: Disable firewall
>>
>>
>> Am 15.04.2014 11:32, schrieb drago01:
>>> On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald <h.reindl at thelounge.net>
>>> wrote:
>
>> allow any random application to open a unprivlieged
>> port which is reachable from outside is dangerous
>>
> We already allow that and have for a long while. Any application bothering to support the firewalld dbus interface can open any port
> they wish to.
>
Are you running your desktop as root or all your applications are 
authenticated? - I hope not.

Only authenticated applications and services can modify the firewall.

> There was a long thread about this on the desktop mailing list, and I was not in the 'disable the firewall' camp in that discussion,
> but nobody in that thread or here have articulated how the firewall exactly enhance security in the situation where we at the
> same time need to allow each user to have any port they desire opened for traffic to make sure things like DLNA or Chromecast works.
>
You can simply use different zones for the different connections you are 
using. Most likely you do not want to enable DLNA and Chromecast in a 
public internet cafe, but at home. So simple marking your home Wifi 
using the trusted zone is the trick to allow everything within this Wifi 
only. It is also possible to change the zone that is used for a connection.

You can bind connections or interfaces to zones in ifcfg files and in 
NetworkManager - probably not in the gnome 3 UI, but in all other UI 
versions ...

> The thread discussing this ended up with mostly being a discussion if the firewall would be a useful way to help users from accidentally
> oversharing on a public network. Which is important and something we want to work on, but a lot less so than security issues.
>
> Christian
>

Thomas

More information about the devel mailing list