F21 System Wide Change: Workstation: Disable firewall

Christian Schaller cschalle at redhat.com
Tue Apr 15 17:03:27 UTC 2014





----- Original Message -----
> From: "Simo Sorce" <simo at redhat.com>
> To: "Development discussions related to Fedora" <devel at lists.fedoraproject.org>
> Sent: Tuesday, April 15, 2014 4:37:38 PM
> Subject: Re: F21 System Wide Change: Workstation: Disable firewall
> 
> On Tue, 2014-04-15 at 10:28 -0400, Christian Schaller wrote:
> > ----- Original Message -----
> > > From: "Reindl Harald" <h.reindl at thelounge.net>
> > > To: devel at lists.fedoraproject.org
> > > Sent: Tuesday, April 15, 2014 11:40:20 AM
> > > Subject: Re: F21 System Wide Change: Workstation: Disable firewall
> > > 
> > > 
> > > Am 15.04.2014 11:32, schrieb drago01:
> > > > On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald
> > > > <h.reindl at thelounge.net>
> > > > wrote:
> > 
> > > allow any random application to open a unprivlieged
> > > port which is reachable from outside is dangerous
> > > 
> > We already allow that and have for a long while. Any application bothering
> > to support the firewalld dbus interface can open any port
> > they wish to.
> > 
> > There was a long thread about this on the desktop mailing list, and I was
> > not in the 'disable the firewall' camp in that discussion,
> > but nobody in that thread or here have articulated how the firewall exactly
> > enhance security in the situation where we at the
> > same time need to allow each user to have any port they desire opened for
> > traffic to make sure things like DLNA or Chromecast works.
> > 
> > The thread discussing this ended up with mostly being a discussion if the
> > firewall would be a useful way to help users from accidentally
> > oversharing on a public network. Which is important and something we want
> > to work on, but a lot less so than security issues.
> 
> There is plenty of prior art here.

> What you need is clearly different "zones" that the user can configure
> and associate to networks, with the default being that you trust nothing
> and everything is firewalled when you roam a new network.
> 
> firewalld should grow a NetworkManager plugin so that configuration can
> be changed on the fly based on which network NM tells firewalld a
> specific interface is connected to.
> 
> Applications need to be prevented from being able to arbitrarily open
> ports, that should be allowed only for a "trusted" zone. User
> intervention should be needed to mark a zone as trusted, in all other
> zones the user will have to select explicitly what applications are
> allowed.
> 
> So the big work here is in the UI you need to build to present these
> configurations to the user.
> 
> Until then you can present a very simplified UI that just has a big
> button/switch that turns everything from "untrusted" to "trusted", with
> the default being "untrusted" of course.

All of this are points I actually made myself in the corresponding thread
on the desktop list. I suggest you read that to see the prior discussion on 
the subject here. 

The thread starts here:
https://lists.fedoraproject.org/pipermail/desktop/2014-February/009142.html

Christian


More information about the devel mailing list