F21 System Wide Change: Workstation: Disable firewall

Thomas Woerner twoerner at redhat.com
Wed Apr 16 10:31:10 UTC 2014


On 04/15/2014 10:49 PM, Matthias Clasen wrote:
> On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote:
>
>>>
>>> What you need is clearly different "zones" that the user can configure
>>> and associate to networks, with the default being that you trust nothing
>>> and everything is firewalled when you roam a new network.
>>>
>> We have that already with zones in firewalld.
>
> Kind of. If I open the network panel and find the 'Firewall zone' combo,
> I am presented with a choice of:
> Default
> block
> dmz
> drop
> external
> home
> internal
> public
> trusted
> work
>
> This list is far too long, and none of it is translated or even properly
> capitalized. And there is no indication at all why one would choose any
> zone over any other, and what consequences it has.
>
> So, what you have currently is a raw bit of infrastructure that is
> directly exposed to the end user, without any design or integration.
>
There have been plans about a firewall layer in gnome. The gnome team 
decided not to support it and not to work on anything that is firewall 
or firewalld related. There have been several meetings about this.

Now complaining that it is not there and not integrated just makes me 
sad, especially as there was a tool in gnome 3, that has support for 
firewalld, but this support has been removed again.

>>
>> The limitations in gnome 3 are:
>> - Applets are not easily visible in the desktop.
>> - An applet is not always visible, even if the state in the applet is to
>> be visible.
>> - Sending out notifications prohibits the use of left and right
>> mouse button menus: while the notification is visible, a left or right
>> mouse button click on the applet only shows the notification.
>> - After closing a notification sent out by the applet, the applet is
>> made invisible in the tray while its state still says visible. Not
>> even a hide and show will make it visible anymore.
>> - Left and right mouse button menus are loose in the desktop and are not
>> visibly connected to the applet; the applet is not visible any more after
>> clicking on it.
>
> GNOME doesn't have applets anymore, so complaining that your applet
> doesn't work great in GNOME is missing the point.
>
So what would your solution then be for such a workflow today when 
applets aren't supported anymore? And of course one that would work for 
other desktops, as maintaining N versions for N different desktops 
doesn't scale.

> I don't think we want a 'firewall' UI anyway; the firewall is not
> something most users can or should understand and make decisions about.
>
> What I envision is that we will notify the user when we connect to a new
> network, with a message along the lines of:
>
This has been planned before but has been refused. Coming up with this 
again is funny also.

> You have connected to a new network. If this is a public network, you
> may want to stop sharing your Music and disable Remote Logins.
> [Turn off sharing] [Continue sharing] [Sharing Preferences...]
>
> And we will remember this for when you later reconnect to the same
> network.
>
This is exactly what zones are for, but you do not have to alter 
applications or logins.

> When we have this infrastructure, we can use this information to also
> set the network zone to Home/Public - I don't think the long list of
> zones I showed above makes any sense. Either you are at home and
> comfortable sharing the network, or not.
>
If you're still interested in making this work, I'm still willing to work 
on this together with you and the gnome team to make sure everyone will 
have the benefit of an out-of-the-box secure Fedora with an easy to use 
firewall with a proper UI.

> I've filed a bug for this:
> https://bugzilla.gnome.org/show_bug.cgi?id=727580
>
>
> Matthias
>

Thomas - firewalld maintainer
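Matthias's complaint above is that the zone list gives no indication of what each zone means or what consequences a choice has; Thomas's answer is that zones already carry that information. The following is an added example, not code from this thread or from firewalld itself: it parses zone definitions in the firewalld zone-file format (the real files live under /usr/lib/firewalld/zones/ and /etc/firewalld/zones/) and derives a human-readable label plus the concrete effect of switching a connection between two zones, which is exactly what a notification such as "stop sharing your Music" would need. The two zone documents are constructed here for the example, and their service lists are illustrative, not copied from any firewalld release.

```python
import xml.etree.ElementTree as ET

# Constructed zone definitions in the firewalld zone-file format.
# Service lists are illustrative and do not claim to match a real release.
ZONE_XML = {
    "home": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <description>For use in home areas. You mostly trust the other computers on the network.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
</zone>
""",
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on the network.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
""",
}


def parse_zone(xml_text):
    """Return the translatable short name, description and allowed
    services/ports of one zone document. Raises ValueError if the root
    element is not <zone>, so a stray file is rejected rather than
    silently treated as an empty (deny-everything) zone."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone document: <%s>" % root.tag)
    services = sorted(s.get("name") for s in root.findall("service"))
    ports = sorted("%s/%s" % (p.get("port"), p.get("protocol"))
                   for p in root.findall("port"))
    return {
        "short": root.findtext("short", default=""),
        "description": root.findtext("description", default=""),
        "services": services,
        "ports": ports,
        # target attribute is only present on zones that override the
        # default behaviour (e.g. drop/block); absence means "default".
        "target": root.get("target", "default"),
    }


def describe_choice(zone):
    """One line a UI could show next to a zone instead of a bare name."""
    allowed = ", ".join(zone["services"] + zone["ports"]) or "nothing"
    return "%s: %s Incoming allowed: %s." % (
        zone["short"], zone["description"], allowed)


def zone_switch_consequences(from_zone, to_zone):
    """What stops and what starts being reachable when a connection is
    moved from one zone to another. This is the data behind a prompt
    such as 'you may want to stop sharing ...' on a new network."""
    before = set(from_zone["services"] + from_zone["ports"])
    after = set(to_zone["services"] + to_zone["ports"])
    return {
        "closed": sorted(before - after),
        "opened": sorted(after - before),
    }


if __name__ == "__main__":
    zones = {name: parse_zone(text) for name, text in ZONE_XML.items()}
    for name in sorted(zones):
        print(name, "->", describe_choice(zones[name]))
    print("home -> public:",
          zone_switch_consequences(zones["home"], zones["public"]))
```

Running the block prints a labelled line per zone and reports that moving a connection from home to public closes mdns and samba-client while opening nothing; a notification layer can turn that into plain language without the user ever seeing the raw zone list.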
