F21 System Wide Change: Workstation: Disable firewall

Thomas Woerner twoerner at redhat.com
Wed Apr 16 10:44:14 UTC 2014

On 04/16/2014 02:18 AM, Chuck Anderson wrote:
> On Tue, Apr 15, 2014 at 07:28:35PM -0400, Simo Sorce wrote:
>> On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote:
>>> You have connected to a new network. If this is a public network, you
>>> may want to stop sharing your Music and disable Remote Logins.
>>> [Turn off sharing] [Continue sharing] [Sharing Preferences...]
>> So if you have 4 different services you get flooded with a ton of
>> questions?
>> Sounds like a bad idea.
>>> And we will remember this for when you later reconnect to the same
>>> network.
>> If you set a *zone* instead then you have to remember only one
>> association: network -> zone, and you know where to go to change that,
>> and to change in which zones an application is allowed to listen,
>> instead of having tens of one offs.
>>> When we have this infrastructure, we can use this information to also
>>> set the network zone to Home/Public - I don't think the long list of
>>> zones I showed above makes any sense. Either you are at home and
>>> comfortable sharing the network, or not.
>> A long list does not make sense by default, ideally the default is that
>> you have only 2 zones: trusted/untrusted (you can choose whatever
>> names), if the users wants more flexibility then they would create new
>> zones (like home, work, cafe, library, etc..) perhaps by cloning
>> existing ones and then tweak the list of applications allowed to serve
>> content in those zones.
>> It would be better if the association were per-application rather than
>> nameless ports.
> Additionally, some "zones" should be bound to a certain network scope.
> Today you could say "Home" or "Trusted" for your RFC1918-behind-NAT
> network at home, but tomorrow your ISP could enable IPv6 and all of a
> sudden your system connected to that subnet is exposed to the whole
> world... So you really need some concept of scope to attach to the
> zone so you can only allow connections from within that scope.  The
> hard part is how to define that scope.  I believe Windows defaults to
> "local subnet" when you choose Home.
For this we need better integration with NetworkManager. Additionally,
we cannot make this work easily with network services. firewalld does
not take care of the network configuration.

I agree, it would be good to have support for this.
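The "zone bound to a network scope" idea from Chuck's message, as an added example that is not part of this thread and not firewalld's or NetworkManager's own code: a small Python script that emits a firewalld zone file (the /etc/firewalld/zones/<name>.xml format) but refuses any source prefix outside RFC 1918, IPv6 unique-local or link-local space, so a "home" zone cannot quietly start admitting the whole Internet once the ISP hands out a global IPv6 prefix. The function names (`in_local_scope`, `build_zone`, `zone_sources`) and the sample prefixes are my own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Address scopes a "home"/"trusted" zone may bind to: private IPv4 (RFC 1918),
# IPv6 unique-local (RFC 4193) and link-local.  Anything else is treated as
# globally reachable and refused.  (Assumed policy, not firewalld's own.)
LOCAL_SCOPES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fc00::/7", "fe80::/10",
)]

def in_local_scope(prefix):
    """True if every address of `prefix` lies inside one allowed local scope."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.version == s.version and net.subnet_of(s) for s in LOCAL_SCOPES)

def build_zone(name, sources, services, target="default"):
    """Return firewalld zone XML whose <source> entries are limited to
    local-scope prefixes.  Raises ValueError for a globally routable prefix
    such as an ISP-assigned IPv6 /64, instead of silently trusting it."""
    bad = [s for s in sources if not in_local_scope(s)]
    if bad:
        raise ValueError(f"zone {name!r}: refusing global-scope sources {bad}")
    zone = ET.Element("zone", target=target)
    ET.SubElement(zone, "short").text = name
    ET.SubElement(zone, "description").text = (
        f"Services below are reachable only from {', '.join(sources)}")
    for s in sources:
        net = ipaddress.ip_network(s, strict=False)
        ET.SubElement(zone, "source", address=str(net))
    for svc in services:
        ET.SubElement(zone, "service", name=svc)
    return ET.tostring(zone, encoding="unicode")

def zone_sources(xml_text):
    """Parse a zone definition back and list its source prefixes (for review)."""
    return [e.get("address") for e in ET.fromstring(xml_text).findall("source")]

if __name__ == "__main__":
    # Constructed sample: a home LAN plus a unique-local IPv6 prefix.
    print(build_zone("home", ["192.168.1.0/24", "fd12:3456::/64"], ["ssh", "mdns"]))
```

The generated file belongs in /etc/firewalld/zones/, and NetworkManager attaches a zone to a connection through its connection.zone property (nmcli connection modify <id> connection.zone home), which is the per-network association the thread is asking for.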
