F21 System Wide Change: Workstation: Disable firewall

poma pomidorabelisima at gmail.com
Wed Apr 16 13:40:14 UTC 2014


On 16.04.2014 12:31, Thomas Woerner wrote:
> On 04/15/2014 10:49 PM, Matthias Clasen wrote:
>> On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote:
>>
>>>>
>>>> What you need is clearly different "zones" that the user can configure
>>>> and associate to networks, with the default being that you trust nothing
>>>> and everything is firewalled when you roam a new network.
>>>>
>>> We have that already with zones in firewalld.
>>
>> Kind of. If I open the network panel and find the 'Firewall zone' combo,
>> I am presented with a choice of:
>> Default
>> block
>> dmz
>> drop
>> external
>> home
>> internal
>> public
>> trusted
>> work
>>
>> This list is far too long, and none of it is translated or even properly
>> capitalized. And there is no indication at all why one would choose any
>> zone over any other, and what consequences it has.
>>
>> So, what you have currently is a raw bit of infrastructure that is
>> directly exposed to the end user, without any design or integration.
>>
> There have been plans about a firewall layer in gnome. The gnome team 
> decided not to support it and not to work on anything that is firewall 
> or firewalld related. There have been several meetings about this.
> 
> Now complaining that it is not there and not integrated just makes me 
> sad, especially as there was a tool in gnome 3, that has support for 
> firewalld, but this support has been removed again.
> 
>>>
>>> The limitations in gnome 3 are:
>>> - Applets are not easily visible in the desktop.
>>> - An applet is not always visible, even if the state in the applet is to
>>> be visible.
>>> - Sending out notifications is prohibiting the use of left and right
>>> mouse button menus: While the notification is visible, a left and right
>>> mouse button click on the applet only shows the notification.
>>> - After closing a notification sent out by the applet, the applet is
>>> made invisible in the tray with a still visible state in the applet. Not
>>> even a hide and show will make it visible anymore.
>>> - Left and right mouse button menus are loose in the desktop and are not
>>> visibly connected to the applet, it is not visible any more after
>>> clicking on it.
>>
>> GNOME doesn't have applets anymore, so complaining that your applet
>> doesn't work great in GNOME is missing the point.
>>
> So what would your solution then be for such a workflow today when 
> applets aren't supported anymore? And of course one that would work for 
> other desktops, as maintaining N versions for N different desktops 
> doesn't scale.
> 
>> I don't think we want a 'firewall' UI anyway; the firewall is not
>> something most users can or should understand and make decisions about.
>>
>> What I envision is that we will notify the user when we connect to a new
>> network, with a message along the lines of:
>>
> This has been planned before but has been refused. Coming up with this 
> again is funny also.
> 
>> You have connected to a new network. If this is a public network, you
>> may want to stop sharing your Music and disable Remote Logins.
>> [Turn off sharing] [Continue sharing] [Sharing Preferences...]
>>
>> And we will remember this for when you later reconnect to the same
>> network.
>>
> This is exactly what zones are for, but you do not have to alter 
> applications or logins.
> 
>> When we have this infrastructure, we can use this information to also
>> set the network zone to Home/Public - I don't think the long list of
>> zones I showed above makes any sense. Either you are at home and
>> comfortable sharing the network, or not.
>>
> If you're still interested to make this work I'm still willing to work 
> on this together with you and the gnome team to make sure everyone will 
> have the benefit of an out-of-box secure Fedora with an easy to use 
> firewall with a proper UI.
> 
>> I've filed a bug for this:
>> https://bugzilla.gnome.org/show_bug.cgi?id=727580
>>
>>
>> Matthias
>>
> 
> Thomas - firewalld maintainer
> 

Thanks for the revelation, Thomas!
Josh, I hope you read this.

Is this really how we want to promote Fedora!?


poma
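The thread above argues about where the "you are on a public network, stop sharing" decision should live, in a GNOME notification or in firewalld zones. The following is an added example, not code from the thread, from firewalld or from GNOME: it takes the text that `firewall-cmd --get-active-zones` prints and, per zone, the output of `firewall-cmd --zone=<name> --list-services`, and reports which interfaces sit in an untrusted zone while that zone still exposes sharing-type services. The sample outputs are constructed, and the set of "sharing" services and of trusted zone names are assumptions chosen for illustration.

```python
"""Audit which interfaces expose sharing services from an untrusted firewalld zone.

Added example (not from the mailing-list thread). It parses the text printed by
`firewall-cmd --get-active-zones` and the per-zone output of
`firewall-cmd --zone=<name> --list-services`; the samples below are constructed.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `firewall-cmd --get-active-zones` output.
ACTIVE_ZONES_OUTPUT = """home
  interfaces: wlp3s0
public
  interfaces: enp0s25
"""

# Constructed sample of `firewall-cmd --zone=<zone> --list-services`, one entry per zone.
ZONE_SERVICES_OUTPUT = {
    "home": "dhcpv6-client mdns samba-client ssh",
    "public": "dhcpv6-client mdns ssh",
}

# Services this audit treats as "sharing" (assumption; adjust to the site's policy).
SHARING_SERVICES: Set[str] = {"ssh", "samba", "samba-client", "mdns", "mountd", "nfs"}
# Zones treated as trusted (assumption): exposing sharing there is by design.
TRUSTED_ZONES: Set[str] = {"home", "internal", "trusted", "work"}


def parse_active_zones(text: str) -> Dict[str, List[str]]:
    """Map zone name -> list of interface names from --get-active-zones output.

    Zone names start at column 0; the indented lines beneath them hold
    'interfaces:' (and possibly 'sources:', which lists address ranges and is
    ignored here because it does not name an interface).
    """
    zones: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            zones.setdefault(current, [])
        elif current is not None:
            key, _, value = raw.strip().partition(":")
            if key == "interfaces":
                zones[current].extend(value.split())
    return zones


def parse_services(text: str) -> Set[str]:
    """--list-services prints space-separated service names on one line."""
    return set(text.split())


def audit(active_text: str, services_by_zone: Dict[str, str]) -> Dict[str, Tuple[str, List[str]]]:
    """Return {interface: (zone, sorted exposed sharing services)}.

    Only interfaces bound to zones outside TRUSTED_ZONES are reported, and only
    when that zone currently allows at least one SHARING_SERVICES entry.
    """
    findings: Dict[str, Tuple[str, List[str]]] = {}
    for zone, ifaces in parse_active_zones(active_text).items():
        if zone in TRUSTED_ZONES:
            continue
        exposed = sorted(parse_services(services_by_zone.get(zone, "")) & SHARING_SERVICES)
        if exposed:
            for iface in ifaces:
                findings[iface] = (zone, exposed)
    return findings


if __name__ == "__main__":
    for iface, (zone, exposed) in audit(ACTIVE_ZONES_OUTPUT, ZONE_SERVICES_OUTPUT).items():
        print(f"{iface} (zone {zone}) exposes: {', '.join(exposed)}")
```

On a live system the two constructed strings would be replaced by the real command output (for example via `subprocess.run(["firewall-cmd", "--get-active-zones"], capture_output=True, text=True).stdout`); the parser itself does not need root. The point of the check is the one both sides of the thread make in different words: the zone an interface lands in is what decides whether Remote Login or file sharing is reachable from that network, so that is the state worth auditing, whatever UI sits on top of it.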