F21 System Wide Change: Workstation: Disable firewall

[Simo Sorce]

On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote:
> On 04/15/2014 09:31 AM, Simo Sorce wrote:
> > On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote:
> >> I keep thinking that, if I had unlimited time, I'd write a totally
> >> different kind of firewall.  It would allow some policy (userspace
> >> daemon or rules loaded into the kernel) to determine when programs can
> >> listen on what sockets and when connections can be accepted on those
> >> sockets.  This avoids the attack surface of iptables, it will be
> >> faster, it can cause programs to actually report errors if you want
> >> them to, and it could be a lot easier to configure.
> >>
> >> Wouldn't it be great if, when you start some program that wants to
> >> listen globally, your system could prompt you and ask whether it was
> >> okay, even if that program didn't know about firewalld?
> >>
> > I think what you are describing could be probably realized with SELinux
> > today, just with a special setroubleshoot frontend that catches the AVC
> > when the service tries to listen and ask the user if he wants to allow
> > it.
> >
> > However this would still not be completely sufficient as you completely
> > lack any context about what network you are operating on.
> >
> > The firewall's purpose is to block access to local services on bad
> > networks too, it is not a binary open/close equation when you have
> > machines (laptops) that roam across a variety of networks.
> >
> > Simo.
> >
> Nothing worse then asking Users Security related questions about opening
> firewall ports.
> Users will just answer yes, whether or not they are being hacked.
> 
> firefox wants to listen on port 9900 in order to see this page, OK?


Which is not what I proposed Dan.

I in fact said we should *NOT* ask per application.

What we should ask is one single question, upon connecting to an unknown
network: "Is this network trusted ?"

If yes you open up to the local network. If no you keep ports not
accessible on that network.

We can hint that a cafe wifi is usually not trusted and users should say
no, or perhaps we do not even ask and default to untrusted on open wifi
networks, and only ask on secured networks (this would be my
preference).

> %99.999 will answer yes, and be aggravated.
> 
> Setting up a rule that says app XYZ is allowed to open certain ports
> would be a great step forward.  But there would need to be a provable
> way to guarantee that only the XYZ application is able to open those
> ports.  You could do this with SELinux, but we would need to transition
> user apps to certain domains, but we would need to run users with a
> confined domain, and stop disabling SELinux...

I think we can do this in steps, I certainly agree with the long term
goal.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York