F21 System Wide Change: Workstation: Disable firewall

Simo Sorce simo at redhat.com
Wed Apr 16 16:39:14 UTC 2014 

On Wed, 2014-04-16 at 08:28 -0400, Josh Boyer wrote:
> On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone <ibmalone at gmail.com> wrote:
> > On 16 April 2014 00:11, William Brown <william at firstyear.id.au> wrote:
> >> On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote:
> >
> >>> I don't think we want a 'firewall' UI anyway; the firewall is not
> >>> something most users can or should understand and make decisions of.
> >>
> >> Never take decisions away from users.
> >>
> >> The OSX style firewall works well when enabled. It blocks all by
> >> default, then when an application wants a listening port, the user is
> >> prompted to allow or deny it. I think this is a good model.
> >>
> >
> > "Users can't understand a firewall, let's just turn it off" (I realise
> > that's not your position, it's the one that seems to be coming up in
> > this thread.)
> > Anyone else astounded this discussion is actually taking place?
> 
> I'm astounded that everyone on all sides is showing a complete
> inability to think outside their own box in this thread.  Beyond that,
> nothing else surprises me.
> 
> For a quick summary:
> 
> 1) With a firewall enabled, network services don't work without manual
> intervention.
> 
> 2) With firewalld active, any privileged application can open a port
> in the firewall (and most will be privileged because they will be
> packaged that way.)
> 
> 3) With no firewall enabled and no network services started, there is
> no security issue because there are no open ports.
> 
> 4) With no firewall but active network services, you have open ports
> just as you would in the firewalld or manual intervention firewall
> case
> 
> 5) Which ports can safely be opened is completely irrelevant to the
> presence of a firewall or not.  It is entirely dependent upon the
> trust of the network the machine is connected to.  On unsafe networks,
> you have one of two options: a) turn off those network services, b)
> use a firewall to block the ports those network services need (which
> is a strange form of a).

Sorry, but here you are misunderstanding the nuances of a trusted
network. When I say trusted network I mean *local network* and local
means the firewall uses the subnet mask (as a gross approximation) to
limit who can connect.

also if you have a VPN or virtual machines running on your laptop those
may count as trusted networks, but they coexist with untrusted ones (the
open wifi you are connected to).

So, no b) is absolutely not a strange form of a), because turning off
services is an all or nothing thing, and some users may be fine with
that, but most want the service to be available locally (DLNA) or to his
own Virtual Machines (SMB/NFS shares) but not broadly, so an on/off
switch is simply insufficient.

> If those facts hold true, and I think they do, then I am not surprised
> at all that there's no consensus here.  It isn't as clear cut as
> everyone seems to want it to be.

I think they don't sorry, the discussion is more nuanced, which is why
people is appalled by the proposal.

> The zones approach seems fairly reasonable to me.  That in and of
> itself doesn't require a firewall though.

It absolutely does, see above. the definition of zone often includes the
concept of "local network".

>   "Zones" could be
> implemented by simply turning off the network services completely,
> which would then close the open ports.  However, using a firewall to
> implement zones does allow for protection against unknown/unwanted
> network services running.

It also allows to partition who can see what, we are constantly
connected to multiple networks nowadays (think developers and virtual
machines).

> A reduced set of zones firewall rules and proper integration in
> whatever implementation is chosen would seem to be the middle ground
> here.  I like the middle ground.  Maybe we could shoot for that?

I certainly hope we can shoot for a simplified middle ground to start
with.

> Otherwise, I won't be astounded at all when FESCo rejects the current
> Change and some users still turn off the firewall as one of the first
> things they do because things don't work.

Right, if nothing is done the only sensible solution is for FESCo to
refuse the change, and then the only recourse a lot of user will have is
to turn it off first thing :-(

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the devel mailing list