F21 System Wide Change: Workstation: Disable firewall

Tomasz Torcz tomek at pipebreaker.pl
Wed Apr 16 16:43:05 UTC 2014

On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote:
> > > I think what you are describing could be probably realized with SELinux
> > > today, just with a special setroubleshoot frontend that catches the AVC
> > > when the service tries to listen and ask the user if he wants to allow
> > > it.
> > >
> > > However this would still not be completely sufficient as you completely
> > > lack any context about what network you are operating on.
> > >
> > > The firewall's purpose is to block access to local services on bad
> > > networks too, it is not a binary open/close equation when you have
> > > machines (laptops) that roam across a variety of networks.
> > >
> > > Simo.
> > >
> > Nothing worse then asking Users Security related questions about opening
> > firewall ports.
> > Users will just answer yes, whether or not they are being hacked.
> > 
> > firefox wants to listen on port 9900 in order to see this page, OK?
> Which is not what I proposed Dan.
> I in fact said we should *NOT* ask per application.
> What we should ask is one single question, upon connecting to an unknown
> network: "Is this network trusted ?"
> If yes you open up to the local network. If no you keep ports not
> accessible on that network.

  But firewalld currently lacks flexibility to express this fully.
Firewalld only classifies ”whole” interfaces, which breaks badly in
many situations.  Consider following scenario:  VM with single 
network interface.  This single interface has RFC1918 IPv4 address AND
globally accesible IPv6 address.  How it should be described
in firewalld?

  – for any IPv4 incoming connection, this interface is in ”trusted” (”home”?
    I never know what home/work/dmz/etc really mean)
  – for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone
    is still ”trusted”
  – for any other incoming connection the zone is ”public” (I hope this
    means ”general Internet”).

  Above is trivial in iptables, but impossible with firewalld's zones.

Tomasz Torcz                 Morality must always be based on practicality.
xmpp: zdzichubg at chrome.pl                -- Baron Vladimir Harkonnen

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20140416/c1307345/attachment.sig>

More information about the devel mailing list