F21 System Wide Change: Workstation: Disable firewall

Thomas Woerner twoerner at redhat.com
Wed Apr 16 16:56:21 UTC 2014


On 04/16/2014 06:43 PM, Tomasz Torcz wrote:
> On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote:
>>>> I think what you are describing could be probably realized with SELinux
>>>> today, just with a special setroubleshoot frontend that catches the AVC
>>>> when the service tries to listen and ask the user if he wants to allow
>>>> it.
>>>>
>>>> However this would still not be completely sufficient as you completely
>>>> lack any context about what network you are operating on.
>>>>
>>>> The firewall's purpose is to block access to local services on bad
>>>> networks too, it is not a binary open/close equation when you have
>>>> machines (laptops) that roam across a variety of networks.
>>>>
>>>> Simo.
>>>>
>>> Nothing worse than asking Users Security related questions about opening
>>> firewall ports.
>>> Users will just answer yes, whether or not they are being hacked.
>>>
>>> firefox wants to listen on port 9900 in order to see this page, OK?
>>
>>
>> Which is not what I proposed Dan.
>>
>> I in fact said we should *NOT* ask per application.
>>
>> What we should ask is one single question, upon connecting to an unknown
>> network: "Is this network trusted ?"
>>
>> If yes you open up to the local network. If no you keep ports not
>> accessible on that network.
>
>    But firewalld currently lacks flexibility to express this fully.
> Firewalld only classifies ”whole” interfaces, which breaks badly in
> many situations.  Consider following scenario:  VM with single
> network interface.  This single interface has RFC1918 IPv4 address AND
> globally accessible IPv6 address.  How it should be described
> in firewalld?
>
firewalld supports having rules for IPv4 and/or IPv6.

>    – for any IPv4 incoming connection, this interface is in ”trusted” (”home”?
>      I never know what home/work/dmz/etc really mean)
You can fully customize all zones. This is the reason there is no simple
description for each zone.

>    – for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone
>      is still ”trusted”
>    – for any other incoming connection the zone is ”public” (I hope this
>      means ”general Internet”).
>
>    Above is trivial in iptables, but impossible with firewalld's zones.
>
firewalld also has the ability to bind zones to source addresses and
address ranges. This might help here.


Thomas
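As an added illustration, not part of Thomas's reply or of firewalld's own documentation: a permanent `trusted` zone file for the scenario Tomasz describes, using the source bindings Thomas mentions. firewalld checks source bindings before interface bindings, so if the single interface itself stays assigned to `public` (in `/etc/firewalld/zones/public.xml` or via the NetworkManager connection), traffic from the RFC1918 IPv4 ranges and from the `2001:6a0:138:1::/64` subnet is handled by `trusted`, and everything else falls through to `public`. The interface name `eth0` and the choice to trust all three RFC1918 ranges are assumptions for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/firewalld/zones/trusted.xml (example; interface stays in public) -->
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>Local networks and the one trusted IPv6 prefix. All
  connections from these sources are accepted.</description>
  <!-- RFC1918 IPv4 ranges (assumption: all three are considered trusted) -->
  <source address="10.0.0.0/8"/>
  <source address="172.16.0.0/12"/>
  <source address="192.168.0.0/16"/>
  <!-- the trusted IPv6 subnet from the scenario -->
  <source address="2001:6a0:138:1::/64"/>
</zone>
```

The same bindings can be made at runtime and persisted with `firewall-cmd --permanent --zone=trusted --add-source=192.168.0.0/16` (repeat per range), followed by `firewall-cmd --reload`; `firewall-cmd --get-active-zones` then lists both the interface-bound `public` zone and the source-bound `trusted` zone. The caveat from earlier in the thread still applies: source-based trust classifies by address, not by which network the laptop is actually on, so on an unknown network a 192.168.0.0/16 peer is still treated as trusted.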

