F21 System Wide Change: Workstation: Disable firewall

Tomas Radej tradej at redhat.com
Thu Apr 17 08:30:39 UTC 2014

On 04/16/2014 01:11 AM, William Brown wrote:
> On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote:
>> On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote:
>>
>>>>
>>>> What you need is clearly different "zones" that the user can configure
>>>> and associate to networks, with the default being that you trust nothing
>>>> and everything is firewalled when you roam a new network.
>>>>
>>> We have that already with zones in firewalld.
>>
>> Kind of. If I open the network panel and find the 'Firewall zone' combo,
>> I am presented with a choice of:
>> Default
>> block
>> dmz
>> drop
>> external
>> home
>> internal
>> public
>> trusted
>> work
>>
>> This list is far too long, and none of it is translated or even properly
>> capitalized. And there is no indication at all why one would choose any
>> zone over any other, and what consequences it has.
>
> Agreed
>
> Perhaps shorten to:
>
> block
> public
> work
> home

Oh yes. And when accompanied by a short explanation of what happens (how 
much is shared/blocked, what you may need to do manually to override the 
settings if setting up a service etc.), I think the user experience 
leaves little to be desired.

> The other network zone names really seem targeted at servers. Maybe each
> zone needs an attr that states if it's a workstation zone or not to
> determine if it joins this list?
>
>>
>> So, what you have currently is a raw bit of infrastructure that is
>> directly exposed to the end user, without any design or integration.
>>
>
>
>
> Additionally, the command line syntax to manage firewalld is obscene.
> (maybe slightly off topic ...)
>
> firewall-cmd --zone=foo --add-port=12345/tcp --permanent
>
> It doesn't autocomplete in bash either (zsh at least prefills the -- and
> gives you some options, but it's not great)
>
> At least for the "power" user on a workstation, fixing this syntax to at
> the minimum remove all the -- would be great. Follow that by nm-cli
> style short hand, and I would be a happy person. You could do:
>
> firewalld-cmd z=foo a-p=12345/tcp perm
>
>
>
> Because this syntax is "hard" I think that it even excludes power users
> from wanting to make their firewall work on their system.
>
>>
>>
>> I don't think we want a 'firewall' UI anyway; the firewall is not
>> something most users can or should understand and make decisions about.
>
> Never take decisions away from users.
>
> The OSX style firewall works well when enabled. It blocks all by
> default, then when an application wants a listening port, the user is
> prompted to allow or deny it. I think this is a good model.
>
>>
>> What I envision is that we will notify the user when we connect to a new
>> network, with a message along the lines of:
>>
>> You have connected to a new network. If this is a public network, you
>> may want to stop sharing your Music and disable Remote Logins.
>> [Turn off sharing] [Continue sharing] [Sharing Preferences...]
>>
>> And we will remember this for when you later reconnect to the same
>> network.
>
> Why not set the firewall zone when you join the network? And the above
> prompts alter that currently active zone?
>
>
>> I've filed a bug for this:
>> https://bugzilla.gnome.org/show_bug.cgi?id=727580
>>
>>
>> Matthias
>>
>
>
>
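The short, per-zone explanation asked for above can be derived from each zone's own firewalld definition. This added Python example (not from the thread, and not firewalld's code) parses constructed, simplified zone files in firewalld's zone XML format and renders one line per zone stating what is let in and what happens to everything else:

```python
import xml.etree.ElementTree as ET

# Constructed, simplified zone definitions in firewalld's zone XML format; they
# are illustrative and not copies of the files under /usr/lib/firewalld/zones/.
SAMPLE_ZONES = {
    "block": """<zone target="%%REJECT%%">
  <short>Block</short>
</zone>""",
    "home": """<zone>
  <short>Home</short>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <port port="1234" protocol="tcp"/>
</zone>""",
    "trusted": """<zone target="ACCEPT">
  <short>Trusted</short>
</zone>""",
}

# How a zone treats traffic that matches none of its allow rules. A zone with
# no target attribute uses firewalld's default target, which rejects.
TARGET_WORDS = {
    "ACCEPT": "accepts everything else",
    "DROP": "silently drops everything else",
    "%%REJECT%%": "rejects everything else",
    "default": "rejects everything else",
}

def parse_zone(xml_text):
    """Return (short name, target, allowed); allowed lists the services/ports let in."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone definition")
    target = root.get("target", "default")
    if target not in TARGET_WORDS:
        raise ValueError("unknown zone target %r" % target)
    allowed = [s.get("name") for s in root.findall("service")]
    allowed += ["%s/%s" % (p.get("port"), p.get("protocol")) for p in root.findall("port")]
    return root.findtext("short", default="?"), target, allowed

def describe_zone(xml_text):
    """One line a zone picker could show: what the zone lets in, and what it does with the rest."""
    short, target, allowed = parse_zone(xml_text)
    if target == "ACCEPT":
        return "%s: accepts all incoming connections." % short
    opened = ("allows incoming " + ", ".join(allowed)) if allowed else "allows no incoming connections"
    return "%s: %s; %s." % (short, opened, TARGET_WORDS[target])
```

Pointing the same parser at the real zone files would produce the explanations for the zones actually installed on a system.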
