F21 System Wide Change: Workstation: Disable firewall

Thomas Woerner twoerner at redhat.com
Wed Apr 23 09:37:29 UTC 2014


On 04/22/2014 09:17 PM, Russell Doty wrote:
> On Tue, 2014-04-22 at 15:04 -0400, Simo Sorce wrote:
>> On Tue, 2014-04-22 at 14:41 -0400, Russell Doty wrote:
>>> On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote:
>>>> On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote:
>>>>> On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote:
>>>>>> 2014-04-22 13:40 GMT+02:00 Stephen Gallagher <sgallagh at redhat.com>:
>>>>>>          3) Recovery and auditing are more important than prevention.
>>>>>>
>>>>>> This is only true for large managed enterprises, where recovery is
>>>>>> possible in the first place (how many people don't have good
>>>>>> backups?), and prevention is bordering on impossible (with the high
>>>>>> number of systems and administrators).  For individual users auditing
>>>>>> is completely pointless, recovery is either impossible or a huge
>>>>>> hassle, and prevention the only option.
>>>>> Well, the presentation was focused on enterprise systems...
>>>>>
>>>>> But there were some underlying themes:
>>>>>
>>>>> * Users will work around anything, including security features, that
>>>>> interfere with them doing their job.
>>>>>
>>>>> * It is impossible to completely secure a system. A prevention only
>>>>> approach doesn't work well.
>>>>>
>>>>> * An effective security model is built around Deter, Detect, Delay,
>>>>> Respond, Remediate.
>>>>>
>>>>> * Security is one of multiple threats to system integrity.
>>>>
>>>> All very true, but you do not remove the Deterrent, just because you
>>>> have the other 4 layers (which we do *not* have very much in Fedora when
>>>> it is used as a simple workstation).
>>> Absolutely true - the foundation of the stack is Deter. The point is
>>> that we can't harden a system enough for Deter alone to be fully
>>> effective, so we need to have the complete security model.
>>>
>>> And you are right. We have a real opportunity to look at an overall
>>> "people centric" approach to security in Fedora. Look at the traditional
>>> threat models, look at the people issues, and look at an overall
>>> approach to maintaining system integrity.
>>>
>>> I'd like to see us exploring system integrity in greater depth.
>>>>
>>>> This is why people say we need to improve the Firewall experience not
>>>> raise white flag and disable it.
>>> Agree. Unfortunately, the easy way out is to punch so many holes in the
>>> default firewall that it doesn't offer much protection...
>>
>> not really true, having the default one allow access only from the local
>> lan at most is a huge improvement rather than no firewall.
>>
>> All you need is a button that lets you select between 3 zones when you
>> join a new network and you have a much better system already, nothing
>> fancy, and the 3 zones correspond to the concepts of:
>> open to everyone (effectively disables any protection)
>> open to the local lan only (what you would select at home/work/trusted
>> network)
>> closed (what you would select in a public place on an untrusted network)
> This sounds a lot like the Network Manager model.
>
> Could this basic firewall configuration be integrated with the Network
> Manager interface? So that a user sets their "security profile" one
> place, and all related system settings and configurations are updated?
Please have a look at "edit connection" in the NetworkManager applet.

There have been plans to query for the zone that should be used for a 
connection before activating this connection for the first time. There 
are even sketches for this. But as I said before, this has been rejected 
by the desktop team.

Because of this I created firewall-applet, which provides a simple UI to 
switch zones for connections with NetworkManager and for interface and 
source bindings.

>>
>> It is quite simple to describe even to a non-expert user what these
>> mean in general terms.
>>
>> Of course it won't be perfect, but much better than nothing, and much,
>> much friendlier than what we have now.
> A combination of this and having all commonly used applications
> configure the firewall when installed/uninstalled looks like a good
> start, especially from a usability perspective.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>
>
Thomas

