"Workstation" Product defaults to wide-open firewall
Thomas Woerner
twoerner at redhat.com
Mon Dec 8 14:06:52 UTC 2014
On 12/08/2014 10:50 AM, Bastien Nocera wrote:
>
>
> ----- Original Message -----
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> We don't need open or preconfigured high ports.
>>
>> What we really need is a user notification with options to allow or
>> deny like we do with SELinux.
>>
>> That would be an appropriate solution for a workstation.
>
> No it wouldn't be, because users don't like being asked security questions,
> even less so when they don't have the skills to understand the consequences
> of their choices.
>
> The changes were vouched for by the Fedora and GNOME designers, as well as
> the firewalld maintainers.
>
This zone was not proposed by firewalld maintainers. We had to accept
this zone - it was the Workstation team decision.
Additionally there was a request to pin down the zone in Workstation
so that the user would not be able to change zones. But we denied this
request, because it would have been a big code change in firewalld to
remove one of its key features.
Additionally firewall-applet and firewall-config are not installed by
default in GNOME. All this was the decision of the Workstation team. I
asked then to leave the firewall UI there, but ...
Thomas