"Workstation" Product defaults to wide-open firewall

Gerd Hoffmann kraxel at redhat.com
Tue Dec 9 11:54:59 UTC 2014


  Hi,

> > I also thought that the whole point of having Zones etc, was so that
> > we could pick a different zone per network connection,

/me too.

> > so if I'm in the office or at home I can say use this zone, if I'm
> > at a coffee shop I can pick a different one etc.
> > 
> > Or was this considered too much UI for the normal user? Surely
> > OSX has something to copy from, since they seem to define what
> > a normal user expects.
> 
> OSX has a firewall integration that I would rank as "awful". It's not
> any better than what we had in Fedora 20 (blocking firewall and a tool
> to open up ports).

Have a look at Windows then.  Each time you hook a Windows machine to a
new network it asks what network this is.  Used to be "public", "home",
"work".  Recently they simplified that and kicked the "home" / "work"
separation, so it's only public / non-public now.  With some explanation
along the lines of "use public for hotspots, use home for your private
network where you want to share stuff".

Why can't we have something like this?  And if you don't want a popup
asking, have something in the NetworkManager applet menu, where people
can easily find the switch without having to search for it?  A "[x]
allow sharing" checkbox?  A firewall zone selector?

Side Note: For the latter we need to clean up the zones though.  There
           are *way* too many to choose from, and the names suck big
           time.  WTF is a "Fedora$product" zone?  And wasn't that
           discussed before on this list?  Why do we *still* have this
           mess?

IMO there is simply no way around asking the user.  Making sharing stuff
easy (so you can watch your DLNA-exported photo/video collection at your
smart TV) is a reasonable request.  But enabling that by allowing
everybody to fetch your private photo collection via DLNA while you are
surfing @ starbucks is a non-starter.

cheers,
  Gerd

PS: Seems Windows can even identify different wired networks.  I've
    switched my router recently, and Windows re-asked what network
    I'm on.  Probably they remember the MAC address of the default
    gateway or something like that.



