"Workstation" Product defaults to wide-open firewall
Stephen Gallagher
sgallagh at redhat.com
Tue Dec 9 13:10:15 UTC 2014
On Tue, 2014-12-09 at 07:27 +0100, Kevin Kofler wrote:
> Stephen Gallagher wrote:
> > Also, while I think it's been unclear in this thread, the main reason
> > that the firewall GUI was taken out was because the Workstation guys
> > want to design a more user-understandable one and include that directly
> > (if I am remembering that conversation correctly). The current one is
> > not terribly easy to understand (though it's certainly an improvement
> > over s-c-firewall).
>
> Huh? Especially the last part really makes me go "huh?". System-config-
> firewall is dead simple to use: I want service S to work, I check the box
> for service S if it's one of the common ones, or pick service S from the
> full /etc/services list if it's an uncommon one, or enter its port manually
> if it's some nonstandard service listening on an arbitrary port. I don't see
> how the UI can be any simpler.
>
> firewall-config is only complicated because firewalld is overly complex.
I'm a little puzzled that you decided to nitpick this one statement
which was poorly phrased and ignore the rest of my email, but okay I'll
bite. I meant to say that firewall-config is in general much improved
over s-c-firewall, not that it was easy to understand.
s-c-firewall only allowed *exactly* what you described above and left
you to manually configure the firewall with the CLI if you needed
anything more complicated than "open this port on all interfaces". With
firewall-config, it's possible to set up fairly common firewall
configurations like:
* Port forward between two interfaces, which is really useful with
virtualization.
* Open this SMB port on these two multipath interfaces but not on this
public interface or the management plane.
And so on. And is firewalld overly complex? Sure. Firewalls *are*
complex. Having used both firewall-cmd and iptables extensively over the
years, I'd pick firewall-cmd any day. It's far easier to remember
firewall-cmd --add-port=80/tcp
than it is to remember
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
(which I just had to Google to make sure I got it right, which I
hadn't...). So for the really simple cases that s-c-firewall used to
handle, it's still pretty darn easy. Moreover, it's *significantly*
easier to see (and understand) the current firewall state on your
system:
firewall-cmd --list-all[-zones]
On my system, this results in:
FedoraWorkstation (default, active)
interfaces: em1 virbr0 virbr0-nic wlp4s0
sources:
services: dhcpv6-client dns freeipa-ldap freeipa-ldaps samba-client
ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
(and yes, you may notice that I've elected to close the ports >1024 that
are open by default in the Fedora Workstation zone, because I'm
overly-paranoid and because I occasionally use non-Fedora software that
I cannot fully trust not to open ports without me checking on it)
Anyway, this post has admittedly gotten a bit rambling and off-topic, so
I'll end it here.
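As an added example (not part of the mail or of firewalld's own tooling), here is a small Python parser for the `firewall-cmd --list-all-zones` text shown above that flags zones opening a large port range or forwarding ports, the kind of check that makes the "see the current firewall state" point concrete. The two-space indentation and the second zone in the sample are constructed assumptions about the output format.

```python
import re

# Constructed sample (not real output): the zone from the mail plus a second
# zone with the stock high-port range left open, to exercise the audit.
SAMPLE = """\
FedoraWorkstation (default, active)
  interfaces: em1 virbr0 virbr0-nic wlp4s0
  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps samba-client ssh
  ports:
  masquerade: no

public
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 1025-65535/tcp 1025-65535/udp
  forward-ports:
"""

ZONE_RE = re.compile(r"^(\S+)(?: \((.*)\))?$")  # "name (default, active)"

def parse_zones(text):
    """Return {zone: {"flags": [...], attribute: [values...]}}."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if ":" not in line:  # zone header; attribute lines always carry ':'
            m = ZONE_RE.match(line.strip())
            if m is None:  # e.g. a rich-rule body line; not parsed here
                continue
            flags = m.group(2).split(", ") if m.group(2) else []
            current = zones.setdefault(m.group(1), {"flags": flags})
            continue
        key, _, value = line.strip().partition(":")
        current[key] = value.split()
    return zones

def port_span(spec):
    """Count ports in a firewalld spec: '80/tcp' -> 1, '1025-65535/tcp' -> 64511."""
    lo, _, hi = spec.split("/")[0].partition("-")
    return int(hi or lo) - int(lo) + 1

def audit(zones, max_ports=1024):
    """Flag zones opening more than max_ports ports, and active zones forwarding ports."""
    findings = []
    for name, z in zones.items():
        opened = sum(port_span(p) for p in z.get("ports", []))
        if opened > max_ports:
            findings.append(f"{name}: {opened} ports opened by range")
        if "active" in z["flags"] and z.get("forward-ports"):
            findings.append(f"{name}: forward-ports configured on an active zone")
    return findings
```

Feed it the real output with `firewall-cmd --list-all-zones | python3 audit.py` style piping, or call `audit(parse_zones(text))` directly.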