"Workstation" Product defaults to wide-open firewall

Stephen Gallagher sgallagh at redhat.com
Tue Dec 9 13:10:15 UTC 2014
On Tue, 2014-12-09 at 07:27 +0100, Kevin Kofler wrote:
> Stephen Gallagher wrote:
> > Also, while I think it's been unclear in this thread, the main reason
> > that the firewall GUI was taken out was because the Workstation guys
> > want to design a more user-understandable one and include that directly
> > (if I am remembering that conversation correctly). The current one is
> > not terribly easy to understand (though it's certainly an improvement
> > over s-c-firewall).
> 
> Huh? Especially the last part really makes me go "huh?". System-config-
> firewall is dead simple to use: I want service S to work, I check the box 
> for service S if it's one of the common ones, or pick service S from the 
> full /etc/services list if it's an uncommon one, or enter its port manually 
> if it's some nonstandard service listening on an arbitrary port. I don't see 
> how the UI can be any simpler.
> 
> firewall-config is only complicated because firewalld is overly complex.



I'm a little puzzled that you decided to nitpick this one statement
which was poorly phrased and ignore the rest of my email, but okay I'll
bite. I meant to say that firewall-config is in general much improved
over s-c-firewall, not that it was easy to understand.

s-c-firewall only allowed *exactly* what you described above and left
you to manually configure the firewall with the CLI if you needed
anything more complicated than "open this port on all interfaces". With
firewall-config, it's possible to set up fairly common firewall
configurations like:

* Port forward between two interfaces, which is really useful with
  virtualization.

* Open this SMB port on these two multipath interfaces but not on this
public interface or the management plane.

And so on. And is firewalld overly complex? Sure. Firewalls *are*
complex. Having used both firewall-cmd and iptables extensively over the
years, I'd pick firewall-cmd any day. It's far easier to remember 

firewall-cmd --add-port=80/tcp

than it is to remember

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

(which I just had to Google to make sure I got it right, which I
hadn't...). So for the really simple cases that s-c-firewall used to
handle, it's still pretty darn easy. Moreover, it's *significantly*
easier to see (and understand) the current firewall state on your
system:

firewall-cmd --list-all[-zones]

On my system, this results in:

FedoraWorkstation (default, active)
  interfaces: em1 virbr0 virbr0-nic wlp4s0
  sources: 
  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

(and yes, you may notice that I've elected to close the ports >1024 that
are open by default in the Fedora Workstation zone, because I'm
overly-paranoid and because I occasionally use non-Fedora software that
I cannot fully trust not to open ports without me checking on it)


Anyway, this post has admittedly gotten a bit rambling and off-topic, so
I'll end it here.
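An added check in the spirit of the `firewall-cmd --list-all` inspection above; this is example code, not part of the original post. It scans a zone dump for wide-open port ranges, assuming (as the post alludes to) that the stock FedoraWorkstation zone opens 1025-65535 on tcp and udp; both zone dumps below are constructed samples.

```shell
#!/bin/sh
# Audit a firewalld zone dump (output of `firewall-cmd --list-all`) for
# port ranges broad enough to be "wide open". Assumed stock default:
# the FedoraWorkstation zone ships 1025-65535/udp 1025-65535/tcp.

# Constructed sample: a stock-looking FedoraWorkstation zone dump.
SAMPLE_DEFAULT='FedoraWorkstation (default, active)
  interfaces: em1 wlp4s0
  sources: 
  services: dhcpv6-client samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: '

# Constructed sample: the same zone after the high ports were removed.
SAMPLE_HARDENED='FedoraWorkstation (default, active)
  interfaces: em1 wlp4s0
  sources: 
  services: dhcpv6-client samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: '

# wide_open_ports [MAX_SPAN]: read a zone dump on stdin and print every
# entry of the "ports:" line whose range covers more than MAX_SPAN ports
# (default 1000). Single ports such as 80/tcp never match.
wide_open_ports() {
  max_span="${1:-1000}"
  awk -v max="$max_span" '
    $1 == "ports:" {
      for (i = 2; i <= NF; i++) {
        split($i, pp, "/")         # pp[1] = "1025-65535", pp[2] = "tcp"
        n = split(pp[1], r, "-")   # single port or lo-hi range
        lo = r[1]; hi = (n == 2) ? r[2] : r[1]
        if (hi - lo + 1 > max) print $i
      }
    }'
}

# count_wide_open DUMP: number of wide-open entries in a dump string.
count_wide_open() {
  printf '%s\n' "$1" | wide_open_ports | wc -l | tr -d ' '
}

echo "stock zone:    $(count_wide_open "$SAMPLE_DEFAULT") wide-open range(s)"
echo "hardened zone: $(count_wide_open "$SAMPLE_HARDENED") wide-open range(s)"
```

On a live system the same check is `firewall-cmd --list-all | wide_open_ports`, or per zone via `--zone=NAME --list-all`.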