"Workstation" Product defaults to wide-open firewall

Bastien Nocera bnocera at redhat.com
Tue Dec 9 13:12:11 UTC 2014



----- Original Message -----
> On 9 December 2014 at 11:35, Michael Catanzaro <mcatanzaro at gnome.org> wrote:
> > On Mon, 2014-12-08 at 10:49 -0500, Bastien Nocera wrote:
> >> If Reindl, Kevin or Tomas want to disagree with that, I'll give you a
> >> little exercise:
> >> Having just installed and updated my Fedora 20, I want to share a
> >> video in my home directory using UPnP/DLNA to my TV, using rygel for
> >> example. Document the steps necessary to achieve that.
> >
> > So unless anyone opposed to the firewall configuration change actually
> > attempts this exercise, and comes up with a working alternative solution
> > to the problem, I'm not sure there's much point in continuing the
> > discussion.
> >
> 
> Well, without access to Bastien's TV, home directory and router it's a
> bit difficult. Or is that the point?

Another laptop with Fedora running on it would just increase the difficulty, but
you can use that, or a set-top box with DLNA support. The router can be any stock
router, and again, it doesn't have any impact on the difficulty of putting the
above in place, as the problem is solely on the sharing service's side.

> I haven't used rygel, is there any reason to believe difficulty doing
> this is not a problem with rygel in F20?

It isn't a problem of rygel, it's a problem of a static firewall with dynamic
services. It impacts all services/applications that use dynamic ports.

> > We are concerned with practical security -- keeping the user safe by
> > anticipating the user's typical response to situations. But if you think
> > the firewall configuration GUI in F20 existed for any purpose other than
> > to completely disable the firewall, please take a reality check.
> 
> "This isn't quite as bad as that other thing." Isn't the most
> persuasive argument, and in some cases it is worse (at least a user
> who's disabled the firewall knows they've done so).

And then we can blame the user for not knowing what they just did. If they
managed to get to that point...

Absent from this thread are also all the people that thanked me personally, or
through colleagues, about the new defaults that were finally usable, yet avoided
the problems of over-sharing when not at home, or in insecure Wi-Fi networks.
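The point about a static firewall versus a dynamic-port service can be made concrete. What follows is an added illustration written for this page, not code from the thread, from rygel or from the Fedora Workstation working group. It models a firewall zone as a set of protocol/port ranges, stands in for a DLNA server with a plain socket bound to port 0 (so the kernel picks the port, exactly the situation a pre-written rule cannot anticipate), and compares three policies: an assumed locked-down zone (only ssh, mdns and dhcpv6-client), an assumed blanket zone of the shape the thread argues about (1025-65535 on tcp and udp, my reading of the Workstation default, not something the thread states), and the locked-down zone plus a single port registered at run time by the application itself. The zone contents, the `STRICT_ZONE`/`WORKSTATION_ZONE` names and the `register_runtime_port` helper are all assumptions made for the example.

```python
"""Static firewall zone versus a service that picks its port at run time.

Constructed illustration: the zone contents below are assumptions for this
example, not taken from the thread, and the media server is stood in for by an
ordinary socket bound to port 0 on loopback.
"""
import socket
from typing import Dict, List, Tuple

# A zone maps a protocol to a list of inclusive (low, high) port ranges.
Zone = Dict[str, List[Tuple[int, int]]]

# Assumed locked-down zone: only a handful of well-known services reachable.
STRICT_ZONE: Zone = {
    "tcp": [(22, 22)],                   # ssh
    "udp": [(5353, 5353), (546, 546)],   # mdns, dhcpv6-client
}

# Assumed shape of the blanket zone discussed in the thread: one wide range on
# both protocols so that any unprivileged-port service works without extra rules.
WORKSTATION_ZONE: Zone = {
    "tcp": [(1025, 65535)],
    "udp": [(1025, 65535)],
}


def allowed(zone: Zone, proto: str, port: int) -> bool:
    """True if an inbound packet to proto/port would be admitted by the zone."""
    return any(lo <= port <= hi for lo, hi in zone.get(proto, []))


def bind_ephemeral(proto: str) -> int:
    """Bind to port 0 on loopback and return the port the kernel assigned.

    This is what a dynamic-port service effectively does: the port for the
    streaming/HTTP side is whatever the kernel hands out at start-up, so no
    rule written in advance can name it.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def register_runtime_port(zone: Zone, proto: str, port: int) -> Zone:
    """Return a copy of zone with exactly one extra port opened.

    Stands in for an application asking the firewall daemon at run time to
    open just the port it actually bound: the narrow alternative to a blanket
    range (hypothetical helper, not a real firewalld API).
    """
    new_zone = {p: list(ranges) for p, ranges in zone.items()}
    new_zone.setdefault(proto, []).append((port, port))
    return new_zone


def demo() -> dict:
    """Bind an ephemeral port and report how each policy treats it."""
    port = bind_ephemeral("tcp")
    runtime_zone = register_runtime_port(STRICT_ZONE, "tcp", port)
    return {
        "port": port,
        # static allow-list written before the service started: blocked
        "strict": allowed(STRICT_ZONE, "tcp", port),
        # blanket range: works, because it covers every unprivileged port
        "workstation": allowed(WORKSTATION_ZONE, "tcp", port),
        # narrow runtime registration: works, and opens only that one port
        "strict_plus_runtime": allowed(runtime_zone, "tcp", port),
        # the cost of the blanket range: an unrelated listener is exposed too
        "workstation_exposes_unrelated": allowed(WORKSTATION_ZONE, "tcp", 8080),
        "runtime_exposes_unrelated": allowed(runtime_zone, "tcp", 8080),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the tension the thread is about: the pre-written allow-list blocks the service every time, the blanket range admits it but also admits any other listener in that range (the "over-sharing" risk raised above), and per-application runtime registration admits only the port actually in use but requires every such service to cooperate with the firewall daemon.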

