"Workstation" Product defaults to wide-open firewall

Thomas Woerner twoerner at redhat.com
Tue Dec 9 15:08:50 UTC 2014


On 12/09/2014 03:57 PM, Christian Schaller wrote:
>
> ----- Original Message -----
>> From: "Brian Wheeler" <bdwheele at indiana.edu>
>> To: devel at lists.fedoraproject.org
>> Sent: Tuesday, December 9, 2014 9:18:47 AM
>> Subject: Re: "Workstation" Product defaults to wide-open firewall
>>
>> On 12/09/2014 08:50 AM, Richard Hughes wrote:
>>
>> On 9 December 2014 at 13:39, Michael Catanzaro <mcatanzaro at gnome.org> wrote:
>>
>> So your challenge is to find an alternative default that
>> supports it.
>> I'd go even further. I don't think the people writing the vast number
>> of lengthy posts on this thread actually want to *use* workstation,
>> with the possible exception of Bastien who's having to defend
>> something he shouldn't have to. Reindl probably should just use the
>> server spin, or be prepared to actually configure his box to do what
>> he wants to be 100% paranoid and unusable for anything less than a
>> technical user. If you don't like what workstation has decided to do,
>> use another target, or a different distro entirely (like CentOS). If
>> you want to change how workstation is designed, join the working group
>> and please actually talk to people there. I think it's misguided to
>> think that hurling insults here is going to achieve change.
>>
>> I think a lot of people also need to remember that workstation isn't
>> built for them, and that's okay. If you know how to configure iptables
>> then that's fine, but I'm happy to admit I don't, and normally just
>> switch off the firewall entirely so I can get stuff done. F21 will be
>> more secure for me, not less.
>>
>> Ok, so what product/spin am I supposed to use? I'm a RHEL sysadmin but I use
>> Fedora on my desktop & laptop. I expect the firewall to be on so when I
>> evaluate a new piece of software or do a bit of network development I don't
>> inadvertently increase my exposure. I also expect things to work with the
>> minimum amount of fuss.
>>
>> So it looks like my choices boil down to:
>> * Use the workstation project and spend a bunch of time locking it down to
>> what would be reasonable default for the networks I use -- and hope I don't
>> miss anything.
>
> Well I think it is hard for anyone to guess what would be reasonable defaults for
> you specifically, any default is by its nature just targeting a generic
> person, which might or might not be a lot like you.
>
> But if you are aware and understand the finer details here then it isn't that
> big a job to change it, you should be able to go into the network manager, choose your
> connection, choose 'identity' (should probably be moved to be under security?) and change
> the zone for your network to whatever suits you better.
>

Please change the default zone, otherwise any new connection will get 
assigned to the weak zone again in the first place.

firewall-cmd --set-default-zone=public

This will change the default to public. All connections that are not 
explicitly bound to another zone will be automatically assigned to the 
default zone.

Thomas

> Christian
>
>> * Use the server product and manually configure all of the workstation stuff
>> so I get a usable system
>>
>> Neither of those choices seems reasonable to me, especially compared to the
>> status quo: a fully configured workstation where I open new ports as I
>> increase functionality.
>>
>>
>>
>> --
>> devel mailing list
>> devel at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/devel
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
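
A check to run around the `firewall-cmd --set-default-zone=public` command in Thomas's reply, as an added example that is not part of the original message: it reports the current default zone and lists interfaces that are bound to some other zone. The sample output and its interface names are constructed, and the `FedoraWorkstation` zone name in it is an assumption about which zone the thread calls weak.

```shell
#!/bin/sh
# Added example (not from the thread): audit firewalld zone assignment
# around `firewall-cmd --set-default-zone=public`.
WANT_ZONE="${WANT_ZONE:-public}"

# Constructed sample of `firewall-cmd --get-active-zones` output.
SAMPLE_ACTIVE_ZONES='FedoraWorkstation
  interfaces: wlp3s0 enp0s25
public
  interfaces: virbr0'

# stdin:  `firewall-cmd --get-active-zones` output.
# stdout: "<interface> <zone>" for each interface bound to a zone other than $1.
ifaces_outside_zone() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1; next }              # unindented line = zone name
        $1 == "interfaces:" && zone != want {
            for (i = 2; i <= NF; i++) print $i, zone
        }'
}

# Query the running firewalld and report what still differs from $WANT_ZONE.
audit() {
    current=$(firewall-cmd --get-default-zone) || return 1
    if [ "$current" = "$WANT_ZONE" ]; then
        echo "default zone: $current (ok)"
    else
        echo "default zone: $current; as root run:"
        echo "  firewall-cmd --set-default-zone=$WANT_ZONE"
    fi
    firewall-cmd --get-active-zones | ifaces_outside_zone "$WANT_ZONE" |
    while read -r iface zone; do
        echo "interface $iface is bound to zone $zone, not $WANT_ZONE"
    done
}

# "audit" talks to firewalld; "demo" parses the constructed sample offline.
case "${1:-}" in
    audit) audit ;;
    demo)  printf '%s\n' "$SAMPLE_ACTIVE_ZONES" | ifaces_outside_zone "$WANT_ZONE" ;;
esac
```

Interfaces still listed after the default has been changed are the ones explicitly bound to another zone, which the default-zone change does not move.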

