"Workstation" Product defaults to wide-open firewall

Thomas Woerner twoerner at redhat.com
Tue Dec 9 15:08:50 UTC 2014

On 12/09/2014 03:57 PM, Christian Schaller wrote:
> ----- Original Message -----
>> From: "Brian Wheeler" <bdwheele at indiana.edu>
>> To: devel at lists.fedoraproject.org
>> Sent: Tuesday, December 9, 2014 9:18:47 AM
>> Subject: Re: "Workstation" Product defaults to wide-open firewall
>> On 12/09/2014 08:50 AM, Richard Hughes wrote:
>> On 9 December 2014 at 13:39, Michael Catanzaro <mcatanzaro at gnome.org> wrote:
>> So your challenge is to find an alternative default that
>> supports it.
>> I'd go even further. I don't think the people writing the vast number
>> of lengthy posts on this thread actually want to *use* workstation,
>> with the possible exception of Bastien who's having to defend
>> something he shouldn't have to. Reindl probably should just use the
>> server spin, or be prepared to actually configure his box to do what
>> he wants to be 100% paranoid and unusable for anything less than a
>> technical user. If you don't like what workstation has decided to do,
>> use another target, or a different distro entirely (like CentOS). If
>> you want to change how workstation is designed, join the working group
>> and please actually talk to people there. I think it's misguided to
>> think that hurling insults here is going to achieve change.
>> I think a lot of people also need to remember that workstation isn't
>> built for them, and that's okay. If you know how to configure iptables
>> then that's fine, but I'm happy to admit I don't, and normally just
>> switch off the firewall entirely so I can get stuff done. F21 will be
>> more secure for me, not less.
>> Ok, so what product/spin am I supposed to use? I'm a RHEL sysadmin but I use
>> Fedora on my desktop & laptop. I expect the firewall to be on so when I
>> evaluate a new piece of software or do a bit of network development I don't
>> inadvertently increase my exposure. I also expect things to work with the
>> minimum amount of fuss.
>> So it looks like my choices boil down to:
>> * Use the workstation project and spend a bunch of time locking it down to
>> what would be reasonable default for the networks I use -- and hope I don't
>> miss anything.
> Well I think it is hard for anyone to guess what would be reasonable defaults for
> you specifically, any default is by its nature just targeting a generic
> person, which might or might not be a lot like you.
> But if you are aware and understand the finer details here then it isn't that
> big a job to change it, you should be able to go into the network manager, choose your
> connection, choose 'identity' (should probably be moved to be under security?) and change
> the zone for your network to whatever suits you better.

Please change the default zone, otherwise any new connection will get 
assigned to the weak zone again in the first place.

firewall-cmd --set-default-zone=public

This will change the default to public. All connections that are not 
explicitly bound to another zone will be automatically assigned to the 
default zone.


> Christian
>> * Use the server product and manually configure all of the workstation stuff
>> so I get a usable system
>> Neither of those choices seem reasonable to me, especially compared to the
>> status quo: a fully configured workstation where I open new ports as I
>> increase functionality.
>> --
>> devel mailing list
>> devel at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/devel
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
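
Added example, not part of the original message or of firewalld: a small shell audit that shows which zone each NetworkManager connection ends up in, so the effect of changing the default zone can be checked. The function names and the sample connection names are constructed for illustration; the live mode assumes an nmcli that supports -g/--get-values.

```shell
#!/bin/sh
# Added example: resolve the effective firewalld zone of each connection.
# A connection whose connection.zone is empty is not explicitly bound to a
# zone, so it follows whatever firewalld's default zone currently is.

tab=$(printf '\t')

# effective_zones DEFAULT_ZONE
#   stdin : "<connection><TAB><configured zone, may be empty>" per line
#   stdout: "<connection><TAB><effective zone><TAB>explicit|default"
effective_zones() {
    ez_default=$1
    while IFS=$tab read -r ez_conn ez_zone; do
        [ -n "$ez_conn" ] || continue
        if [ -n "$ez_zone" ]; then
            printf '%s\t%s\texplicit\n' "$ez_conn" "$ez_zone"
        else
            printf '%s\t%s\tdefault\n' "$ez_conn" "$ez_default"
        fi
    done
}

# in_zone ZONE: print the connections whose effective zone is ZONE.
in_zone() {
    awk -F '\t' -v z="$1" '$2 == z { print $1 }'
}

# Constructed sample records (not real hosts): one bound, two unbound.
sample() {
    printf 'home-wifi\thome\ncafe-wifi\t\nwired-1\t\n'
}

# collect_live: one record per saved connection, keyed by UUID so that
# connection names containing ':' or '\' need no unescaping.
collect_live() {
    nmcli -g UUID connection show | while IFS= read -r uuid; do
        zone=$(nmcli -g connection.zone connection show uuid "$uuid")
        printf '%s\t%s\n' "$uuid" "$zone"
    done
}

case "${1:-}" in
    --demo) sample | effective_zones public ;;
    --live) collect_live | effective_zones "$(firewall-cmd --get-default-zone)" ;;
esac
```

Every line marked "default" in the output moves when --set-default-zone is run; lines marked "explicit" stay in the zone they were bound to.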
