"Workstation" Product defaults to wide-open firewall

Bastien Nocera bnocera at redhat.com
Tue Dec 9 15:11:51 UTC 2014
----- Original Message -----
> On 12/09/2014 08:50 AM, Richard Hughes wrote:
> 
> On 9 December 2014 at 13:39, Michael Catanzaro <mcatanzaro at gnome.org> wrote:
> 
> So your challenge is to find an alternative default that
> supports it.
> I'd go even further. I don't think the people writing the vast number
> of lengthy posts on this thread actually want to *use* workstation,
> with the possible exception of Bastien who's having to defend
> something he shouldn't have to. Reindl probably should just use the
> server spin, or be prepared to actually configure his box to do what
> he wants to be 100% paranoid and unusable for anything less than a
> technical user. If you don't like what workstation has decided to do,
> use another target, or a different distro entirely (like CentOS). If
> you want to change how workstation is designed, join the working group
> and please actually talk to people there. I think it's misguided to
> think that hurling insults here is going to achieve change.
> 
> I think a lot of people also need to remember that workstation isn't
> built for them, and that's okay. If you know how to configure iptables
> then that's fine, but I'm happy to admit I don't, and normally just
> switch off the firewall entirely so I can get stuff done. F21 will be
> more secure for me, not less.
> 
> Ok, so what product/spin am I supposed to use? I'm a RHEL sysadmin but I use
> Fedora on my desktop & laptop. I expect the firewall to be on so when I
> evaluate a new piece of software or do a bit of network development I don't
> inadvertently increase my exposure. I also expect things to work with the
> minimum amount of fuss.
> 
> So it looks like my choices boil down to:
> * Use the workstation project and spend a bunch of time locking it down to
> what would be a reasonable default for the networks I use -- and hope I don't
> miss anything.

The defaults for the various products are "packaged" by zones. You just need
to change the firewalld zone to get whatever is the default on the server side.

Or better, use VMs to deploy test instances which would have the same set of packages
and configuration as a Fedora Server version.

> * Use the server product and manually configure all of the workstation stuff
> so I get a usable system
> 
> Neither of those choices seems reasonable to me, especially compared to the
> status quo: a fully configured workstation where I open new ports as I
> increase functionality.

Using a VM is probably a better idea than deploying test servers on a desktop machine.
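The zone point above is the practical one: firewalld ships each product default as a zone definition (an XML file under /usr/lib/firewalld/zones/, with local overrides in /etc/firewalld/zones/), and switching zones changes what the host exposes. Before switching, it is worth seeing exactly what the permissive zone opens beyond the stricter one. The script below is an added example, not code from this thread or from the firewalld project: it parses two zone documents in firewalld's zone file format and reports the services and port ranges one opens that the other does not. The two zone documents embedded in it are constructed samples written in that format for illustration, not copies of Fedora's real zone files; point `load_zone_file` at the actual files on your system to compare those instead.

```python
"""Compare what two firewalld zones expose, from their XML zone definitions.

firewalld stores each zone as XML under /usr/lib/firewalld/zones/ (vendor
defaults) and /etc/firewalld/zones/ (local overrides).  The two zone
documents below are CONSTRUCTED samples in that file format, not copies of
the real Fedora zone files.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a permissive desktop-style zone.
DESKTOP_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Desktop (constructed sample)</short>
  <description>Constructed sample zone, for illustration only.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>
"""

# Constructed sample: a stricter server-style zone.
SERVER_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Server (constructed sample)</short>
  <description>Constructed sample zone, for illustration only.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="cockpit"/>
</zone>
"""


def parse_zone(xml_text):
    """Return (services, ports) opened by a zone document.

    services: set of firewalld service names (<service name="..."/>)
    ports:    set of (protocol, port-or-range) tuples (<port .../>)
    """
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone document: root is <%s>" % root.tag)
    services = {el.get("name") for el in root.findall("service") if el.get("name")}
    ports = {(el.get("protocol"), el.get("port")) for el in root.findall("port")}
    return services, ports


def load_zone_file(path):
    """Parse a zone file from disk, e.g. /usr/lib/firewalld/zones/<zone>.xml."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_zone(fh.read())


def extra_exposure(zone_xml, baseline_xml):
    """Services and ports that zone_xml opens beyond baseline_xml, sorted."""
    z_services, z_ports = parse_zone(zone_xml)
    b_services, b_ports = parse_zone(baseline_xml)
    return sorted(z_services - b_services), sorted(z_ports - b_ports)


def port_range_width(port_spec):
    """Number of ports covered by a firewalld port attribute ('22' or '1025-65535')."""
    lo, _, hi = port_spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not (0 < lo <= hi <= 65535):
        raise ValueError("invalid port specification: %r" % port_spec)
    return hi - lo + 1


if __name__ == "__main__":
    services, ports = extra_exposure(DESKTOP_ZONE_XML, SERVER_ZONE_XML)
    print("services opened by the desktop zone but not the server zone:", services)
    for proto, spec in ports:
        print("%s %s (%d ports)" % (proto, spec, port_range_width(spec)))
```

To act on the result, the real firewall-cmd calls are `firewall-cmd --get-default-zone` and `firewall-cmd --list-all` to see the current zone and what it opens, `firewall-cmd --get-zones` to list the available zones, and `firewall-cmd --set-default-zone=<zone>` to switch (on Fedora the product zones are named FedoraWorkstation and FedoraServer). Switching the default zone keeps the rest of the desktop configuration intact, which is the point of the reply above.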

