"Workstation" Product defaults to wide-open firewall

Bastien Nocera bnocera at redhat.com
Tue Dec 9 15:19:51 UTC 2014



----- Original Message -----
> Hi,
> 
> > > I also thought that the whole point of having Zones etc, was so that
> > > we could pick a different zone per network connection,
> 
> /me too.
> 
> > > so if I'm in the office or at home I can say use this zone, if I'm
> > > at a coffee shop I can pick a different one etc.
> > > 
> > > Or was this considered too much UI for the normal user? Surely
> > > OSX has something to copy from, since they seem to define what
> > > a normal user expects.
> > 
> > OSX has a firewall integration that I would rank as "awful". It's not
> > any better than what we had in Fedora 20 (blocking firewall and a tool
> > to open up ports).
> 
> Have a look at Windows then.  Each time you hook a Windows machine to a
> new network it asks what network this is.  Used to be "public", "home",
> "work".  Recently they simplified that and kicked the "home" / "work"
> separation, so it's only public / non-public now.  With some explanation
> along the lines of "use public for hotspots, use home for your private
> network where you want share stuff".
> 
> Why can't we have something like this?  And if you don't want a popup
> asking, have something in the NetworkManager applet menu, where people
> can easily find the switch without having to search for it?  A "[x]
> allow sharing" checkbox?  A firewall zone selector?
> 
> Side Note: For the latter we need to cleanup the zones though.  There
>            are *way* too many to choose from, and the names suck big
>            time.  WTF is a "Fedora$product" zone?  And wasn't that
>            discussed before on this list?  Why do we *still* have this
>            mess?

This isn't a side note, IMO. It was one of the major reasons why we chose
not to expose users to the concept of zones. In addition to the names being
obscure in firewalld (there's a bug filed about that), they also are obscure
in Windows.

What configuration difference is there between home and work, and how do you
explain them without going deeper into technical details? Are there cases
where I want to share things in a work environment and not a home environment?

> IMO there is simply no way around asking the user.

Instead of asking the user, we're getting the user to tell us they want to share
things. This avoids unnecessary nagging.

>  Making sharing stuff
> easy (so you can watch your DLNA-exported photo/video collection on your
> smart TV) is a reasonable request.  But enabling that by allowing
> everybody to fetch your private photo collection via DLNA while you are
> surfing @ starbucks is a non-starter.

This isn't what was implemented. DLNA sharing will be turned off by default on
new networks. In fact, we won't allow any unencrypted services to run when
on unencrypted Wi-Fi.

> cheers,
>   Gerd
> 
> PS: Seems Windows can even identify different wired networks.  I've
>     switched my router recently, and windows re-asked what network
>     I'm on.  Probably they remember the mac address of the default
>     gateway or something like that.

This will be implemented as soon as NetworkManager makes it easier for us
to detect different wired connections. For now, all wired connections are considered
to be the same one, which could be a problem.

