"Workstation" Product defaults to wide-open firewall
dcbw at redhat.com
Tue Dec 9 18:07:46 UTC 2014
On Tue, 2014-12-09 at 10:19 -0500, Bastien Nocera wrote:
> ----- Original Message -----
> > Hi,
> > > > I also thought that the whole points of having Zones etc, was so that
> > > > we could pick a different zone per network connection,
> > /me too.
> > > > so if I'm in the office or at home I can say use this zone, if I'm
> > > > at a coffee shop I can pick a different one etc.
> > > >
> > > > Or was this consider too much UI for the normal user? Surely
> > > > OSX has something to copy from, since they seem to define what
> > > > a normal user expects.
> > >
> > > OSX has a firewall integration that I would rank as "awful". It's not
> > > any better than what we had in Fedora 20 (blocking firewall and a tool
> > > to open up ports).
> > Have a look at Windows then. Each time you hook a windows machine to a
> > new network it asks what network this is. Used to be "public", "home",
> > "work". Recently they simplified that and kicked the "home" / "work"
> > separation, so it's only public / non-public now. With some explanation
> > along the lines of "use public for hotspots, use home for your private
> > network where you want share stuff".
> > Why we can't have something like this? And if you don't want a popup
> > asking, have something in the NetworkManager applet menu, where people
> > can easily find the switch without having to search for it? A "[x]
> > allow sharing" checkbox? A firewall zone selector?
> > Side Note: For the latter we need to cleanup the zones though. There
> > are *way* to many to choose from, and the names suck big
> > time. WTF is a "Fedora$product" zone? And wasn't that
> > discussed before on this list? Why do we *still* have this
> > mess?
> This isn't a side note, IMO. It was one of the major reasons why we chose
> not to expose users to the concept of zones. In addition to the names being
> obscure in firewalld (there's a bug filed about that), they also are obscure
> in Windows.
> What configuration difference is there between home and work, and how do you
> explain them without going deeper into technical details? Are there cases
> where I want to share things in a work environment and not a home environment?
> > IMO there is simply no way around asking the user.
> Instead of asking the user, we're getting the user to tell us they want to share
> things. This avoids unnecessary nagging.
> > Make sharing stuff
> > easy (so you can watch your dnla-exported photo/video collection at your
> > smart tv) is a reasonable request. But enabling that by allowing
> > everybody fetch your private photo collection via dnla while you are
> > surfing @ starbucks is a non-starter.
> This isn't what was implemented. DLNA share will be turned off by default on
> new networks. In fact, we won't allow any unencrypted services to run when
> on unencrypted Wi-Fi.
> > cheers,
> > Gerd
> > PS: Seems windows can even identify different wired networks. I've
> > switched my router recently, and windows re-asked what network
> > I'm on. Probably they remember the mac address of the default
> > gateway or something like that.
> This will be implemented as soon as NetworkManager makes it easier for us
> to detect different wired connections. For now, all wired connections are considered
> to be the same one, which could be a problem.
Just a reminder that wired detection is always best-effort, unless the
switch is using 802.1x (which few do outside of highly secure
enterprises). It's trivial for somebody to spoof any mechanism for
wired network detection.
More information about the devel