"Workstation" Product defaults to wide-open firewall

Dan Williams dcbw at redhat.com
Tue Dec 9 18:07:46 UTC 2014


On Tue, 2014-12-09 at 10:19 -0500, Bastien Nocera wrote:
> 
> ----- Original Message -----
> > Hi,
> > 
> > > > I also thought that the whole point of having Zones etc, was so that
> > > > we could pick a different zone per network connection,
> > 
> > /me too.
> > 
> > > > so if I'm in the office or at home I can say use this zone, if I'm
> > > > at a coffee shop I can pick a different one etc.
> > > > 
> > > > Or was this considered too much UI for the normal user? Surely
> > > > OSX has something to copy from, since they seem to define what
> > > > a normal user expects.
> > > 
> > > OSX has a firewall integration that I would rank as "awful". It's not
> > > any better than what we had in Fedora 20 (blocking firewall and a tool
> > > to open up ports).
> > 
> > Have a look at Windows then.  Each time you hook a windows machine to a
> > new network it asks what network this is.  Used to be "public", "home",
> > "work".  Recently they simplified that and kicked the "home" / "work"
> > separation, so it's only public / non-public now.  With some explanation
> > along the lines of "use public for hotspots, use home for your private
> > network where you want share stuff".
> > 
> > Why can't we have something like this?  And if you don't want a popup
> > asking, have something in the NetworkManager applet menu, where people
> > can easily find the switch without having to search for it?  A "[x]
> > allow sharing" checkbox?  A firewall zone selector?
> > 
> > Side Note: For the latter we need to clean up the zones though.  There
> >            are *way* too many to choose from, and the names suck big
> >            time.  WTF is a "Fedora$product" zone?  And wasn't that
> >            discussed before on this list?  Why do we *still* have this
> >            mess?
> 
> This isn't a side note, IMO. It was one of the major reasons why we chose
> not to expose users to the concept of zones. In addition to the names being
> obscure in firewalld (there's a bug filed about that), they also are obscure
> in Windows.
> 
> What configuration difference is there between home and work, and how do you
> explain them without going deeper into technical details? Are there cases
> where I want to share things in a work environment and not a home environment?
> 
> > IMO there is simply no way around asking the user.
> 
> Instead of asking the user, we're getting the user to tell us they want to share
> things. This avoids unnecessary nagging.
> 
> >  Make sharing stuff
> > easy (so you can watch your DLNA-exported photo/video collection at your
> > smart tv) is a reasonable request.  But enabling that by allowing
> > everybody to fetch your private photo collection via DLNA while you are
> > surfing @ starbucks is a non-starter.
> 
> This isn't what was implemented. DLNA share will be turned off by default on
> new networks. In fact, we won't allow any unencrypted services to run when
> on unencrypted Wi-Fi.
> 
> > cheers,
> >   Gerd
> > 
> > PS: Seems windows can even identify different wired networks.  I've
> >     switched my router recently, and windows re-asked what network
> >     I'm on.  Probably they remember the mac address of the default
> >     gateway or something like that.
> 
> This will be implemented as soon as NetworkManager makes it easier for us
> to detect different wired connections. For now, all wired connections are considered
> to be the same one, which could be a problem.

Just a reminder that wired detection is always best-effort, unless the
switch is using 802.1x (which few do outside of highly secure
enterprises).  It's trivial for somebody to spoof any mechanism for
wired network detection.

Dan


