5tFTW: Fedora 21, 22, and 19, firewall discussion, and holiday break

Bastien Nocera bnocera at redhat.com
Thu Dec 18 10:07:10 UTC 2014


Hey Matt,

A few corrections for the portion about the workstation firewall.

----- Original Message -----
<snip>
> Fedora Workstation firewall discussion
> --------------------------------------
> 
> This week’s big devel-list thread concerned the default firewall
> settings in Fedora Workstation. The Fedora Workstation Working Group was
> not happy with the user experience offered by blocking incoming “high
> ports” by default. Out of the box, nothing is listening on these, but if
> one installs software that expects to,

"If one tries to use the already installed software"

> it won’t work, and because we
> don’t have a good way yet to tie *attempts* to access ports to listening
> applications and communicate that to the user, the resulting failure is
> invisible.

Even if we could do that in a secure way, that's not the way we'd want to
implement it.

> On the other hand, if you install something and it starts listening and
> you didn’t know that,

If you install something from Fedora and it does that, then it's a bug in the
application.

> that’s *also* invisible. So, pretty much everyone
> recognizes this as a not ideal situation. Everyone involved in the
> discussion also is concerned with enhancing user security in practice —
> the question is just how to best get there from an imperfect state.
> Originally, the Workstation WG asked to disable the firewall entirely.

That wasn't the Workstation WG, it was earlier, for the Desktop spin.

> FESCo asked instead that it be left available, possibly with a
> less-restrictive out-of-the-box configuration — the path taken for F21.
> 
> If you’re not running Workstation, this doesn’t affect you. If you are,
> and would like a different configuration, run the firewall configuration
> tool and either edit the Fedora Workstation zone or change the default
> zone. (There’s a long list of options, but “public” is a
> generally-restrictive choice.)
> 
> You can also change the per-network zone. Unfortunately, currently wired
> networks are all considered as one per interface, but wireless networks
> are distinguished individually. This can be done in a number of ways,
> but the easiest is to run the network configuration tool (in GNOME
> control center — press the overview key and start typing “network”),
> select the wifi network in question, press the little gear icon next to
> it, go down to Identity (?!), and choose the appropriate firewall zone.
> (Again, there’s a long list — go back to the firewall config tool to see
> exactly what they all do.)

Thank you for pointing out the main reason why the zones can't ever be
a user-facing concept ;)

> This is clearly not the most friendly approach; it’s my understanding
> that the desktop designers, network tools team, and security team are
> going to work together to develop a better overall solution for Fedora
> 22 and beyond.

This was supposed to be the "better overall solution" with the next steps
coming from application sandboxing.

> Overall, the mailing list thread stayed relatively positive and
> constructive and avoided personal attacks, although there were some
> accusations of bad faith actions which do not seem warranted based on
> the actual history.

That could translate as "It wasn't as bad as a systemd flamewar". That's
not a very high standard to set though.
