5tFTW: Fedora 21, 22, and 19, firewall discussion, and holiday break

Gerd Hoffmann kraxel at redhat.com
Thu Dec 18 11:31:15 UTC 2014


  Hi,

> > On the other hand, if you install something and it starts listening and
> > you didn’t know that,
> 
> If you install something from Fedora and it does that, then it's a bug in the
> application.

No.  It's you solving your problem with gnome-user-share and declaring
the fallout somebody else's problem so you can safely ignore it.

> > You can also change the per-network zone. Unfortunately currently wired
> > networks are all considered as one per interface, but wireless networks
> > are distinguished individually. This can be done in a number of ways,
> > but the easiest is to run the network configuration tool (in GNOME
> > control center — press the overview key and start typing “network”),
> > select the wifi network in question, press the little gear icon next to
> > it, go down to Identity (?!), and choose the appropriate firewall zone.
> > (Again, there’s a long list — go back to the firewall config tool to see
> > exactly what they all do.)
> 
> Thank you for pointing out the main reason why the zones can't ever be
> a user-facing concept ;)

The fact that the current GUI (and zone naming) sucks big time doesn't
imply that the underlying concept is unusable.  The big advantage of
using firewall zones is that it works outside the gnome universe too.

 (1) Pulling the qemu/kvm vnc server example again, which you decided to
     not respond to last time I mentioned it.  I want the guest's vnc
     display to be reachable in my home networks and not reachable in
     public networks.  Doing it with the firewall works.

 (2) Heck, even the gnome-user-share UI shows that.  Pick "Remote
     Login", notice that you can NOT select networks for sharing.

Yes, I know why you can't pick networks for ssh.  But this IMO clearly
shows that the "just don't listen on untrusted networks" as distro-wide
policy isn't going to fly.

cheers,
  Gerd
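The per-network zone setup argued for in point (1), as an added example that is not code from this thread: a POSIX shell script that opens the VNC display only in firewalld's "home" zone and pins a Wi-Fi connection profile to that zone with nmcli. It assumes firewalld and NetworkManager are running on the Fedora host, that the script runs as root, and a constructed profile name "HomeWifi".

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Goal: the qemu/kvm guest's VNC display is reachable on the home Wi-Fi but
# closed on every network that lands in the default "public" zone.
# Assumptions: firewalld + NetworkManager, run as root, Wi-Fi profile named
# "HomeWifi" (a constructed name). Set DRY_RUN=1 to print instead of execute.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Permit firewalld's predefined "vnc-server" service in the "home" zone only.
# Nothing is added to "public", so unknown networks stay closed.
allow_vnc_in_home() {
    run firewall-cmd --permanent --zone=home --add-service=vnc-server
    run firewall-cmd --reload
}

# Bind a NetworkManager connection profile to a firewalld zone. Wireless
# profiles are per-SSID, so the policy follows the network rather than the
# interface: the same wlan device is "home" at home and "public" elsewhere.
set_connection_zone() {
    conn="$1"
    zone="$2"
    run nmcli connection modify "$conn" connection.zone "$zone"
}

# Verify which zone each interface currently sits in.
show_active_zones() {
    run firewall-cmd --get-active-zones
}

main() {
    allow_vnc_in_home
    set_connection_zone "HomeWifi" home
    show_active_zones
}

# Usage: sh zones.sh apply   (or: DRY_RUN=1 sh zones.sh apply to preview)
case "${1:-}" in
    apply) main ;;
esac
```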
