5tFTW: Fedora 21, 22, and 19, firewall discussion, and holiday break

Bastien Nocera bnocera at redhat.com
Thu Dec 18 15:43:15 UTC 2014

----- Original Message -----
> Hi,
> > > On the other hand, if you install something and it starts listening and
> > > you didn’t know that,
> > 
> > If you install something from Fedora and it does that, then it's a bug in
> > the application.
> No.  It's you solving your problem with gnome-user-share and declaring
> the fallout somebody else's problem so you can safely ignore it.

It's in the packaging guidelines that server applications shouldn't auto-start.
It's not like I'm making this up...

> > > You can also change the per-network zone. Unfortunately currently wired
> > > networks are all considered as one per interface, but wireless networks
> > > are distinguished individually. This can be done in a number of ways,
> > > but the easiest is to run the network configuration tool (in GNOME
> > > control center — press the overview key and start typing “network”),
> > > select the wifi network in question, press the little gear icon next to
> > > it, go down to Identity (?!), and choose the appropriate firewall zone.
> > > (Again, there’s a long list — go back to the firewall config tool to see
> > > exactly what they all do.)
> > 
> > Thank you for pointing out the main reason why the zones can't ever be
> > a user-facing concept ;)
> The fact that the current GUI (and zone naming) sucks big time doesn't
> imply that the underlying concept is unusable.  The big advantage of
> using firewall zones is that it works outside the gnome universe too.
>  (1) Pulling the qemu/kvm vnc server example again, which you decided to
>      not respond to last time I mentioned it.

I'm so sorry for missing one line in the 200+ emails from the thread. The firewall
is still there. You can still use it. Which is better than what happens in F20 and
before:
1a) developers disable the firewall because they have better things to do
1b) they switch distributions (when possible) because they have better things to do
2) they can't apply firewall rules to the VMs because the firewall is disabled

>      I want the guest's vnc display to be reachable in my home networks and
>      not reachable in public networks.  Doing it with the firewall works.

You found a use for the firewall that's still running.

>  (2) Heck, even the gnome-user-share UI shows that.  Pick "Remote
>      Login", notice that you can NOT select networks for sharing.

This isn't gnome-user-share. It's the sharing panel in the control-center. And it's
not there because I wasn't sure whether changing the status quo for this was
1) necessary 2) how to implement it without breaking the setup for administrators if
the user can choose to enable/disable the SSH server themselves.

I don't see how keeping the status quo for one (system-wide) service necessarily
invalidates the design decisions done for all the other (user-wide) services.

> Yes, I know why you can't pick networks for ssh.  But this IMO clearly
> shows that the "just don't listen on untrusted networks" as distro-wide
> policy isn't going to fly.

I'll implement that if it's all it takes for you to admit that, yes, it's actually
going to fly.
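The quoted discussion describes pinning individual networks to firewalld zones through the GNOME control center. The script below is an added example, not code from the thread or from any Fedora project, that does the same audit from the command line: it lists every saved NetworkManager connection with its assigned zone, flags the ones that have no zone (those fall into firewalld's default zone), and prints the `nmcli` command that pins a connection to a zone. It assumes NetworkManager's `nmcli` and firewalld's `firewall-cmd` are installed; the connection names and the `KNOWN_ZONES` list are constructed for illustration and should be checked against `firewall-cmd --get-zones` on a real system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Audits which firewalld zone each
# NetworkManager connection is pinned to, and builds the nmcli command that pins one.
# Assumes nmcli and firewall-cmd; sample names and the zone list are constructed.

# Stock firewalld zone names (constructed list; verify with `firewall-cmd --get-zones`)
KNOWN_ZONES="drop block public external dmz work home internal trusted"

# Constructed sample in the NAME:TYPE:ZONE shape that collect_zones produces.
# The two connections with an empty ZONE field are the ones worth noticing.
SAMPLE='Home Wifi:802-11-wireless:home
Cafe Wifi:802-11-wireless:
Wired connection 1:802-3-ethernet:'

# Query nmcli for every saved connection and emit NAME:TYPE:ZONE lines.
# (Real system only; connection names containing ':' are not handled here.)
collect_zones() {
  nmcli -t -f NAME,TYPE connection show | while IFS=: read -r name type; do
    zone=$(nmcli -g connection.zone connection show "$name")
    printf '%s:%s:%s\n' "$name" "$type" "$zone"
  done
}

# Read NAME:TYPE:ZONE lines on stdin; $1 is the default zone name used for
# connections that have no explicit zone, so the report shows what they really get.
audit_zones() {
  while IFS=: read -r name type zone; do
    [ -z "$name" ] && continue
    case "$zone" in
      "") echo "$name ($type): no zone set, uses default zone ($1)" ;;
      *)  echo "$name ($type): zone $zone" ;;
    esac
  done
}

# Count the connections in $1 (NAME:TYPE:ZONE text) that have no explicit zone.
count_unzoned() {
  printf '%s\n' "$1" | awk -F: 'NF && $3 == "" { n++ } END { print n+0 }'
}

# Print the nmcli command that pins connection $1 to zone $2, rejecting zone
# names that are not in KNOWN_ZONES so a typo does not silently create a new zone.
pin_zone_cmd() {
  case " $KNOWN_ZONES " in
    *" $2 "*) printf "nmcli connection modify '%s' connection.zone %s\n" "$1" "$2" ;;
    *) echo "unknown zone: $2" >&2; return 1 ;;
  esac
}

main() {
  if command -v nmcli >/dev/null 2>&1 && command -v firewall-cmd >/dev/null 2>&1; then
    default=$(firewall-cmd --get-default-zone)
    collect_zones | audit_zones "$default"
  else
    echo "nmcli/firewall-cmd not found; auditing the constructed sample" >&2
    printf '%s\n' "$SAMPLE" | audit_zones public
  fi
  echo "to pin a connection, run e.g.: $(pin_zone_cmd 'Cafe Wifi' public)"
}

main "$@"
```

The report only tells you which zone each connection lands in; what that zone permits is still a question for `firewall-cmd --zone=<name> --list-all`, which is the "go back to the firewall config tool" step from the quoted instructions.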

More information about the devel mailing list