On 04/16/2014 02:18 AM, Chuck Anderson wrote:
On Tue, Apr 15, 2014 at 07:28:35PM -0400, Simo Sorce wrote:
On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote:

You have connected to a new network. If this is a public network, you
may want to stop sharing your Music and disable Remote Logins.
[Turn off sharing] [Continue sharing] [Sharing Preferences...]

So if you have 4 different services you get flooded with a ton of
questions?

Sounds like a bad idea.

And we will remember this for when you later reconnect to the same
network.

If you set a *zone* instead then you have to remember only one
association: network -> zone, and you know where to go to change that,
and to change in which zones an application is allowed to listen,
instead of having tens of one offs.

When we have this infrastructure, we can use this information to also
set the network zone to Home/Public - I don't think the long list of
zones I showed above makes any sense. Either you are at home and
comfortable sharing the network, or not.

A long list does not make sense by default, ideally the default is that
you have only 2 zones: trusted/untrusted (you can choose whatever
names), if the user wants more flexibility then they would create new
zones (like home, work, cafe, library, etc.) perhaps by cloning
existing ones and then tweak the list of applications allowed to serve
content in those zones.
It would be better if the association were per-application rather than
nameless ports.

Additionally, some "zones" should be bound to a certain network scope.
Today you could say "Home" or "Trusted" for your RFC1918-behind-NAT
network at home, but tomorrow your ISP could enable IPv6 and all of a
sudden your system connected to that subnet is exposed to the whole
world... So you really need some concept of scope to attach to the
zone so you can only allow connections from within that scope.  The
hard part is how to define that scope.  I believe Windows defaults to
"local subnet" when you choose Home.

For this we need a better integration into NetworkManager. Additionally we can not make this work easily with network services. firewalld does not take care of the network configuration.

I agree, it would be good to have support for this.
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
