Re: F21 System Wide Change: Workstation: Disable firewall
On 23.04.2014 07:52, Liam wrote:
On Apr 22, 2014 5:09 AM, Christian Schaller wrote:

I think this is a misunderstanding of who a developer might be and why they choose a system. Those of my friends and acquaintances, who are developers and who over the years have decided to switch their development laptops from Linux to predominantly MacOS X, have not done so because they had things they wanted to do that were 'impossible' to do with Linux or that they thought they could not figure out how to do with Linux. Instead they moved because they got tired of spending time trying to make their system 'work'. This is in no way limited to dealing with the challenges of a firewall, but if we want to attract developers or any kind of user to our system we need to make it usable without needing daily google searches to figure out how you can do something and make parts of your system work.

the daily google searches are much more because interfaces are permanently replaced - be it GUI's or CLI interfaces and configurations get invalid due all that replacements - *there* is the problem - what you know today maybe in 3 years as invalid as what you learned 5 years ago about a Fedora system and whatever you find with Google is questionable and likely outdated

smart replacements would keep interfaces as they are and only replace the code behind and add some options but not break the semantic

The fact of the matter is that there's really no compelling reason for the average web developer, for instance, to move to Linux. Osx is already more powerful than any linux

stop that i face every single day the opposite because on the other side of my desk is a OSX machine, terrible slow with the same CPU and a unacceptable usability compared with a recent KDE because you can't do this and that

the usability part may be subjectively, the terrible slow is not given both of our machines have the same CPU

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/22/2014 09:17 PM, Russell Doty wrote:
On Tue, 2014-04-22 at 15:04 -0400, Simo Sorce wrote:
On Tue, 2014-04-22 at 14:41 -0400, Russell Doty wrote:
On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote:
On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote:
On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote:
2014-04-22 13:40 GMT+02:00 Stephen Gallagher sgall...@redhat.com:

3) Recovery and auditing are more important than prevention.

This is only true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (with the high number of systems and administrators). For individual users auditing is completely pointless, recovery is either impossible or a huge hassle, and prevention the only option.

Well, the presentation was focused on enterprise systems... But there were some underlying themes:

* Users will work around anything, including security features, that interfere with them doing their job.
* It is impossible to completely secure a system. A prevention only approach doesn't work well.
* An effective security model is built around Deter, Detect, Delay, Respond, Remediate.
* Security is one of multiple threats to system integrity.

All very true, but you do not remove the Deterrent, just because you have the other 4 layers (which we do *not* have very much in Fedora when it is used as a simple workstation).

Absolutely true - the foundation of the stack is Deter. The point is that we can't harden a system enough for Deter alone to be fully effective, so we need to have the complete security model.

And you are right. We have a real opportunity to look at an overall people centric approach to security in Fedora. Look at the traditional threat models, look at the people issues, and look at an overall approach to maintaining system integrity. I'd like to see us exploring system integrity in greater depth.

This is why people say we need to improve the Firewall experience not raise white flag and disable it.

Agree. Unfortunately, the easy way out is to punch so many holes in the default firewall that it doesn't offer much protection...

not really true, having the default one allow access only from the local lan at most is a huge improvement rather than no firewall. All you need is a button that lets you select between 3 zones when you join a new network and you have a much better system already, nothing fancy, and the 3 zones correspond to the concepts of:

* open to everyone (effectively disables any protection)
* open to the local lan only (what you would select at home/work/trusted network)
* closed (what you would select in a public place on an untrusted network)

This sounds a lot like the Network Manager model. Could this basic firewall configuration be integrated with the Network Manager interface? So that a user sets their security profile one place, and all related system settings and configurations are updated?

Please have a look at edit connection in the NetworkManager applet. There have been plans to query for the zone that should be used for a connection before activating this connection for the first time. There are even sketches for this. But as I said before, this has been rejected by the desktop team. Because of this I created firewall-applet, which provides a simple UI to switch zones for connections with NetworkManager and for interface and source bindings.

It is quite simple to describe even to a non expert user what these means in general terms. Of course it won't be perfect, but much better than nothing, and much, much friendlier than what we have now.

A combination of this and having all commonly used applications configure the firewall when installed/uninstalled looks like a good start, especially from a usability perspective.

Simo.

-- Simo Sorce * Red Hat, Inc * New York

Thomas
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, 2014-04-23 at 11:37 +0200, Thomas Woerner wrote:

There have been plans to query for the zone that should be used for a connection before activating this connection for the first time. There are even sketches for this. But as I said before, this has been rejected by the desktop team.

There's a proposal to do just this at the bottom of the first post in https://bugzilla.gnome.org/show_bug.cgi?id=727580

Because of this I created firewall-applet, which provides a simple UI to switch zones for connections with NetworkManager and for interface and source bindings.

I noticed this when I installed firewalld on Arch, which does not place it in a separate subpackage like Fedora does (Arch prefers vanilla packaging). It's so out of place in GNOME that it makes firewalld really undesirable on Arch. I wonder if it should live in a separate repository? It just doesn't seem like the sort of thing most firewalld users would want by default.
Re: F21 System Wide Change: Workstation: Disable firewall
On Apr 23, 2014 4:29 AM, Reindl Harald h.rei...@thelounge.net wrote:
On 23.04.2014 07:52, Liam wrote:
On Apr 22, 2014 5:09 AM, Christian Schaller wrote:

I think this is a misunderstanding of who a developer might be and why they choose a system. Those of my friends and acquaintances, who are developers and who over the years have decided to switch their development laptops from Linux to predominantly MacOS X, have not done so because they had things they wanted to do that were 'impossible' to do with Linux or that they thought they could not figure out how to do with Linux. Instead they moved because they got tired of spending time trying to make their system 'work'. This is in no way limited to dealing with the challenges of a firewall, but if we want to attract developers or any kind of user to our system we need to make it usable without needing daily google searches to figure out how you can do something and make parts of your system work.

the daily google searches are much more because interfaces are permanently replaced - be it GUI's or CLI interfaces and configurations get invalid due all that replacements - *there* is the problem - what you know today maybe in 3 years as invalid as what you learned 5 years ago about a Fedora system and whatever you find with Google is questionable and likely outdated

smart replacements would keep interfaces as they are and only replace the code behind and add some options but not break the semantic

The fact of the matter is that there's really no compelling reason for the average web developer, for instance, to move to Linux. Osx is already more powerful than any linux

stop that i face every single day the opposite because on the other side of my desk is a OSX machine, terrible slow with the same CPU and a unacceptable usability compared with a recent KDE because you can't do this and that

the usability part may be subjectively, the terrible slow is not given both of our machines have the same CPU

UmmOK I'm speaking about what I see in general and not osx's efficiency but how it is used. Osx provides nice Unix underpinnings, tremendous battery life, hugely vibrant developer ecosystem, and can run many Linux programs. IMHO, the only possible path to those users is to provide a system that helps them do their work more easily. Exactly what that entails I don't know and, without some very targeted questioning, I don't think it likely we'll happen upon the answer. Simply developing the facade of osx, without the sophistication hidden beneath, is a sure way to turn off potential switchers because, currently, we can't offer a comparable experience.
Re: F21 System Wide Change: Workstation: Disable firewall
- Original Message -
From: Liam l...@fightingcrane.com
To: Development discussions related to Fedora devel@lists.fedoraproject.org
Sent: Monday, April 21, 2014 10:10:13 PM
Subject: Re: F21 System Wide Change: Workstation: Disable firewall

On Apr 21, 2014 4:32 AM, drago01 drag...@gmail.com wrote:
On Mon, Apr 21, 2014 at 3:49 AM, Liam l...@fightingcrane.com wrote:
Sent from mYphone
On Apr 20, 2014 7:02 PM, drago01 drag...@gmail.com wrote:
On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald h.rei...@thelounge.net wrote:

There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules.

which make sense

Oh finally you seem to understand what this is all about (a few mails ago this was supposed to be strongly prohibited ...) Now please google for Psychological Acceptability and Security you will find tons of scientific papers (read them) explaining about why it is wrong to silently break stuff or ask yes / no question or arguing with this is not a blackbox the user should learn nonsense. There is difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it, while for the former it does not matter that much as you said because they ought to know what to do or where to get that information from.

The latter isn't the target for Workstation, I don't believe.

Not the *primary* target but still one see the Other users section in the PRD.

--

That's fine, but that's not who we need to be optimizing the experience for. We need to be focusing on our primary target. After that others can be considered. A developer can handle this if it is presented well, but we shouldn't let secondary users harm, at all, the experience of the primary user. If we do, then this reorganization isn't working, IMHO.

I think this is a misunderstanding of who a developer might be and why they choose a system. Those of my friends and acquaintances, who are developers and who over the years have decided to switch their development laptops from Linux to predominantly MacOS X, have not done so because they had things they wanted to do that were 'impossible' to do with Linux or that they thought they could not figure out how to do with Linux. Instead they moved because they got tired of spending time trying to make their system 'work'. This is in no way limited to dealing with the challenges of a firewall, but if we want to attract developers or any kind of user to our system we need to make it usable without needing daily google searches to figure out how you can do something and make parts of your system work.

As a sidenote, there have been a lot of discussions on this and other Fedora lists over the last few months where people have loudly come out against what they see as infringements on the Freedom part of the four F's. Having seen this thread I am disappointed to see that nobody has come out in defense of the Friends part of the four F's, because the language and tone used by some people on this thread has been beyond the pale, accusing the other participants in the thread of stupidity, incompetence and general maliciousness. If this doesn't change maybe the time has come for a board ticket to change that F from Friends to Flames?

Christian
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/21/2014 12:22 AM, drago01 wrote:
On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald h.rei...@thelounge.net wrote:

* there are network services enabled by default

Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs.

* avahi is one of them

You keep listing this as an example but avahi is not only installed and enabled by default but also allowed configured to work in the default firewall setup since F18 [1] ... So the current default firewall won't protect you against avahi flaws.

This has been added only because of a FESCo decision: https://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop

* you nor i can say for sure avahi never ever get a critical security update

See above.

* you nor i can be sure that there is not another network-service is running
* even if it is not running by intention it may be running by mistake as default
* so after you installed a new system avahi is running and the firewall down

See above.

* how do you genius install the updates without a network and to *not* have to consider what is safe and what you have to stop after a fresh install before you can plug your machine to the network for install security relevant updates a firewall has to be enabled by default

Again you

1) assume that we enable random services by default and the firewall is the only thing that protects freshly installed systems
2) that given the user options that do not work and force him to learn about computer networks to do basic tasks is how things should work

both are false. Sure disabling the firewall is not the only way to solve 2) but the silently make things not work i.e the status quo or ask a user questions that he does not understand are no solutions. There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules.

honestly it's good that you are out of this discussion because you seem to not have you clue about security nor understand the implications of who knows what he is doing and why the one who don't need sane defaults

No the reason is simply that talking to you is very annoying .. you resort to baseless attacks (like this one) and strawmans.

1: http://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, Apr 22, 2014 at 11:23 AM, Thomas Woerner twoer...@redhat.com wrote:
On 04/21/2014 12:22 AM, drago01 wrote:
On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald h.rei...@thelounge.net wrote:

* there are network services enabled by default

Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs.

* avahi is one of them

You keep listing this as an example but avahi is not only installed and enabled by default but also allowed configured to work in the default firewall setup since F18 [1] ... So the current default firewall won't protect you against avahi flaws.

This has been added only because of a FESCo decision:

I know and I didn't claim otherwise (I even cited the same link in my mail) ...
Re: F21 System Wide Change: Workstation: Disable firewall
- Original Message -
From: Thomas Woerner twoer...@redhat.com
To: devel@lists.fedoraproject.org
Sent: Tuesday, April 22, 2014 11:23:46 AM
Subject: Re: F21 System Wide Change: Workstation: Disable firewall

On 04/21/2014 12:22 AM, drago01 wrote:
On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald h.rei...@thelounge.net wrote:

* there are network services enabled by default

Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs.

* avahi is one of them

You keep listing this as an example but avahi is not only installed and enabled by default but also allowed configured to work in the default firewall setup since F18 [1] ... So the current default firewall won't protect you against avahi flaws.

This has been added only because of a FESCo decision: https://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop

Thank you for digging that ticket up Thomas. I think that ticket mentions something maybe a bit overlooked in this thread so far, Real world security. I recommend everyone following this thread to watch this video of a talk by Russ Doty from Red Hat at this year's DevConf in Brno. His talk is about real world security, especially in the context of enterprise computing, but the issues he articulates form the underlying challenges of this thread too. I think if everyone here sees this talk we could hopefully move this thread into a more constructive format.

Christian
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/22/2014 05:43 AM, Christian Schaller wrote:

- Original Message -
From: Thomas Woerner twoer...@redhat.com
To: devel@lists.fedoraproject.org
Sent: Tuesday, April 22, 2014 11:23:46 AM
Subject: Re: F21 System Wide Change: Workstation: Disable firewall

On 04/21/2014 12:22 AM, drago01 wrote:
On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald h.rei...@thelounge.net wrote:

* there are network services enabled by default

Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs.

* avahi is one of them

You keep listing this as an example but avahi is not only installed and enabled by default but also allowed configured to work in the default firewall setup since F18 [1] ... So the current default firewall won't protect you against avahi flaws.

This has been added only because of a FESCo decision: https://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop

Thank you for digging that ticket up Thomas. I think that ticket mentions something maybe a bit overlooked in this thread so far, Real world security. I recommend everyone following this thread to watch this video of a talk by Russ Doty from Red Hat at this year's DevConf in Brno. His talk is about real world security, especially in the context of enterprise computing, but the issues he articulates form the underlying challenges of this thread too. I think if everyone here sees this talk we could hopefully move this thread into a more constructive format.

Since you missed the link: https://www.youtube.com/watch?v=jYGgVUYjXQ8

I too recommend that everyone gives it a look. It is very insightful and helpful in understanding what people really do once this gets out the door.

Major points:

1) People turn off security features that they can't easily figure out how to tune.
2) Hackers are a significantly smaller security threat than managers (I need it to work now, we can secure it later!)
3) Recovery and auditing are more important than prevention.

Those are some of the basics, but it *really* is worth taking the 40 minutes to watch the whole thing.
Re: F21 System Wide Change: Workstation: Disable firewall
- Original Message -
From: Stephen Gallagher sgall...@redhat.com
To: devel@lists.fedoraproject.org
Sent: Tuesday, April 22, 2014 1:40:05 PM
Subject: Re: F21 System Wide Change: Workstation: Disable firewall

On 04/22/2014 05:43 AM, Christian Schaller wrote:

- Original Message -
From: Thomas Woerner twoer...@redhat.com
To: devel@lists.fedoraproject.org
Sent: Tuesday, April 22, 2014 11:23:46 AM
Subject: Re: F21 System Wide Change: Workstation: Disable firewall

On 04/21/2014 12:22 AM, drago01 wrote:
On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald h.rei...@thelounge.net wrote:

* there are network services enabled by default

Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs.

* avahi is one of them

You keep listing this as an example but avahi is not only installed and enabled by default but also allowed configured to work in the default firewall setup since F18 [1] ... So the current default firewall won't protect you against avahi flaws.

This has been added only because of a FESCo decision: https://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop

Thank you for digging that ticket up Thomas. I think that ticket mentions something maybe a bit overlooked in this thread so far, Real world security. I recommend everyone following this thread to watch this video of a talk by Russ Doty from Red Hat at this year's DevConf in Brno. His talk is about real world security, especially in the context of enterprise computing, but the issues he articulates form the underlying challenges of this thread too. I think if everyone here sees this talk we could hopefully move this thread into a more constructive format.

Since you missed the link: https://www.youtube.com/watch?v=jYGgVUYjXQ8

oops, thanks for that, I had the link ready to be pasted, but forgot to actually paste it :)

Christian
Re: F21 System Wide Change: Workstation: Disable firewall
On Apr 22, 2014 3:05 AM, Christian Schaller cscha...@redhat.com wrote:

...

As a sidenote, there have been a lot of discussions on this and other Fedora lists over the last few months where people have loudly come out against what they see as infringements on the Freedom part of the four F's. Having seen this thread I am disappointed to see that nobody has come out in defense of the Friends part of the four F's, because the language and tone used by some people on this thread has been beyond the pale, accusing the other participants in the thread of stupidity, incompetence and general maliciousness. If this doesn't change maybe the time has come for a board ticket to change that F from Friends to Flames?

Christian

A good point. There's a relative scarcity of discussion on the 'Friends' foundation. In one sense, a relationship moves from acquaintance to friendship when familiarity crosses a threshold. You expect an acquaintance to follow social niceties, but you trust a friend to be honest even at the expense of politeness. Of course we still need a code of conduct, and occasional friendly reminders to cool down and take a walk for a while, but friends should mostly be able to look past choice of language to evaluate message and good intentions. Equating disagreement with antipathy is more detrimental than vitriolic disagreement.

We need the 'Friends' foundation to remind us that even in the hottest of flamewars, everyone has good intentions. Sometimes strong language is just a device for making a point. Even the wildest of idiom isn't inherently intended to convey personal disrespect. We need a reminder, especially with contentious issues, not to ignore valid points because they were delivered poorly and not to overvalue perspectives that were shared more politely.

--Pete
Friends foundation [was Re: F21 System Wide Change: Workstation: Disable firewall]
On Tue, Apr 22, 2014 at 05:05:24AM -0400, Christian Schaller wrote:

As a sidenote, there have been a lot of discussions on this and other Fedora lists over the last few months where people have loudly come out against what they see as infringements on the Freedom part of the four F's. Having seen this thread I am disappointed to see that nobody has come out in defense of the Friends part of the four F's, because the language and tone used by some people on this thread has been beyond the pale, accusing the other participants in the thread of stupidity, incompetence and general maliciousness. If this doesn't change maybe the time has come for a board ticket to change that F from Friends to Flames?

Funny -- I just posted something in defense of Friends a minute before I read this. Yes, this definitely needs more emphasis from everyone, please.

That includes taking the be excellent to each other communication guideline seriously, and everyone recognizing that the end goals are the same even if we disagree about how to get there -- people emphasizing freedom *also* want the system to be welcoming and easy to use, and people emphasizing features *also* want free software to win over closed source.

As Josh has said a number of times recently, the internet is horrible for actually communicating. Refraining from actively nasty language is obviously the baseline, but also, take time to think about where the person you're talking to is really coming from, and where we can find common ground.

--
Matthew Miller -- Fedora Project -- mat...@fedoraproject.org
Tepid change for the somewhat better!
Re: F21 System Wide Change: Workstation: Disable firewall
2014-04-20 22:56 GMT+02:00 Reindl Harald h.rei...@thelounge.net:

than just install one of the already available by default unsecure operating systems instead damage Linux and bring it in the same bad shape

Note that there *aren't* any major available by default unsecure operating systems nowadays: Windows has the capability of sharing to everyone via DLNA, but also the concept of home/work/public networks and uses it fairly aggressively to restrict sharing. OS X doesn't have zones, but sharing services require authentication[1] (which is not *as* resilient as not having the connection open, but much better than allowing possibly anonymous DAAP).

Mirek

[1] Well, in addition to iTunes home sharing which is authenticated there is also an older, possibly unauthenticated, streaming mechanism. But that's a legacy thing that's more difficult to find and set up than iTunes home sharing.
Re: F21 System Wide Change: Workstation: Disable firewall
2014-04-20 23:20 GMT+02:00 Lars Seipel lars.sei...@gmail.com:
On Thu, Apr 17, 2014 at 11:44:58PM +0200, Miloslav Trmač wrote:

We don't, actually. *Only* applications running in a session of a member of the wheel group would have that right, and those applications are pretty much root-equivalent anyway. (Many GNOME users probably use such a setup, but it's not at all the only one possible.)

Ugh. This is implemented in PolicyKit? Where was this change discussed/announced and when did it happen? Reinterpreting wheel group membership to give user accounts mighty powers without requiring re-authentication is a pretty major change and probably unexpected for most users.

I'm sorry, I was imprecise; it typically does require re-authentication with users' own password, but in X11 that password is available to any malicious program running in the session (e.g. by painting a fake screen lock), so I tend to discount it.

Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
2014-04-22 13:40 GMT+02:00 Stephen Gallagher sgall...@redhat.com:

3) Recovery and auditing are more important than prevention.

This is *only* true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (with the high number of systems and administrators). For individual users auditing is completely pointless, recovery is either impossible or a huge hassle, and prevention the only option.

Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
On 22.04.2014 19:01, Miloslav Trmač wrote:
2014-04-22 13:40 GMT+02:00 Stephen Gallagher sgall...@redhat.com:

3) Recovery and auditing are more important than prevention.

This is /only/ true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (with the high number of systems and administrators). For individual users auditing is completely pointless, recovery is either impossible or a huge hassle, and prevention the only option.

and with *every* recovery you lose unconditional data

you can't have perfect backups in real time not containing the issue too

sorry, but after working 11 years without a need to recover i say recovery is nice and should be possible, but if you need it regularly you are doing something wrong
Re: F21 System Wide Change: Workstation: Disable firewall
On 22 April 2014 05:40, Stephen Gallagher sgall...@redhat.com wrote:
> Since you missed the link: https://www.youtube.com/watch?v=jYGgVUYjXQ8
>
> I too recommend that everyone gives it a look. It is very insightful and helpful in understanding what people really do once this gets out the door.
>
> Major points:
> 1) People turn off security features that they can't easily figure out how to tune.
> 2) Hackers are a significantly smaller security threat than managers (I need it to work now, we can secure it later!)
> 3) Recovery and auditing are more important than prevention.
>
> Those are some of the basics, but it *really* is worth taking the 40 minutes to watch the whole thing.

Uhm that is basic short-term outlook versus long-term outlook and seems to miss the cost it takes to deal with security before, during and after the effect. While the customer can take the point of view that they will turn off stuff because it gets in their way, we as the development side do not have that luxury. The cost of trying to get security into software or an OS is much much higher if we have to deal with it after the fact. This was a lesson that every OS company had to learn the hard way in the 1990's and early 2000's.

The Unix companies had to deal with this in the 1990's when it became clear that the security threat landscape was different on a network than it was on a phone line. Just getting firewalls into the OS was a giant challenge and cost the companies a lot in support issues because it wasn't designed or tested with what they had. Microsoft went through multiple quarters of lost revenue and stock drops because they had to get a working firewall and other security measures that weren't really tested in the first place. Apple got away with it by buying an OS (NEXT) which had already gone through the 1990's firewall security and other challenges. They had stuff which was already designed in.

To use an example he uses in the lecture... we are building the OS immune system. We can eat dirt during development and make it stronger or we can deal with it later when there is a threat we didn't know about and the OS immune system is screwed later. Saying oh they can turn it on misses the fact that we never thought of how it would affect application Y which we made crucial.

--
Stephen J Smoogen.
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote:
> 2014-04-22 13:40 GMT+02:00 Stephen Gallagher sgall...@redhat.com:
>> 3) Recovery and auditing are more important than prevention.
>
> This is only true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (with the high number of systems and administrators). For individual users auditing is completely pointless, recovery is either impossible or a huge hassle, and prevention the only option.

Well, the presentation was focused on enterprise systems... But there were some underlying themes:

* Users will work around anything, including security features, that interferes with them doing their job.
* It is impossible to completely secure a system. A prevention only approach doesn't work well.
* An effective security model is built around Deter, Detect, Delay, Respond, Remediate.
* Security is one of multiple threats to system integrity.

Russ

> Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote:
> On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote:
>> 2014-04-22 13:40 GMT+02:00 Stephen Gallagher sgall...@redhat.com:
>>> 3) Recovery and auditing are more important than prevention.
>>
>> This is only true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (with the high number of systems and administrators). For individual users auditing is completely pointless, recovery is either impossible or a huge hassle, and prevention the only option.
>
> Well, the presentation was focused on enterprise systems... But there were some underlying themes:
>
> * Users will work around anything, including security features, that interferes with them doing their job.
> * It is impossible to completely secure a system. A prevention only approach doesn't work well.
> * An effective security model is built around Deter, Detect, Delay, Respond, Remediate.
> * Security is one of multiple threats to system integrity.

All very true, but you do not remove the Deterrent, just because you have the other 4 layers (which we do *not* have very much in Fedora when it is used as a simple workstation).

This is why people say we need to improve the Firewall experience not raise white flag and disable it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote:
> On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote:
>> On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote:
>>> 2014-04-22 13:40 GMT+02:00 Stephen Gallagher sgall...@redhat.com:
>>>> 3) Recovery and auditing are more important than prevention.
>>>
>>> This is only true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (with the high number of systems and administrators). For individual users auditing is completely pointless, recovery is either impossible or a huge hassle, and prevention the only option.
>>
>> Well, the presentation was focused on enterprise systems... But there were some underlying themes:
>>
>> * Users will work around anything, including security features, that interferes with them doing their job.
>> * It is impossible to completely secure a system. A prevention only approach doesn't work well.
>> * An effective security model is built around Deter, Detect, Delay, Respond, Remediate.
>> * Security is one of multiple threats to system integrity.
>
> All very true, but you do not remove the Deterrent, just because you have the other 4 layers (which we do *not* have very much in Fedora when it is used as a simple workstation).

Absolutely true - the foundation of the stack is Deter. The point is that we can't harden a system enough for Deter alone to be fully effective, so we need to have the complete security model.

And you are right. We have a real opportunity to look at an overall people centric approach to security in Fedora. Look at the traditional threat models, look at the people issues, and look at an overall approach to maintaining system integrity. I'd like to see us exploring system integrity in greater depth.

> This is why people say we need to improve the Firewall experience not raise white flag and disable it.

Agree. Unfortunately, the easy way out is to punch so many holes in the default firewall that it doesn't offer much protection...

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, 2014-04-22 at 14:41 -0400, Russell Doty wrote:
> On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote:
>> On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote:
>>> On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote:
>>>> 2014-04-22 13:40 GMT+02:00 Stephen Gallagher sgall...@redhat.com:
>>>>> 3) Recovery and auditing are more important than prevention.
>>>>
>>>> This is only true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (with the high number of systems and administrators). For individual users auditing is completely pointless, recovery is either impossible or a huge hassle, and prevention the only option.
>>>
>>> Well, the presentation was focused on enterprise systems... But there were some underlying themes:
>>>
>>> * Users will work around anything, including security features, that interferes with them doing their job.
>>> * It is impossible to completely secure a system. A prevention only approach doesn't work well.
>>> * An effective security model is built around Deter, Detect, Delay, Respond, Remediate.
>>> * Security is one of multiple threats to system integrity.
>>
>> All very true, but you do not remove the Deterrent, just because you have the other 4 layers (which we do *not* have very much in Fedora when it is used as a simple workstation).
>
> Absolutely true - the foundation of the stack is Deter. The point is that we can't harden a system enough for Deter alone to be fully effective, so we need to have the complete security model.
>
> And you are right. We have a real opportunity to look at an overall people centric approach to security in Fedora. Look at the traditional threat models, look at the people issues, and look at an overall approach to maintaining system integrity. I'd like to see us exploring system integrity in greater depth.
>
>> This is why people say we need to improve the Firewall experience not raise white flag and disable it.
>
> Agree. Unfortunately, the easy way out is to punch so many holes in the default firewall that it doesn't offer much protection...

not really true, having the default one allow access only from the local lan at most is a huge improvement rather than no firewall.

All you need is a button that lets you select between 3 zones when you join a new network and you have a much better system already, nothing fancy, and the 3 zones correspond to the concepts of:

* open to everyone (effectively disables any protection)
* open to the local lan only (what you would select at home/work/trusted network)
* closed (what you would select in a public place on an untrusted network)

It is quite simple to describe even to a non expert user what these mean in general terms. Of course it won't be perfect, but much better than nothing, and much, much friendlier than what we have now.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: F21 System Wide Change: Workstation: Disable firewall
Miloslav Trmač (m...@volny.cz) said:
> AFAICS this discussion basically says applications can't depend on firewalld, therefore they can't use firewalld APIs, therefore they wouldn't know whether the firewall restricts them, therefore firewalld must be removed. The only given reason why the applications can't depend on firewalld is vague claims that the D-Bus API is somehow unusable, which is clearly false because firewall-cmd is using exactly the same API.

Well, just because an API *can* be coded to doesn't make it a good API. It would be great to get more concrete descriptions of where the API fails.

Bill
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, 2014-04-22 at 15:04 -0400, Simo Sorce wrote:
> On Tue, 2014-04-22 at 14:41 -0400, Russell Doty wrote:
>> On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote:
>>> On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote:
>>>> On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote:
>>>>> 2014-04-22 13:40 GMT+02:00 Stephen Gallagher sgall...@redhat.com:
>>>>>> 3) Recovery and auditing are more important than prevention.
>>>>>
>>>>> This is only true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (with the high number of systems and administrators). For individual users auditing is completely pointless, recovery is either impossible or a huge hassle, and prevention the only option.
>>>>
>>>> Well, the presentation was focused on enterprise systems... But there were some underlying themes:
>>>>
>>>> * Users will work around anything, including security features, that interferes with them doing their job.
>>>> * It is impossible to completely secure a system. A prevention only approach doesn't work well.
>>>> * An effective security model is built around Deter, Detect, Delay, Respond, Remediate.
>>>> * Security is one of multiple threats to system integrity.
>>>
>>> All very true, but you do not remove the Deterrent, just because you have the other 4 layers (which we do *not* have very much in Fedora when it is used as a simple workstation).
>>
>> Absolutely true - the foundation of the stack is Deter. The point is that we can't harden a system enough for Deter alone to be fully effective, so we need to have the complete security model.
>>
>> And you are right. We have a real opportunity to look at an overall people centric approach to security in Fedora. Look at the traditional threat models, look at the people issues, and look at an overall approach to maintaining system integrity. I'd like to see us exploring system integrity in greater depth.
>>
>>> This is why people say we need to improve the Firewall experience not raise white flag and disable it.
>>
>> Agree. Unfortunately, the easy way out is to punch so many holes in the default firewall that it doesn't offer much protection...
>
> not really true, having the default one allow access only from the local lan at most is a huge improvement rather than no firewall.
>
> All you need is a button that lets you select between 3 zones when you join a new network and you have a much better system already, nothing fancy, and the 3 zones correspond to the concepts of:
>
> * open to everyone (effectively disables any protection)
> * open to the local lan only (what you would select at home/work/trusted network)
> * closed (what you would select in a public place on an untrusted network)

This sounds a lot like the Network Manager model. Could this basic firewall configuration be integrated with the Network Manager interface? So that a user sets their security profile one place, and all related system settings and configurations are updated?

> It is quite simple to describe even to a non expert user what these mean in general terms. Of course it won't be perfect, but much better than nothing, and much, much friendlier than what we have now.

A combination of this and having all commonly used applications configure the firewall when installed/uninstalled looks like a good start, especially from a usability perspective.

> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
Re: F21 System Wide Change: Workstation: Disable firewall
On Apr 22, 2014 5:09 AM, Christian Schaller cscha...@redhat.com wrote:
> - Original Message -
> From: Liam l...@fightingcrane.com
> To: Development discussions related to Fedora devel@lists.fedoraproject.org
> Sent: Monday, April 21, 2014 10:10:13 PM
> Subject: Re: F21 System Wide Change: Workstation: Disable firewall
>
>> On Apr 21, 2014 4:32 AM, drago01 drag...@gmail.com wrote:
>>> On Mon, Apr 21, 2014 at 3:49 AM, Liam l...@fightingcrane.com wrote:
>>>> Sent from mYphone
>>>> On Apr 20, 2014 7:02 PM, drago01 drag...@gmail.com wrote:
>>>>> On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald h.rei...@thelounge.net wrote:
>>>>>>> There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules.
>>>>>>
>>>>>> which make sense
>>>>>
>>>>> Oh finally you seem to understand what this is all about (a few mails ago this was supposed to be strongly prohibited ...)
>>>>>
>>>>> Now please google for Psychological Acceptability and Security you will find tons of scientific papers (read them) explaining about why it is wrong to silently break stuff or ask yes / no question or arguing with this is not a blackbox the user should learn nonsense.
>>>>>
>>>>> There is difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it, while for the former it does not matter that much as you said because they ought to know what to do or where to get that information from.
>>>>
>>>> The latter isn't the target for Workstation, I don't believe.
>>>
>>> Not the *primary* target but still one see the Other users section in the PRD.
>>> --
>>
>> That's fine, but that's not who we need to be optimizing the experience for. We need to be focusing on our primary target. After that others can be considered. A developer can handle this if it is presented well, but we shouldn't let secondary users harm, at all, the experience of the primary user. If we do, then this reorganization isn't working, IMHO.
>
> I think this is a misunderstanding of who a developer might be and why they choose a system. Those of my friends and acquaintances, who are developers and who over the years have decided to switch their development laptops from Linux to predominantly MacOS X, has not done so because they had things they wanted to do that was 'impossible' to do with Linux or that they thought they could not figure out how to do with linux. Instead they moved because they got tired of spending time trying to make their system 'work'. This is in no way limited to dealing with the challenges of a firewall, but if we want to attract developers or any kind of user to our system we need to make it usable without needing daily google searches to figure out how you can do something and make parts of your system work.

The fact of the matter is that there's really no compelling reason for the average web developer, for instance, to move to Linux. Osx is already more powerful than any linux de (automator is something that is used often and it represents a considerably more powerful, and friendly, alternative to scripting in many instances). I'm honestly not sure how to get those folks unless osx makes it harder for professionals to do their work (supposedly their multimonitor support has worsened, but I can't confirm that).

Making sane defaults, which is what we are talking about, isn't antithetical to providing an easy way for people to make changes (say, to fonts, or power settings with better granularity since, sometimes, the heuristic simply doesn't work).

Specifically with regards to the current issue, others have already brought up the solution (carefully constructed zones). Along with that the firewalld gui needs to be refactored a bit, both to make it easier to diagnose problems and implement solutions. That's a decent amount of work, and perhaps no one will do it, but simply disabling functionality isn't the path to grabbing the users/contributors we want, imho.

Best/Liam
Re: F21 System Wide Change: Workstation: Disable firewall
On 21.04.2014 06:17, Orcan Ogetbil wrote:
> On Sun, Apr 20, 2014 at 6:59 PM, drago01 drag...@gmail.com wrote:
>> There is difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it,
>
> Why not? I lock my door every night before I go to sleep, because I learned about home security. I am neither a mayor nor a police officer.

well said!

that's the attitude we need these days instead things are going bad each day but we give up and tell anybody he don't need to learn anything about security in the world we live anybody REALLY NEEDS basic knowledge about computer security or he will pay it sooner or later with his money and/or lost data, that gets proven every week multiple times and pretend the opposite has only two possibilities:

* maliciousness (fun about see the noobs falling)
* ignorance

from the viewpoint of a user falling sooner or later because it was told to him he does not need to know it's maliciousness and i would compare it with telling a blind man you can go sir the traffic lights are green while they are red
Re: F21 System Wide Change: Workstation: Disable firewall
On Mon, Apr 21, 2014 at 6:17 AM, Orcan Ogetbil oget.fed...@gmail.com wrote:
> On Sun, Apr 20, 2014 at 6:59 PM, drago01 drag...@gmail.com wrote:
>> There is difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it,
>
> Why not?

Because for those people a computer is just a tool.

> I lock my door every night before I go to sleep, because I learned about home security.

No you don't do it because you learned about home security (I do not know if you did or not this is not the point), but because it is common sense to do so. That is comparable to using a password which user do use. Also where do you draw a line?

The user have to know what sockets and ports are?
How computer networks generally work?
Learn about subnets and routes?
How process and file privileges work?
Learn about file caps?
SELinux labels and their meanings? Which requires understand what syscalls are and how they work.
Learn and study the mathematics behind cryptography to choose the right algorithm?
Understand how and why buffer, heap and integer overflows can affect their security? Which requires knowledge of the underlying architecture (x86 / x86_64) along with how memory allocation works, how data is placed out on the stack / heap ...
Learn how to modify or write a selinux policy to confine an untrusted application?
[...]

I did learn those things so did probably you and Harald but designing an operating system that requires deep technical understanding to be used is just a failure on our part.

What seems easy and obvious to people on a *operating system development mailing list* is not for the general public (believe it or not that's a fact). And no that's not because people are stupid. They just have different professions and interests.
Re: F21 System Wide Change: Workstation: Disable firewall
On Mon, Apr 21, 2014 at 3:49 AM, Liam l...@fightingcrane.com wrote:
> Sent from mYphone
> On Apr 20, 2014 7:02 PM, drago01 drag...@gmail.com wrote:
>> On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald h.rei...@thelounge.net wrote:
>>>> There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules.
>>>
>>> which make sense
>>
>> Oh finally you seem to understand what this is all about (a few mails ago this was supposed to be strongly prohibited ...)
>>
>> Now please google for Psychological Acceptability and Security you will find tons of scientific papers (read them) explaining about why it is wrong to silently break stuff or ask yes / no question or arguing with this is not a blackbox the user should learn nonsense.
>>
>> There is difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it, while for the former it does not matter that much as you said because they ought to know what to do or where to get that information from.
>
> The latter isn't the target for Workstation, I don't believe.

Not the *primary* target but still one see the Other users section in the PRD.
Re: F21 System Wide Change: Workstation: Disable firewall
On 21.04.2014 10:25, drago01 wrote:
> I did learn those things so did probably you and Harald but designing an operating system that requires deep technical understanding to be used is just a failure on our part

you don't get it - ship dangerous defaults is just a failure on our part

the user don't need to learn all the details

he needs only three choices

* share for everyone including the internet
* share only for the local network
* don't share for the network at all because it's used for playing on localhost

and while this *really* needed question is shown there should be a link provided to read more about the differences

> What seems easy and obvious to people on a *operating system development mailing list* is not for the general public (believe it or not that's a fact). And no that's not because people are stupid. They just have different professions and interests

explain that to them after damage happened with oh i thought we should not bother you because we think you have different professions
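The three choices proposed in this thread (the three zones in Simo Sorce's message and the three sharing options in the message above) reduce to one decision per inbound connection. The following Python sketch is an added example, not code from firewalld or from any poster; `Profile`, `is_local`, `allow_inbound` and the sample addresses are assumptions, and "local network" is taken to mean the subnets configured on the active interface plus link-local sources.

```python
# Added example (not from the thread or from firewalld): the three network
# profiles discussed above as a single inbound-connection decision.
# Profile, is_local and allow_inbound are hypothetical names.
import ipaddress
from enum import Enum


class Profile(Enum):
    OPEN = "open to everyone"
    LAN_ONLY = "open to the local network only"
    CLOSED = "closed"


def _parse(addr):
    """Parse a source address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).

    An AF_INET6 socket that also accepts IPv4 reports those peers in mapped
    form; without this step they would never match an IPv4 subnet.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_local(src, interface_addrs):
    """True if src is on a subnet configured on the active interface.

    interface_addrs uses the "address/prefix" form printed by `ip addr`,
    so host bits are allowed (strict=False). Link-local sources count as
    local because routers do not forward them.
    """
    ip = _parse(src)
    if ip.is_link_local:
        return True
    for cidr in interface_addrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def allow_inbound(profile, src, interface_addrs):
    """Decide whether a new inbound connection from src is accepted."""
    if _parse(src).is_loopback:
        return True  # traffic that never leaves the machine is not filtered
    if profile is Profile.OPEN:
        return True  # assumption: "open" accepts any source
    if profile is Profile.LAN_ONLY:
        return is_local(src, interface_addrs)
    return False  # Profile.CLOSED


# Constructed sample data: addresses of a laptop interface and some peers.
SAMPLE_IFACE = ["192.168.1.23/24", "2001:db8:1::5/64"]
SAMPLE_PEERS = ["127.0.0.1", "192.168.1.50", "::ffff:192.168.1.50",
                "fe80::abcd", "203.0.113.9", "2001:db8:2::1"]


def decision_table(peers=SAMPLE_PEERS, iface=SAMPLE_IFACE):
    """Return {peer: {profile name: accepted?}} for every profile."""
    return {p: {pr.name: allow_inbound(pr, p, iface) for pr in Profile}
            for p in peers}


if __name__ == "__main__":
    for peer, row in decision_table().items():
        print(f"{peer:22} {row}")
```

The source-address test only describes who may open a connection; it does not authenticate the peer, so the "local network" profile is only as trustworthy as the network the machine has joined.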
Re: F21 System Wide Change: Workstation: Disable firewall
On Mon, Apr 21, 2014 at 10:50 AM, Reindl Harald h.rei...@thelounge.net wrote:
> On 21.04.2014 10:25, drago01 wrote:
>> I did learn those things so did probably you and Harald but designing an operating system that requires deep technical understanding to be used is just a failure on our part
>
> you don't get it - ship dangerous defaults is just a failure on our part
>
> the user don't need to learn all the details
>
> he needs only three choices
>
> * share for everyone including the internet
> * share only for the local network
> * don't share for the network at all because it's used for playing on localhost

Yes we should provide those choices which is what I am saying making this choice should not (and does not) require the knowledge about networking nor how to configure the firewall. The tool that configures the sharing should do that for the user. The user should not have to mess around with firewalls, network ports and interfaces himself.

> and while this *really* needed question is shown there should be a link provided to read more about the differences
>
>> What seems easy and obvious to people on a *operating system development mailing list* is not for the general public (believe it or not that's a fact). And no that's not because people are stupid. They just have different professions and interests
>
> explain that to them after damage happened with oh i thought we should not bother you because we think you have different professions

You missed the point again. Did you read the scientific papers I have pointed you at?
Re: F21 System Wide Change: Workstation: Disable firewall
On 21.04.2014 11:13, drago01 wrote:
> On Mon, Apr 21, 2014 at 10:50 AM, Reindl Harald h.rei...@thelounge.net wrote:
>> On 21.04.2014 10:25, drago01 wrote:
>>> I did learn those things so did probably you and Harald but designing an operating system that requires deep technical understanding to be used is just a failure on our part
>>
>> you don't get it - ship dangerous defaults is just a failure on our part
>>
>> the user don't need to learn all the details
>>
>> he needs only three choices
>>
>> * share for everyone including the internet
>> * share only for the local network
>> * don't share for the network at all because it's used for playing on localhost
>
> Yes we should provide those choices which is what I am saying making this choice should not (and does not) require the knowledge about networking nor how to configure the firewall.

you need at least to understand the difference between internet and a local network to make this decision or choose internet needs to be harder than local network to not open samba by accident

my *real* problem is that this dumb proposal Disable firewall is still not rejected and whoever made it that way banned the next 12 months from making proposals affecting the whole distribution

> The tool that configures the sharing should do that for the user. The user should not have to mess around with firewalls, network ports and interfaces himself.
>
>> and while this *really* needed question is shown there should be a link provided to read more about the differences
>>
>>> What seems easy and obvious to people on a *operating system development mailing list* is not for the general public (believe it or not that's a fact). And no that's not because people are stupid. They just have different professions and interests
>>
>> explain that to them after damage happened with oh i thought we should not bother you because we think you have different professions
>
> You missed the point again. Did you read the scientific papers I have pointed you at?

that scientific papers are self prophecy bullshit

if you often enough tell people they need not to know this and that and later go out and ask them are you interested in this and that what do you think will the answer be?
Re: F21 System Wide Change: Workstation: Disable firewall
On Mon, Apr 21, 2014 at 4:25 AM, drago01 wrote:
> On Mon, Apr 21, 2014 at 6:17 AM, Orcan Ogetbil wrote:
>> On Sun, Apr 20, 2014 at 6:59 PM, drago01 wrote:
>>> There is difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it,
>>
>> Why not?
>
> Because for those people a computer is just a tool.

Sure. Please define just a tool. I suspect we are talking about different things.

>> I lock my door every night before I go to sleep, because I learned about home security.
>
> No you don't do it because you learned about home security (I do not know if you did or not this is not the point), but because it is common sense to do so. That is comparable to using a password which user do use. Also where do you draw a line?

Hmm, if you didn't like the password analogy, let me tell you this: I also shut my windows or other points of entry. And yes, I learned it. I even taught it to some other people so that they don't learn it the hard way. I don't need to know about the woodwork, the construction details of the mechanical parts, sodium oxide content of the glass. I don't need to know about its assembly. I just need to know how to shut the windows and open them up when I need to. If my neighbor keeps all the windows open because he doesn't know how to shut them, he'll be in trouble.

> The user have to know what sockets and ports are?

Yes.

Best,
Orcan
Re: F21 System Wide Change: Workstation: Disable firewall
On Apr 21, 2014 4:32 AM, drago01 drag...@gmail.com wrote:
> On Mon, Apr 21, 2014 at 3:49 AM, Liam l...@fightingcrane.com wrote:
>> Sent from mYphone
>> On Apr 20, 2014 7:02 PM, drago01 drag...@gmail.com wrote:
>>> On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald h.rei...@thelounge.net wrote:
>>>>> There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules.
>>>>
>>>> which make sense
>>>
>>> Oh finally you seem to understand what this is all about (a few mails ago this was supposed to be strongly prohibited ...)
>>>
>>> Now please google for Psychological Acceptability and Security you will find tons of scientific papers (read them) explaining about why it is wrong to silently break stuff or ask yes / no question or arguing with this is not a blackbox the user should learn nonsense.
>>>
>>> There is difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it, while for the former it does not matter that much as you said because they ought to know what to do or where to get that information from.
>>
>> The latter isn't the target for Workstation, I don't believe.
>
> Not the *primary* target but still one see the Other users section in the PRD.
> --

That's fine, but that's not who we need to be optimizing the experience for. We need to be focusing on our primary target. After that others can be considered. A developer can handle this if it is presented well, but we shouldn't let secondary users harm, at all, the experience of the primary user. If we do, then this reorganization isn't working, IMHO.
Re: F21 System Wide Change: Workstation: Disable firewall
Christian Schaller wrote: where we at the same time need to allow each user to have any port they desire opened for traffic to make sure things like DLNA or Chromecast works. Such things MUST NOT be enabled by default. Kevin Kofler
Re: F21 System Wide Change: Workstation: Disable firewall
Jaroslav Reznik wrote, on behalf of Matthias Clasen: The firewalld service will not be enabled by default in the workstation product. WTF? So we're going to disable security by default? We are forcing such a PITA as SELinux that breaks applications on all users by default, yet we will let systems wide open for remote exploitation? That just does not make any sense. The most effective way to prevent intrusions is to not let intruders into the system at all. == Detailed Description == The current level of integration into the desktop and applications does not justify enabling the firewalld service by default. Additionally, the set of zones that we currently expose is excessive and not user-friendly. Therefore, we will disable the firewall service while we are working on a more user-friendly way to deal with network-related privacy issues. If firewall-config from firewalld is too complicated, drop back to the good old static iptables wrapper service and system-config-firewall. That was simple and straightforward and just worked. It will of course still be possible to enable the firewall manually. Too late if the system already got remotely rooted by the time the admin gets around to enabling the firewall. Kevin Kofler
Re: F21 System Wide Change: Workstation: Disable firewall
On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler kevin.kof...@chello.at wrote: Christian Schaller wrote: where we at the same time need to allow each user to have any port they desire opened for traffic to make sure things like DLNA or Chromecast works. Such things MUST NOT be enabled by default. No one suggested that. Currently the user enables them and they do not work until after he/she disables the firewall.
Re: F21 System Wide Change: Workstation: Disable firewall
On 20.04.2014 at 20:19, drago01 wrote: On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler kevin.kof...@chello.at wrote: Christian Schaller wrote: where we at the same time need to allow each user to have any port they desire opened for traffic to make sure things like DLNA or Chromecast works. Such things MUST NOT be enabled by default. No one suggested that. Currently the user enables them and they do not work until after he/she disables the firewall wrong - until he *configures* the firewall to open the needed ports if that can't be half-automated with confirmation in any case even open the ports full automated should be strongly prohibited because taking away the users control is *not* why Linux as project was started - there are enough other blackbox systems i doubt that *any* software on this planet needs the firewall to be completely disabled and if such crap was written because using random ports for no good reason it has no existence authority there is *no single* valid reason to disable the firewall as default in 2014 period and if there are applications which needs manual configuration from the user then lead him to the needed documentation or remove that completely from the distribution anybody thinking in 2014 install a OS with a disabled firewall must have lived below a stone the last decade and should not be permitted to make decisions affecting the enduser and honestly the above was said as nice as possible, maybe even too nice
Re: F21 System Wide Change: Workstation: Disable firewall
On Sun, Apr 20, 2014 at 10:15 PM, Reindl Harald h.rei...@thelounge.net wrote: On 20.04.2014 at 20:19, drago01 wrote: On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler kevin.kof...@chello.at wrote: Christian Schaller wrote: where we at the same time need to allow each user to have any port they desire opened for traffic to make sure things like DLNA or Chromecast works. Such things MUST NOT be enabled by default. No one suggested that. Currently the user enables them and they do not work until after he/she disables the firewall wrong - until he *configures* the firewall If that knowledge is present sure. If it isn't then either this shit does not work or the user will somehow find out that it is caused by the firewall and try to disable it. to open the needed ports if that can't be half-automated with confirmation in any case even open the ports full automated should be strongly prohibited The user did choose to share data ... configure the firewall to allow it automatically should not be strongly prohibited because the user has chosen to share the data. Showing him information that the data would be shared to everyone on this network is fine but as soon as you go into implementation details and talk about ports you lost the user and he/she will just click yes/ok/continue ... because taking away the users control is *not* why Linux as project was started Again strawman .. it's not about taking control from the user (you still can control the firewall settings), but let the computer do work in an automated way for the user i.e why computers have been created.
i doubt that *any* software on this planet needs the firewall to be completely disabled and if such crap was written because using random ports for no good reason it has no existence authority No it does indeed not *need* to be completely disabled but apps should not open random ports without any reason to begin with (we should not ship those and we have a rule to not enable network facing services by default despite of the firewall).
Re: F21 System Wide Change: Workstation: Disable firewall
On 20.04.2014 at 22:44, drago01 wrote: On Sun, Apr 20, 2014 at 10:15 PM, Reindl Harald h.rei...@thelounge.net wrote: On 20.04.2014 at 20:19, drago01 wrote: On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler kevin.kof...@chello.at wrote: Christian Schaller wrote: where we at the same time need to allow each user to have any port they desire opened for traffic to make sure things like DLNA or Chromecast works. Such things MUST NOT be enabled by default. No one suggested that. Currently the user enables them and they do not work until after he/she disables the firewall wrong - until he *configures* the firewall If that knowledge is present sure and disable it hence the knowledge is not there is the Apple way do you really think the market share of linux will explode if we provide unsecure defaults? i doubt If it isn't then either this shit does not work or the user will somehow find out that it is caused by the firewall and try to disable it or try to get the knowledge to configure it in any case the user decides instead blame Fedora for the damage done with insecure defaults to open the needed ports if that can't be half-automated with confirmation in any case even open the ports full automated should be strongly prohibited The user did choose to share data ... configure the firewall to allow it automatically should not be strongly prohibited because the user has chosen to share the data. Showing him information that the data would be shared to everyone on this network is fine but as soon as you go into implementation details and talk about ports you lost the user and he/she will just click yes/ok/continue ... yes the user did click share data and you really think he also meant share data to the whole internet? because taking away the users control is *not* why Linux as project was started Again strawman ..
it's not about taking control from the user (you still can control the firewall settings) you refuse to understand security basics after you booted the new installed machine and open ports of possible vulnerable services which needs updates it is *too late* to enable the firewall for preventing already happened damage but let the computer do work in an automated way for the user i.e why computers have been created *that* is a strawman some people think computer needs to be that easy to handle like a microwave - but the same people refuse to understand that a computer is way more complex don't you think there is a reason for get a driver license before you are allowed to enter a public street? i doubt that *any* software on this planet needs the firewall to be completely disabled and if such crap was written because using random ports for no good reason it has no existence authority No it does indeed not *need* to be completely disabled but apps should not open random ports without any reason to begin with (we should not ship those and we have a rule to not enable network facing services by default despite of the firewall) but this damned proposal is about *completely disable it* did you read the OP? did you try to understand it?
in simple words it means because we are currently unsure how to provide secure defaults while not block enabled services we give up and throw away security at all because we prefer anything working out of the box without minimal understanding of the user what he is doing over security than just install one of the already available by default unsecure operating systems instead damage Linux and bring it in the same bad shape - there are enough Linux users which chose the OS because it's by default configured in a secure way and that is what users expect in 2014
Re: F21 System Wide Change: Workstation: Disable firewall
On Thu, Apr 17, 2014 at 11:44:58PM +0200, Miloslav Trmač wrote: We don't, actually. *Only* applications running in a session of a member of the wheel group would have that right, and those applications are pretty much root-equivalent anyway. (Many GNOME users probably use such a setup, but it's not at all the only one possible.) Ugh. This is implemented in PolicyKit? Where was this change discussed/announced and when did it happen? Reinterpreting wheel group membership to give user accounts mighty powers without requiring re-authentication is a pretty major change and probably unexpected for most users.
Re: F21 System Wide Change: Workstation: Disable firewall
Guys, 1st April was a long time ago, stop this kind of stupidity. How in the earth would be a good idea to have the firewall disabled by default? I mean you're all graduate from college/university, right? You have the capacity to think, am I right?
Re: F21 System Wide Change: Workstation: Disable firewall
On Sun, Apr 20, 2014 at 10:56 PM, Reindl Harald h.rei...@thelounge.net wrote: after you booted the new installed machine and open ports of possible vulnerable services which needs updates it is *too late* to enable the firewall for preventing already happened damage Do you even know how backwards that reads? If you really know what you are doing you do *not* enable network facing services without installing updates first. Anyway I am out of this discussion.
Re: F21 System Wide Change: Workstation: Disable firewall
On Sun, Apr 20, 2014 at 11:20 PM, Lars Seipel lars.sei...@gmail.com wrote: On Thu, Apr 17, 2014 at 11:44:58PM +0200, Miloslav Trmač wrote: We don't, actually. *Only* applications running in a session of a member of the wheel group would have that right, and those applications are pretty much root-equivalent anyway. (Many GNOME users probably use such a setup, but it's not at all the only one possible.) Ugh. This is implemented in PolicyKit? Where was this change discussed/announced and when did it happen? Reinterpreting wheel group membership to give user accounts mighty powers without requiring re-authentication is a pretty major change and probably unexpected for most users. I can't recall when this happened but it was done to not have two ways to define user with more privileges
Re: F21 System Wide Change: Workstation: Disable firewall
On 20.04.2014 at 23:44, drago01 wrote: On Sun, Apr 20, 2014 at 10:56 PM, Reindl Harald h.rei...@thelounge.net wrote: after you booted the new installed machine and open ports of possible vulnerable services which needs updates it is *too late* to enable the firewall for preventing already happened damage Do you even know how backwards that reads? If you really know what you are doing you do *not* enable network facing services without installing updates first I KNOW WHAT I AM DOING - THE POOR USER WITH INSECURE DEFAULTS DON'T that is exactly the poor guy for which the firewall should be disabled in default installs to not overload his brain with a firewall don't you realize how pervert your conclusion is? Anyway I am out of this discussion you simply refuse to understand what i am saying * there are network services enabled by default * avahi is one of them * you nor i can say for sure avahi never ever get a critical security update * you nor i can be sure that there is not another network-service is running * even if it is not running by intention it may be running by mistake as default * so after you installed a new system avahi is running and the firewall down * how do you genius install the updates without a network and to *not* have to consider what is safe and what you have to stop after a fresh install before you can plug your machine to the network for install security relevant updates a firewall has to be enabled by default honestly it's good that you are out of this discussion because you seem to not have a clue about security nor understand the implications of who knows what he is doing and why the one who don't need sane defaults
Re: F21 System Wide Change: Workstation: Disable firewall
On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald h.rei...@thelounge.net wrote: * there are network services enabled by default Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs. * avahi is one of them You keep listing this as an example but avahi is not only installed and enabled by default but also allowed configured to work in the default firewall setup since F18 [1] ... So the current default firewall won't protect you against avahi flaws. * you nor i can say for sure avahi never ever get a critical security update See above. * you nor i can be sure that there is not another network-service is running * even if it is not running by intention it may be running by mistake as default * so after you installed a new system avahi is running and the firewall down See above. * how do you genius install the updates without a network and to *not* have to consider what is safe and what you have to stop after a fresh install before you can plug your machine to the network for install security relevant updates a firewall has to be enabled by default Again you 1) assume that we enable random services by default and the firewall is the only thing that protects freshly installed systems 2) that given the user options that do not work and force him to learn about computer networks to do basic tasks is how things should work both are false. Sure disabling the firewall is not the only way to solve 2) but the silently make things not work i.e the status quo or ask a user questions that he does not understand are no solutions. There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules.
honestly it's good that you are out of this discussion because you seem to not have a clue about security nor understand the implications of who knows what he is doing and why the one who don't need sane defaults No the reason is simply that talking to you is very annoying .. you resort to baseless attacks (like the this one) and strawmans. 1: http://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop
Re: F21 System Wide Change: Workstation: Disable firewall
On 21.04.2014 at 00:22, drago01 wrote: On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald h.rei...@thelounge.net wrote: * there are network services enabled by default Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs. please stop to prove even more that you have no clue of security a firewall and security layers are to prevent from *UNKNOWN* mistakes in the future they are to prevent expose network services to the WAN which most likely are intended for the local network by the user (SMB and so on) hope that the ISP is blocking incoming SMB connections from the WAN is not enough * file bugs don't help in that context * the damned ISO image don't get fixed * even if it is replaced it takes way too long * the already existing setups are insecure If you really know what you are doing you do *not* enable network facing services without installing updates first was honestly enough to prove your missing understanding of the ordinary user because the ordinary users install his OS and starts whatever he wants to do with his computer - thinking that the first he does before start network aware services is to seek for security updates is laughable to say it in nice words * avahi is one of them You keep listing this as an example but avahi is not only installed and enabled by default but also allowed configured to work in the default firewall setup since F18 [1] ... bad enough So the current default firewall won't protect you against avahi flaws. * you nor i can say for sure avahi never ever get a critical security update See above.
see above * you nor i can be sure that there is not another network-service is running * even if it is not running by intention it may be running by mistake as default * so after you installed a new system avahi is running and the firewall down See above there is nothing to read above you don't understand what a safe default means you even refuse try to understand it which is horrible in 2014 * how do you genius install the updates without a network and to *not* have to consider what is safe and what you have to stop after a fresh install before you can plug your machine to the network for install security relevant updates a firewall has to be enabled by default Again you 1) assume that we enable random services by default and the firewall is the only thing that protects freshly installed systems 2) that given the user options that do not work and force him to learn about computer networks to do basic tasks is how things should work both are false. for you not for people care about default security Sure disabling the firewall is not the only way to solve 2) but the silently make things not work i.e the status quo or ask a user questions that he does not understand are no solutions. until you come up with better ones they are disable the firewall is no solution There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules. 
which make sense your if you are know what you are doing you don't does not make sense the user knowing what he is doing don't need hand holding in any case we are talking about terrible defaults honestly it's good that you are out of this discussion because you seem to not have a clue about security nor understand the implications of who knows what he is doing and why the one who don't need sane defaults No the reason is simply that talking to you is very annoying most of the time talking to people with a clue what they are talking about is annoying - well, there are two choices. try to understand what they are talking about or keep annoyed you resort to baseless attacks (like the this one) and strawmans. 1: http://fedoraproject.org/wiki/Features/AvahiDefaultOnDesktop well, maybe Avahi is a bad example because the major mistake in that case already happened, but that's a weak excuse to make more wrong decisions and throw the whole security of the distribution in a default setup away
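Editor's added example, not part of any message in the thread: the exchange above turns on which listening services a fresh install exposes with the firewall off versus on, and on avahi staying reachable because the default configuration allows it. The sketch below models a zone as a flat protocol/port allow-list, which is a simplifying assumption; the `ss` output and the allow-list are constructed sample data, not values read from a Fedora system.

```python
"""Which listeners are network-reachable: firewall off vs. a zone allow-list.

All sample data below is constructed for illustration.
"""
import ipaddress
from typing import NamedTuple

# Constructed sample of `ss -H -tuln` output for a freshly installed desktop.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080          [::]:*
tcp   LISTEN 0      5              [::1]:631           [::]:*
"""

# Assumed allow-list of the active zone (ssh and mDNS); hypothetical values,
# not queried from firewalld.
ZONE_ALLOWED = frozenset({("tcp", 22), ("udp", 5353)})


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


def parse_listeners(ss_output):
    """Parse `ss -H -tuln` lines into Listener tuples, skipping anything else."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        # Local address is the 5th column; the port follows the last colon.
        addr, _, port = fields[4].rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and an interface scope such as "%lo".
        addr = addr.strip("[]").split("%", 1)[0]
        listeners.append(Listener(fields[0], addr, int(port)))
    return listeners


def is_loopback(addr):
    """True when the bind address is only reachable from the local host."""
    if addr == "*":  # ss prints "*" for a wildcard bind
        return False
    return ipaddress.ip_address(addr).is_loopback


def reachable(listeners, firewall_enabled, allowed=frozenset()):
    """Return sorted (proto, port) pairs reachable from the network."""
    exposed = set()
    for listener in listeners:
        if is_loopback(listener.addr):
            continue  # bound to localhost: never reachable remotely
        key = (listener.proto, listener.port)
        if not firewall_enabled or key in allowed:
            exposed.add(key)
    return sorted(exposed)


def protected_only_by_firewall(listeners, allowed):
    """Listeners that become reachable the moment the firewall is disabled."""
    off = set(reachable(listeners, firewall_enabled=False))
    on = set(reachable(listeners, firewall_enabled=True, allowed=allowed))
    return sorted(off - on)


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS)
    print("firewall off:", reachable(found, False))
    print("firewall on: ", reachable(found, True, ZONE_ALLOWED))
    print("blocked only by the firewall:",
          protected_only_by_firewall(found, ZONE_ALLOWED))
```

In the sample, SMB (445/tcp) and a development web server (8080/tcp) are kept off the network only by the firewall, while mDNS (5353/udp) is reachable in both cases because the allow-list permits it.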
Re: F21 System Wide Change: Workstation: Disable firewall
On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald h.rei...@thelounge.net wrote: There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules. which make sense Oh finally you seem to understand what this is all about (a few mails ago this was supposed to be strongly prohibited ...) Now please google for Psychological Acceptability and Security you will find tons of scientific papers (read them) explaining about why it is wrong to silently break stuff or ask yes / no question or arguing with this is not a blackbox the user should learn nonsense. There is a difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it, while for the former it does not matter that much as you said because they ought to know what to do or where to get that information from. As for filing bugs because its broken even if it is not (obviously) exploitable because security mechanisms (firewall, selinux, nx, ...) are in place does not mean that we should not fix them..
Re: F21 System Wide Change: Workstation: Disable firewall
On 21.04.2014 at 00:59, drago01 wrote: On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald h.rei...@thelounge.net wrote: There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules. which make sense Oh finally you seem to understand what this is all about (a few mails ago this was supposed to be strongly prohibited ...) if we talk about security business it is still wrong but somehow acceptable - the problem you refuse to understand is that install and start a service does not mean it should be reachable from the network without confirmation if somebody installs httpd on his developer workstation it does not mean he wants to open the service for any machine but localhost as example - the opposite is true because due development it's most likely unsecure whatever runs there Now please google for Psychological Acceptability and Security you will find tons of scientific papers (read them) explaining about why it is wrong to silently break stuff or ask yes / no question or arguing with this is not a blackbox the user should learn nonsense.
that's not nonsense - that's the truth you can accept that or put your head in the sand at the end of the day any user pulling a network cable into his machine or connect to a open WLAN will sooner or later get troubles - the question is not if, the only question is how much time it takes There is a difference between a software developer, a sysadmin and a user that simply wants to share his music with his family and since you don't know who is in front of a new installed machine the defaults needs to be secure The latter should not have to learn about computer security to do it i doubt he will be thankful for sharing his music to the whole internet by default after he get jailed while for the former it does not matter that much as you said because they ought to know what to do or where to get that information from. but they may make decisions based on this distribution has insane and insecure defaults, better take a different one As for filing bugs because its broken even if it is not (obviously) exploitable because security mechanisms (firewall, selinux, nx, ...) are in place does not mean that we should not fix them surely we should fix them but your because security mechanisms (firewall) is pervert in a thread with the subject disable firewall for me personally that all as most of other Fedora decisions don't matter because i get paid for secure networks and invent network wide defaults with no care what the distributions ones are - but that's not the typical users and that is why i refuse to understand such insane proposals like we don't know how to handle usability and firewall and so we disable the firewall
Re: F21 System Wide Change: Workstation: Disable firewall
Sent from mYphone On Apr 20, 2014 7:02 PM, drago01 drag...@gmail.com wrote: On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald h.rei...@thelounge.net wrote: There have been other suggestions in this thread that are helpful like the network zones thing (but we still have too many zones) or enabling services should make them work i.e just enable the firewall rules. which make sense Oh finally you seem to understand what this is all about (a few mails ago this was supposed to be strongly prohibited ...) Now please google for Psychological Acceptability and Security you will find tons of scientific papers (read them) explaining about why it is wrong to silently break stuff or ask yes / no question or arguing with this is not a blackbox the user should learn nonsense. There is a difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it, while for the former it does not matter that much as you said because they ought to know what to do or where to get that information from. The latter isn't the target for Workstation, I don't believe. Since we can assume more knowledge of the user given our mandate we don't have to be quite so careful with what we expose. Of course the firewalld GUI still needs work, along with the way Zones are currently setup, but disabling those things makes no sense considering who we're targeting. Why optimize for users we don't have against those we do (or want)?
Re: F21 System Wide Change: Workstation: Disable firewall
On Sun, Apr 20, 2014 at 6:59 PM, drago01 drag...@gmail.com wrote: There is a difference between a software developer, a sysadmin and a user that simply wants to share his music with his family. The latter should not have to learn about computer security to do it, Why not? I lock my door every night before I go to sleep, because I learned about home security. I am neither a mayor nor a police officer. Orcan
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/16/2014 01:11 AM, William Brown wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: What you need is clearly different zones that the user can configure and associate to networks, with the default being that you trust nothing and everything is firewalled when you roam a new network. We have that already with zones in firewalld. Kindof. If I open the network panel and find the 'Firewall zone' combo, I am presented with a choice of: Default block dmz drop external home internal public trusted work This list is far too long, and none of it is translated or even properly capitalized. And there is no indication at all why one would choose any zone over any other, and what consequences it has. Agreed Perhaps shorten to: block public work home Oh yes. And when accompanied by a short explanation of what happens (how much is shared/blocked, what you may need to do manually to override the settings if setting up a service etc.), I think the user experience leaves little to be desired. The other network zone names really seem targeted at servers. Maybe each zone needs an attr that states if it's a workstation zone or not to determine if it joins this list? So, what you have currently is a raw bit of infrastructure that is directly exposed to the end user, without any design or integration. Additionally, the command line syntax to manage firewalld is obscene. (maybe slightly off topic ...) firewall-cmd --zone=foo --add-port=12345/tcp --permanent It doesn't autocomplete in bash either (zsh at least prefills the -- and gives you some options, but it's not great) At least for the power user on a workstation, fixing this syntax to at the minimum remove all the -- would be great. Follow that by nm-cli style short hand, and I would be a happy person. 
You could do: firewalld-cmd z=foo a-p=12345/tcp perm Because this syntax is hard I think that it even excludes power users from wanting to make their firewall work on their system. I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of. Never take decisions away from users. The OSX style firewall works well when enabled. It blocks all by default, then when an application wants a listening port, the user is prompted to allow or deny it. I think this is a good model. What I envision is that we will notify the user when we connect to a new network, with a message along the lines of: You have connected to a new network. If this is a public network, you may want to stop sharing your Music and disable Remote Logins. [Turn off sharing] [Continue sharing] [Sharing Preferences...] And we will remember this for when you later reconnect to the same network. Why not set the firewall zone when you join the network? And the above prompts alter that currently active zone? I've filed a bug for this: https://bugzilla.gnome.org/show_bug.cgi?id=727580 Matthias
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/16/2014 09:32 AM, Simo Sorce wrote: On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote: On 04/15/2014 09:31 AM, Simo Sorce wrote: On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: I keep thinking that, if I had unlimited time, I'd write a totally different kind of firewall. It would allow some policy (userspace daemon or rules loaded into the kernel) to determine when programs can listen on what sockets and when connections can be accepted on those sockets. This avoids the attack surface of iptables, it will be faster, it can cause programs to actually report errors if you want them to, and it could be a lot easier to configure. Wouldn't it be great if, when you start some program that wants to listen globally, your system could prompt you and ask whether it was okay, even if that program didn't know about firewalld? I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the user if he wants to allow it. However this would still not be completely sufficient as you completely lack any context about what network you are operating on. The firewall's purpose is to block access to local services on bad networks too, it is not a binary open/close equation when you have machines (laptops) that roam across a variety of networks. Simo. Nothing worse then asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK? Which is not what I proposed Dan. I in fact said we should *NOT* ask per application. What we should ask is one single question, upon connecting to an unknown network: Is this network trusted ? If yes you open up to the local network. If no you keep ports not accessible on that network. 
We can hint that a cafe wifi is usually not trusted and users should say no, or perhaps we do not even ask and default to untrusted on open wifi networks, and only ask on secured networks (this would be my preference). Didn't mean to accuse you of saying that. I do like the idea of asking if you are on a trusted network. %99.999 will answer yes, and be aggravated. Setting up a rule that says app XYZ is allowed to open certain ports would be a great step forward. But there would need to be a provable way to guarantee that only the XYZ application is able to open those ports. You could do this with SELinux, but we would need to transition user apps to certain domains, but we would need to run users with a confined domain, and stop disabling SELinux... I think we can do this in steps, I certainly agree with the long term goal. Simo.
Re: F21 System Wide Change: Workstation: Disable firewall
On Thu, 17 Apr 2014, Daniel J Walsh wrote:
> Didn't mean to accuse you of saying that. I do like the idea of asking if you are on a trusted network.

For DNS issues we have similar issues. A sane default seems to be that if you plugin a cable or you enter wifi WPA(2) details, you are trusting the network you are connecting to per default. (with NM override options for corner cases like using WPA2 on your phone as hotspot but you don't trust the telco network)

Paul
Re: F21 System Wide Change: Workstation: Disable firewall
On 17.04.2014 18:26, Paul Wouters wrote:
> On Thu, 17 Apr 2014, Daniel J Walsh wrote:
>> Didn't mean to accuse you of saying that. I do like the idea of asking if you are on a trusted network.
>
> For DNS issues we have similar issues. A sane default seems to be that if you plugin a cable or you enter wifi WPA(2) details, you are trusting the network you are connecting to per default. (with NM override options for corner cases like using WPA2 on your phone as hotspot but you don't trust the telco network)

by plugin a cable you trust the network? seriously?

you may live in a world with only wireless clients and that's why plugin a cable is something special that it only happens at your home network - i can tell for sure that's not really true

you have to be *asked* if you trust that network and no i do not buy the argumentation the user anyways says yes because even don't ask shoots also the one which would think about or say no for good reasons
Re: F21 System Wide Change: Workstation: Disable firewall
On Thu, 2014-04-17 at 12:26 -0400, Paul Wouters wrote:
> For DNS issues we have similar issues. A sane default seems to be that if you plugin a cable or you enter wifi WPA(2) details, you are trusting the network you are connecting to per default. (with NM override options for corner cases like using WPA2 on your phone as hotspot but you don't trust the telco network)

Ah, that would make everything too easy. :( For WPA Enterprise networks, of course. But a WPA PSK network is as likely to be a trusted home network as it is a coffee shop that puts on a password so that you have to be inside to see the password on a flier or something, or a university network open to thousands of people. Asking seems safest.

But another danger: if I am at home but my computer is not behind a personal router with a NAT, do I select Home or Public? The average user does not know and will pick Home. A prompt to select a network zone needs to be carefully thought out to make it less likely that the user picks wrong.
Re: F21 System Wide Change: Workstation: Disable firewall
2014-04-15 15:59 GMT+02:00 Michael Catanzaro mcatanz...@gnome.org:
> On Tue, 2014-04-15 at 14:35 +0200, Zbigniew Jędrzejewski-Szmek wrote:
>> What needs to be done to improve the firewall integration?
>> Zbyszek
>
> The rule in the Workstation technical spec is: A firewall in its default configuration may not interfere with the normal operation of programs installed by default. [1]
>
> There's a discussion on the desktop list beginning at [2] that has some brainstorming and explanation as to why this would be hard.
>
> [1] https://fedoraproject.org/wiki/Workstation/Technical_Specification#Firewall
> [2] https://lists.fedoraproject.org/pipermail/desktop/2014-February/009142.html

For the benefit of keeping everything on this list: AFAICS this discussion basically says applications can't depend on firewalld, therefore they can't use firewalld APIs, therefore they wouldn't know whether the firewall restricts them, therefore firewalld must be removed. The only given reason why the applications can't depend on firewalld is vague claims that the D-Bus API is somehow unusable, which is clearly false because firewall-cmd is using exactly the same API.

Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
Hello, Just some clarifications so that we are all on the same page; those don't significantly affect the larger discussion though... 2014-04-15 17:40 GMT+02:00 Andrew Lutomirski l...@mit.edu: Can someone explain what threat is effectively mitigated by a firewall on a workstation machine? Here are some bad answers: snip - WebRTC, VOIP, etc. issues? These use NAT traversal techniques that are specifically designed to prevent your firewall from operating as intended. That's imprecise; NAT traversal techniques are designed to allow a *specific* counterparty through the firewall, not everyone on the Internet like disabling the firewall would do. - DLNA / Chromecast / whatever: wouldn't it be a lot more sensible for these things to be off until specifically requested? That would be about equivalent to controlling them only via a firewall. Who actually uses a so-called zone UI correctly to configure them? Who actually uses any other UI correctly to configure sharing zones?—nobody because there apparently isn't any. Firewalld has a zone implementation that can be improved upon. How about having an API where things like DLNA can simply not run until you're connected to your home network? Firewalld has a zone implementation that can be improved upon. Also, having a firewall on exposes you to a huge attack surface in iptables, and it doesn't protect against attacks targeting the kernel's IP stack. *Nothing* will ever protect you against attacks targeting the kernel's IP stack, that's a strawman. And the entire premise of a firewall is that the attack surface of the firewall (iptables in this case) is smaller than the attack premise of applications behind; intuitively it's very likely to be true, and AFAICT it's also been true historically. Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
2014-04-15 18:13 GMT+02:00 Andrew Lutomirski l...@mit.edu: Example: user installs software X... but oops, they didn't realize it was going to listen on port Y but that's okay, because no firewall rule has been enabled to allow traffic on port Y, so the user is secure. This sounds like a problem that should be separately fixed. Well, yes, but then *we really need to be 100% sure we have fixed it*. See also your own report that installing gnome-boxes pulls in running services with open ports. With firewalls, a service, system or otherwise, can be in one of three states: a) listening w/ firewall open, b) listening w/ firewall closed, c) and not listening. d) not listening, actively opening connections to the outside, and sending users' private data over there, or receiving commands from there to send arbitrary data. Just so we are clear on the relative threat levels, malicious applications (if you are lucky, only collecting data for the purpose of advertising) are so frequent nowadays that *they* are the primary threat of unwanted network communication, perhaps comparable only to automated ssh password guessing bots. Linux has so far been lucky in not having enough third-party applications for this to be a threat yet, but Workstation intends that to change. (And no, a firewall won't help you at all for d) ). I keep thinking that, if I had unlimited time, I'd write a totally different kind of firewall. It would allow some policy (userspace daemon or rules loaded into the kernel) to determine when programs can listen on what sockets and when connections can be accepted on those sockets. Similarly, ports (what I assume you mean) are getting less and less important nowadays. So much happens multiplexed over HTTP, and there are various zero-config browsing/advertising mechanisms that don't require use of fixed ports, only the privilege to advertise a port through the browsing mechanism. 
Wouldn't it be great if, when you start some program that wants to listen globally, your system could prompt you and ask whether it was okay, even if that program didn't know about firewalld? In general (assuming unknown software and not just specific 3 services that can be individually handled in control-center, or software specifically adjusted by Fedora to know about firewalld), no. I have no idea what the program is going to send over that connection, so I don't know how to answer, and the program can send the same data through an outgoing connection without ever interacting with the restricted listening functionality; I simply must trust the author of that program—or to prevent the program from accessing my data at all, and then the answer doesn't matter. Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
2014-04-15 22:49 GMT+02:00 Matthias Clasen mcla...@redhat.com: (firewalld features)
> So, what you have currently is a raw bit of infrastructure that is directly exposed to the end user, without any design or integration.

That's *precisely* what the underlying infrastructure should do, isn't it? It's up to the UI projects like GNOME or Cockpit to provide design and integration.

> What I envision is that we will notify the user when we connect to a new network, with a message along the lines of: You have connected to an new network.

This might be a misunderstanding, so just to be explicit: As written, that's too late. This user's decisions must happen *before* any traffic is possible and the user has connected.

Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
2014-04-16 1:28 GMT+02:00 Simo Sorce s...@redhat.com: if the users wants more flexibility then they would create new zones (like home, work, cafe, library, etc..) perhaps by cloning existing ones and then tweak the list of applications allowed to serve content in those zones. It would be better if the association were per-application rather than nameless ports. firewalld has a concept of services, so the port numbers don't need to, and *shouldn't*, appear in UIs. It still might make sense to discuss a true per-*application* privileges (e.g. Empathy is allowed to listen on any port), but only after we get reliable application isolation. Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
Hello, 2014-04-16 14:28 GMT+02:00 Josh Boyer jwbo...@fedoraproject.org: For a quick summary: 1) With a firewall enabled, network services don't work without manual intervention. To be perfectly clear, vast majority of network applications work perfectly fine. Network *servers* need manual intervention. 2) With firewalld active, any privileged application can open a port in the firewall (and most will be privileged because they will be packaged that way.) No; most applications are not packaged in any way to get extra privilege to manage a firewall, and they *shouldn't*; applications poking holes in a firewall for themselves is pointless cargo-cult nonsense. Some *user accounts* (members of wheel) are set up to be sufficiently privileged/root-equivalent so that they can open a port, but they really *are* root-equivalent so the specifics of what they can do to the firewall are not much relevant... at that point you really either trust all software you run, or not. There *could* be applications specifically designed to open a port in the firewall even for unprivileged users (e.g. by having a separate privileged helper talk to firewalld), I don't think there actually are any. 3) With no firewall enabled and no network services started, there is no security issue because there are no open ports. There still are all the security issues with outgoing communication; in particular, the browser does matter (much more than say portmap) and the firewall cannot protect it. 4) With no firewall but active network services, you have open ports just as you would in the firewalld or manual intervention firewall case No because 2) is false... or yes for the wheel-member users. Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
Hello, 2014-04-15 11:01 GMT+02:00 Jaroslav Reznik jrez...@redhat.com: = Proposed System Wide Change: Workstation: Disable firewall = https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall == Detailed Description == The current level of integration into the desktop and applications does not justify enabling the firewalld service by default. This line of argument doesn't make any sense to me. Enabling a firewall is justified by *needing a firewall*, not any kind, or level, of integration into other software. Therefore, we will disable the firewall service while we are working on a more user- friendly way to deal with network-related privacy issues. (combined with...) == Benefit to Fedora == The Workstation will boot faster, and the firewall will not interfere with sharing protocols such as DAAP, UPnP and others. So this actually means we will disable the firewall, *explicitly intending to allow exposing user's data over DAAP and the like*, *now*, and be working on... the privacy issues [not as a part of this Change], i.e. *later*? I do hope I'm misunderstanding the proposal, because this reads like a *highly irresponsible* and *completely unacceptable* transition plan. If the users needs to share data and have control over whether/how it is shared, we just can't take away that control now, and promise to return it sometime later[1]. (I could actually see a good case for not having a restrictive firewall on the Workstation by default, assuming some conditions were met; but if the *explicit intent* is to give up on users' control over their data like that, there's really no point in discussing the detailed requirements because the underlying intent is unacceptable and needs to be revisited.) 
Mirek [1] Actually, we can't even credibly promise to return it later—if we haven't had time or interest to develop the better controls now, why should the users trust us that we'll develop them later when without the firewall things work correctly for the intended use case and the work on better firewall integration is now even less urgent?
Re: F21 System Wide Change: Workstation: Disable firewall
Hello, 2014-04-15 16:28 GMT+02:00 Christian Schaller cscha...@redhat.com: - Original Message - From: Reindl Harald h.rei...@thelounge.net To: devel@lists.fedoraproject.org Sent: Tuesday, April 15, 2014 11:40:20 AM Subject: Re: F21 System Wide Change: Workstation: Disable firewall On 15.04.2014 11:32, drago01 wrote: On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald h.rei...@thelounge.net wrote: allow any random application to open a unprivileged port which is reachable from outside is dangerous We already allow that and have for a long while. Any application bothering to support the firewalld dbus interface can open any port they wish to. We don't, actually. *Only* applications running in a session of a member of the wheel group would have that right, and those applications are pretty much root-equivalent anyway. (Many GNOME users probably use such a setup, but it's not at all the only one possible.) The thread discussing this ended up with mostly being a discussion if the firewall would be a useful way to help users from accidentally oversharing on a public network. Which is important and something we want to work on, but a lot less so than security issues. Oversharing on a public network *absolutely is a security issue*. Heartbleed is exactly that, oversharing and nothing more! Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
On Thu, Apr 17, 2014 at 11:42:30PM +0200, Miloslav Trmač wrote:
> Hello,
> 2014-04-16 14:28 GMT+02:00 Josh Boyer jwbo...@fedoraproject.org:
>> For a quick summary:
>> 1) With a firewall enabled, network services don't work without manual intervention.
>
> To be perfectly clear, vast majority of network applications work perfectly fine. Network *servers* need manual intervention.

Not just servers. Clients that do broadcast or multicast discovery of other systems acting as servers can also fail with a firewall enabled. The classic case is SMB browsing.
Re: F21 System Wide Change: Workstation: Disable firewall
2014-04-17 23:51 GMT+02:00 Chuck Anderson c...@wpi.edu:
>> To be perfectly clear, vast majority of network applications work perfectly fine. Network *servers* need manual intervention.
>
> Not just servers. Clients that do broadcast or multicast discovery of other systems acting as servers can also fail with a firewall enabled. The classic case is SMB browsing.

Sorry, you're right. I was thinking of an idealized outgoing-connections-only firewall as opposed to the defaults we actually have.

Mirek
Re: F21 System Wide Change: Workstation: Disable firewall
+1

Can't UPnP be used also for opening ports in iptables firewall (maybe developing some tools for that)?

On 15/04/2014 15:42, Simone Caronni wrote:
> On 15 April 2014 14:35, Christopher ctubb...@apache.org wrote:
>> Whoa, the fact that the Firewall is on by default in Fedora (along with SELinux) is one of the reasons I choose Fedora over alternatives.
>
> Same thing here, It was really surprising to see it as a proposed feature. How can it be that after years we are disabling the firewall by default? I personally find it a big, big step backwards.
>
> Instead of disabling it, wouldn't be a better approach to have a more relaxed firewall policy for the workstation product that opens the additional ports for DAAP, UPnp, etc.?
>
> Regards,
> --Simone
>
> --
> You cannot discover new oceans unless you have the courage to lose sight of the shore (R. W. Emerson).
> http://xkcd.com/229/
> http://negativo17.org/
Re: F21 System Wide Change: Workstation: Disable firewall
On 17 Apr 2014, at 2:26, Thomas Woerner twoer...@redhat.com wrote: On 04/16/2014 06:43 PM, Tomasz Torcz wrote: On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote: I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the user if he wants to allow it. However this would still not be completely sufficient as you completely lack any context about what network you are operating on. The firewall's purpose is to block access to local services on bad networks too, it is not a binary open/close equation when you have machines (laptops) that roam across a variety of networks. Simo. Nothing worse then asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK? Which is not what I proposed Dan. I in fact said we should *NOT* ask per application. What we should ask is one single question, upon connecting to an unknown network: Is this network trusted ? If yes you open up to the local network. If no you keep ports not accessible on that network. But firewalld currently lacks flexibility to express this fully. Firewalld only classifies ”whole” interfaces, which breaks badly in many situations. Consider following scenario: VM with single network interface. This single interface has RFC1918 IPv4 address AND globally accesible IPv6 address. How it should be described in firewalld? firewalld supports to have rules for IPv4 and/or IPv6. – for any IPv4 incoming connection, this interface is in ”trusted” (”home”? I never know what home/work/dmz/etc really mean) You can full customize all zones. This is the reason there is no simple description for each zone. 
– for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone is still ”trusted” – for any other incoming connection the zone is ”public” (I hope this means ”general Internet”). Above is trivial in iptables, but impossible with firewalld's zones. firewalld also has the ability to bind zones to source addresses and address ranges. This might help here. You should define the trust based on the current subnet? Also links to documentation on this please for source binding
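The scenario from this exchange (one dual-stack interface, trust decided by the peer's address), as an added example that is not part of the original messages and is not firewalld code: a simplified Python model of zone selection in which a source binding takes precedence over the interface binding. The interface name `eth0`, the port numbers, the sample peers and the use of `0.0.0.0/0` to stand for "any IPv4 peer" are assumptions; overlapping source bindings are outside the model.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    accept_all: bool = False                        # 'trusted' accepts every connection
    open_ports: set = field(default_factory=set)    # {(port, proto)} allowed otherwise
    sources: list = field(default_factory=list)     # networks bound to this zone
    interfaces: set = field(default_factory=set)    # interfaces bound to this zone


def build_zones():
    """Zones for the VM described in the thread (values are constructed)."""
    trusted = Zone("trusted", accept_all=True)
    public = Zone("public", open_ports={(22, "tcp")})   # assumed: only ssh is open

    # Source binding, as created by:
    #   firewall-cmd --permanent --zone=trusted --add-source=2001:6a0:138:1::/64
    trusted.sources.append(ipaddress.ip_network("2001:6a0:138:1::/64"))
    # "Any IPv4 incoming connection" is modelled as one catch-all IPv4 source.
    trusted.sources.append(ipaddress.ip_network("0.0.0.0/0"))

    # Interface binding, as created by:
    #   firewall-cmd --permanent --zone=public --add-interface=eth0
    public.interfaces.add("eth0")
    return {"trusted": trusted, "public": public}


def resolve_zone(zones, src, iface, default="public"):
    """Pick the zone for an incoming connection: source, then interface, then default."""
    addr = ipaddress.ip_address(src)
    for zone in zones.values():
        for net in zone.sources:
            # An IPv4 network never matches an IPv6 peer, and vice versa.
            if addr.version == net.version and addr in net:
                return zone
    for zone in zones.values():
        if iface in zone.interfaces:
            return zone
    return zones[default]


def is_allowed(zones, src, iface, port, proto="tcp"):
    """True if the resolved zone lets this connection reach the local port."""
    zone = resolve_zone(zones, src, iface)
    return zone.accept_all or (port, proto) in zone.open_ports


# Constructed sample peers: (source address, interface, destination port)
SAMPLE_CONNECTIONS = [
    ("192.168.1.50", "eth0", 8200),         # RFC 1918 peer, media-sharing port
    ("2001:6a0:138:1::10", "eth0", 8200),   # peer inside the trusted /64
    ("2001:db8::1", "eth0", 8200),          # any other IPv6 peer
    ("2001:db8::1", "eth0", 22),            # same peer, ssh
]


def evaluate(connections):
    """Return (src, port, zone name, allowed) for each sample connection."""
    zones = build_zones()
    return [
        (src, port, resolve_zone(zones, src, iface).name,
         is_allowed(zones, src, iface, port))
        for src, iface, port in connections
    ]


if __name__ == "__main__":
    for src, port, zone, ok in evaluate(SAMPLE_CONNECTIONS):
        print(f"{src:>22} -> :{port:<5} zone={zone:<8} {'ACCEPT' if ok else 'REJECT'}")
```

The same interface lands in two zones depending on who is connecting, which is the behaviour the per-interface view of zones cannot express.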
Re: F21 System Wide Change: Workstation: Disable firewall
On 18 Apr 2014, at 7:37, Mattia Verga mattia.ve...@tiscali.it wrote:
> +1
> Can't UPnP be used also for opening ports in iptables firewall (maybe developing some tools for that)?

Upnp is almost always abused. Please don't use it.

> On 15/04/2014 15:42, Simone Caronni wrote:
>> On 15 April 2014 14:35, Christopher ctubb...@apache.org wrote:
>>> Whoa, the fact that the Firewall is on by default in Fedora (along with SELinux) is one of the reasons I choose Fedora over alternatives.
>>
>> Same thing here, It was really surprising to see it as a proposed feature. How can it be that after years we are disabling the firewall by default? I personally find it a big, big step backwards.
>>
>> Instead of disabling it, wouldn't be a better approach to have a more relaxed firewall policy for the workstation product that opens the additional ports for DAAP, UPnp, etc.?
>>
>> Regards,
>> --Simone
>>
>> --
>> You cannot discover new oceans unless you have the courage to lose sight of the shore (R. W. Emerson).
>> http://xkcd.com/229/
>> http://negativo17.org/
Re: F21 System Wide Change: Workstation: Disable firewall
On Apr 15, 2014 1:02 PM, Jaroslav Reznik jrez...@redhat.com wrote: = Proposed System Wide Change: Workstation: Disable firewall = https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall Change owner(s): Matthias Clasen mcla...@redhat.com The firewalld service will not be enabled by default in the workstation product. == Detailed Description == The current level of integration into the desktop and applications does not justify enabling the firewalld service by default. Additionally, the set of zones that we currently expose is excessive and not user-friendly. Therefore, we will disable the firewall service while we are working on a more user- friendly way to deal with network-related privacy issues. It will of course still be possible to enable the firewall manually. == Scope == * Proposal owners/Other developers: Add a Workstation-specific service configuration (preset ?) to the firewalld package that disables firewalld for the Workstation product * Release engineering: No action required * Policies and guidelines: No action required Probably we should write something like setroubleshoot? It will scan listen ports and with oneclick provide open ignore, etc.
Re: F21 System Wide Change: Workstation: Disable firewall
On 4/15/14, Michael Catanzaro mcatanz...@gnome.org wrote: On Tue, 2014-04-15 at 20:31 +0200, Alec Leamas wrote: Anyway, I get the feeling that the hunt for the really proper fix is not that fruitful here. OTOH, if you limit the goals to fulfill the basic statement to not let the default configuration of firewalld block the functionality of the default Workstations applications it should certainly be doable without writing a new firewall. Not the most elegant, ultimate solution, but something which solves the problem at hand. Yes, that's definitely the goal here. The Workstation technical spec does not say no firewall, it just says the firewall must not break default applications. That seems like a reasonable place to draw the line between security and usability. With the addendum that this can really only be done in a sane way if the network environment is trusted. Sharing music is not a sensible default on an un-trusted network. The user is the only one who knows if current location is trusted. Seems that most things could be done using zones. But the GUI needs an overhaul to let user have a better way to select zone. I like the idea of a simple Trusted network [Yes/No] type of choice, it should be enough for the Workstation scenarios (?). A thing here: once upon a time I read something about normal user operation requiring root password should be considered a bug. If this is still applicable (IMHO, it should be) there are some challenges in the laptop usecase, where user effectively configures the firewall when connecting to a wifi network marking it as trusted or not. --a
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, Apr 15, 2014 at 08:03:16PM +0200, Andreas Tunek wrote: I just want to say that I really support this feature. I do not see any point in a firewall for a Workstation. BTW, while we are on the subject, does anyone know how to actually disable the firewall in Fedora 20? I haven't managed to figure it out /Andreas -- Just wait for FC 21, it won't have any maybe there won't be any ... further. -- vikram... ^^'^^||root||^^^'''^^ // \\ )) //(( \\// \\ // /\\ || \\ || / )) ((\\ -- Eat drink and be merry, for tomorrow we diet. -- . - ~|~ =
Re: F21 System Wide Change: Workstation: Disable firewall
The scenario is scary, too many proposals/changes with negative connotations. Have we been breached... -- vikram... ^^'^^||root||^^^'''^^ // \\ )) //(( \\// \\ // /\\ || \\ || / )) ((\\ -- Our missions are peaceful -- not for conquest. When we do battle, it is only because we have no choice. -- Kirk, The Squire of Gothos, stardate 2124.5 -- O ~|~ =
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/15/2014 09:14 PM, Michael Cronenworth wrote: Christian Schaller wrote: We already allow that and have for a long while. Any application bothering to support the firewalld dbus interface can open any port they wish to. Good luck getting software to add this. A more sensible option would be to better tie NetworkManager into firewalld. When you make the first connection for any network device the user must be prompted for the firewall zone you wish to tie to the connection. Today, all connections get mapped to the Default zone, but if prompted, and you wanted to make the home zone essentially open then this would solve the OP's Change request. There have been plans about this, but it has been refused ...
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/15/2014 10:49 PM, Matthias Clasen wrote: On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: What you need is clearly different zones that the user can configure and associate to networks, with the default being that you trust nothing and everything is firewalled when you roam a new network. We have that already with zones in firewalld. Kindof. If I open the network panel and find the 'Firewall zone' combo, I am presented with a choice of: Default block dmz drop external home internal public trusted work This list is far too long, and none of it is translated or even properly capitalized. And there is no indication at all why one would choose any zone over any other, and what consequences it has. So, what you have currently is a raw bit of infrastructure that is directly exposed to the end user, without any design or integration. There have been plans about a firewall layer in gnome. The gnome team decided not to support it and not to work on anything that is firewall or firewalld related. There have been several meetings about this. Now complaining that it is not there and not integrated just makes me sad, especially as there was a tool in gnome 3, that has support for firewalld, but this support has been removed again. The limitations in gnome 3 are: - Applets are not easily visible in the desktop. - An applet is not always visible, even if the state in the applet is to be visible. - Sending out notifications is prohibiting the use of left and right mouse button menus: While the notification is visible, a left and right mouse button click on the applet only shows the notification. - After closing an notification sent out by the applet, the applet is made invisible in the tray with a still visible state in the applet. Not even a hide and show will make it visible anymore. - Left and right mouse button menus are loose in the desktop and are not visibly connected to the applet, it is not visible any more after clicking on it. 
GNOME doesn't have applets anymore, so complaining that your applet doesn't work great in GNOME is missing the point. So what would your solution then be for such a workflow today when applets aren't supported anymore? And of course one that would work for other desktops, as maintaining N versions for N different desktops doesn't scale. I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of. What I envision is that we will notify the user when we connect to a new network, with a message along the lines of: This has been planned before but has been refused. Coming up with this again is funny also. You have connected to a new network. If this is a public network, you may want to stop sharing your Music and disable Remote Logins. [Turn off sharing] [Continue sharing] [Sharing Preferences...] And we will remember this for when you later reconnect to the same network. This is exactly what zones are for, but you do not have to alter applications or logins. When we have this infrastructure, we can use this information to also set the network zone to Home/Public - I don't think the long list of zones I showed above makes any sense. Either you are at home and comfortable sharing the network, or not. If you're still interested to make this work I'm still willing to work on this together with you and the gnome team to make sure everyone will have the benefit of an out-of-box secure Fedora with an easy to use firewall with a proper UI. I've filed a bug for this: https://bugzilla.gnome.org/show_bug.cgi?id=727580 Matthias Thomas - firewalld maintainer
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/16/2014 01:11 AM, William Brown wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: What you need is clearly different zones that the user can configure and associate to networks, with the default being that you trust nothing and everything is firewalled when you roam a new network. We have that already with zones in firewalld. Kindof. If I open the network panel and find the 'Firewall zone' combo, I am presented with a choice of: Default block dmz drop external home internal public trusted work This list is far too long, and none of it is translated or even properly capitalized. And there is no indication at all why one would choose any zone over any other, and what consequences it has. Agreed Perhaps shorten to: block public work home The other network zone names really seem targeted at servers. Maybe each zone needs an attr that states if it's a workstation zone or not to determine if it joins this list? So, what you have currently is a raw bit of infrastructure that is directly exposed to the end user, without any design or integration. Additionally, the command line syntax to manage firewalld is obscene. (maybe slightly off topic ...) firewall-cmd --zone=foo --add-port=12345/tcp --permanent It doesn't autocomplete in bash either (zsh at least prefills the -- and gives you some options, but it's not great) There is bash autocompletion support since Fedora 19. But it not able to autocomplete unknown zone names and also not ports. Please try it again. At least for the power user on a workstation, fixing this syntax to at the minimum remove all the -- would be great. Follow that by nm-cli style short hand, and I would be a happy person. You could do: firewalld-cmd z=foo a-p=12345/tcp perm Because this syntax is hard I think that it even excludes power users from wanting to make their firewall work on their system. You are invited to work with us .. 
I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of. Never take decisions away from users. The OSX style firewall works well when enabled. It blocks all by default, then when an application wants a listening port, the user is prompted to allow or deny it. I think this is a good model. What I envision is that we will notify the user when we connect to a new network, with a message along the lines of: You have connected to a new network. If this is a public network, you may want to stop sharing your Music and disable Remote Logins. [Turn off sharing] [Continue sharing] [Sharing Preferences...] And we will remember this for when you later reconnect to the same network. Why not set the firewall zone when you join the network? And the above prompts alter that currently active zone? I've filed a bug for this: https://bugzilla.gnome.org/show_bug.cgi?id=727580 Matthias
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/16/2014 02:18 AM, Chuck Anderson wrote: On Tue, Apr 15, 2014 at 07:28:35PM -0400, Simo Sorce wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: You have connected to a new network. If this is a public network, you may want to stop sharing your Music and disable Remote Logins. [Turn off sharing] [Continue sharing] [Sharing Preferences...] So if you have 4 different services you get flooded with a ton of questions? Sounds like a bad idea. And we will remember this for when you later reconnect to the same network. If you set a *zone* instead then you have to remember only one association: network - zone, and you know where to go to change that, and to change in which zones an application is allowed to listen, instead of having tens of one offs. When we have this infrastructure, we can use this information to also set the network zone to Home/Public - I don't think the long list of zones I showed above makes any sense. Either you are at home and comfortable sharing the network, or not. A long list does not make sense by default, ideally the default is that you have only 2 zones: trusted/untrusted (you can choose whatever names), if the user wants more flexibility then they would create new zones (like home, work, cafe, library, etc..) perhaps by cloning existing ones and then tweak the list of applications allowed to serve content in those zones. It would be better if the association were per-application rather than nameless ports. Additionally, some zones should be bound to a certain network scope. Today you could say Home or Trusted for your RFC1918-behind-NAT network at home, but tomorrow your ISP could enable IPv6 and all of a sudden your system connected to that subnet is exposed to the whole world... So you really need some concept of scope to attach to the zone so you can only allow connections from within that scope. The hard part is how to define that scope. I believe Windows defaults to local subnet when you choose Home.
For this we need a better integration into NetworkManager. Additionally we can not make this work easily with network services. firewalld does not take care about the network configuration. I agree, it would be good to have support for this.
Re: F21 System Wide Change: Workstation: Disable firewall
On 16 April 2014 00:11, William Brown will...@firstyear.id.au wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of. Never take decisions away from users. The OSX style firewall works well when enabled. It blocks all by default, then when an application wants a listening port, the user is prompted to allow or deny it. I think this is a good model. Users can't understand a firewall, let's just turn it off (I realise that's not your position, it's the one that seems to be coming up in this thread.) Anyone else astounded this discussion is actually taking place? -- imalone http://ibmalone.blogspot.co.uk
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone ibmal...@gmail.com wrote: On 16 April 2014 00:11, William Brown will...@firstyear.id.au wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of. Never take decisions away from users. The OSX style firewall works well when enabled. It blocks all by default, then when an application wants a listening port, the user is prompted to allow or deny it. I think this is a good model. Users can't understand a firewall, let's just turn it off (I realise that's not your position, it's the one that seems to be coming up in this thread.) Anyone else astounded this discussion is actually taking place? I'm astounded that everyone on all sides is showing a complete inability to think outside their own box in this thread. Beyond that, nothing else surprises me. For a quick summary: 1) With a firewall enabled, network services don't work without manual intervention. 2) With firewalld active, any privileged application can open a port in the firewall (and most will be privileged because they will be packaged that way.) 3) With no firewall enabled and no network services started, there is no security issue because there are no open ports. 4) With no firewall but active network services, you have open ports just as you would in the firewalld or manual intervention firewall case 5) Which ports can safely be opened is completely irrelevant to the presence of a firewall or not. It is entirely dependent upon the trust of the network the machine is connected to. On unsafe networks, you have one of two options: a) turn off those network services, b) use a firewall to block the ports those network services need (which is a strange form of a). If those facts hold true, and I think they do, then I am not surprised at all that there's no consensus here. It isn't as clear cut as everyone seems to want it to be. 
The zones approach seems fairly reasonable to me. That in and of itself doesn't require a firewall though. Zones could be implemented by simply turning off the network services completely, which would then close the open ports. However, using a firewall to implement zones does allow for protection against unknown/unwanted network services running. A reduced set of zones firewall rules and proper integration in whatever implementation is chosen would seem to be the middle ground here. I like the middle ground. Maybe we could shoot for that? Otherwise, I won't be astounded at all when FESCo rejects the current Change and some users still turn off the firewall as one of the first things they do because things don't work. josh
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/15/2014 09:31 AM, Simo Sorce wrote: On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: I keep thinking that, if I had unlimited time, I'd write a totally different kind of firewall. It would allow some policy (userspace daemon or rules loaded into the kernel) to determine when programs can listen on what sockets and when connections can be accepted on those sockets. This avoids the attack surface of iptables, it will be faster, it can cause programs to actually report errors if you want them to, and it could be a lot easier to configure. Wouldn't it be great if, when you start some program that wants to listen globally, your system could prompt you and ask whether it was okay, even if that program didn't know about firewalld? I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the user if he wants to allow it. However this would still not be completely sufficient as you completely lack any context about what network you are operating on. The firewall's purpose is to block access to local services on bad networks too, it is not a binary open/close equation when you have machines (laptops) that roam across a variety of networks. Simo. Nothing worse than asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK? %99.999 will answer yes, and be aggravated. Setting up a rule that says app XYZ is allowed to open certain ports would be a great step forward. But there would need to be a provable way to guarantee that only the XYZ application is able to open those ports. You could do this with SELinux, but we would need to transition user apps to certain domains, but we would need to run users with a confined domain, and stop disabling SELinux...
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/16/2014 02:28 PM, Josh Boyer wrote: On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone ibmal...@gmail.com wrote: On 16 April 2014 00:11, William Brown will...@firstyear.id.au wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of. Never take decisions away from users. The OSX style firewall works well when enabled. It blocks all by default, then when an application wants a listening port, the user is prompted to allow or deny it. I think this is a good model. Users can't understand a firewall, let's just turn it off (I realise that's not your position, it's the one that seems to be coming up in this thread.) Anyone else astounded this discussion is actually taking place? I'm astounded that everyone on all sides is showing a complete inability to think outside their own box in this thread. Beyond that, nothing else surprises me. For a quick summary: 1) With a firewall enabled, network services don't work without manual intervention. 2) With firewalld active, any privileged application can open a port in the firewall (and most will be privileged because they will be packaged that way.) We are using auth_admin_keep. So the user needs to enter the admin password for all applications that are not running as root to modify the firewall. But an application (and the user) is able to get information about most parts without the admin password. 3) With no firewall enabled and no network services started, there is no security issue because there are no open ports. Mostly all desktop sharing tools are using dynamic ports and some or all of them are started as soon as you are logging in. 4) With no firewall but active network services, you have open ports just as you would in the firewalld or manual intervention firewall case No, see above. You need to authenticate them to be able to modify the firewall. 
5) Which ports can safely be opened is completely irrelevant to the presence of a firewall or not. It is entirely dependent upon the trust of the network the machine is connected to. On unsafe networks, you have one of two options: a) turn off those network services, b) use a firewall to block the ports those network services need (which is a strange form of a). If those facts hold true, and I think they do, then I am not surprised at all that there's no consensus here. It isn't as clear cut as everyone seems to want it to be. The zones approach seems fairly reasonable to me. That in and of itself doesn't require a firewall though. Zones could be implemented by simply turning off the network services completely, which would then close the open ports. However, using a firewall to implement zones does allow for protection against unknown/unwanted network services running. A reduced set of zones firewall rules and proper integration in whatever implementation is chosen would seem to be the middle ground here. I like the middle ground. Maybe we could shoot for that? Otherwise, I won't be astounded at all when FESCo rejects the current Change and some users still turn off the firewall as one of the first things they do because things don't work. There has been a plan about this before. It only needs to be reworked and implemented. josh Thomas
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, Apr 16, 2014 at 8:59 AM, Thomas Woerner twoer...@redhat.com wrote: On 04/16/2014 02:28 PM, Josh Boyer wrote: On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone ibmal...@gmail.com wrote: On 16 April 2014 00:11, William Brown will...@firstyear.id.au wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of. Never take decisions away from users. The OSX style firewall works well when enabled. It blocks all by default, then when an application wants a listening port, the user is prompted to allow or deny it. I think this is a good model. Users can't understand a firewall, let's just turn it off (I realise that's not your position, it's the one that seems to be coming up in this thread.) Anyone else astounded this discussion is actually taking place? I'm astounded that everyone on all sides is showing a complete inability to think outside their own box in this thread. Beyond that, nothing else surprises me. For a quick summary: 1) With a firewall enabled, network services don't work without manual intervention. 2) With firewalld active, any privileged application can open a port in the firewall (and most will be privileged because they will be packaged that way.) We are using auth_admin_keep. So the user needs to enter the admin password for all applications that are not running as root to modify the firewall. But an application (and the user) is able to get information about most parts without the admin password. 3) With no firewall enabled and no network services started, there is no security issue because there are no open ports. Mostly all desktop sharing tools are using dynamic ports and some or all of them are started as soon as you are logging in. That is true. Those would be network services though. If they aren't started, there are no open ports. If they are started, there are. I was being very literal. 
4) With no firewall but active network services, you have open ports just as you would in the firewalld or manual intervention firewall case No, see above. You need to authenticate them to be able to modify the firewall. For all intents and purposes, the end state winds up being the same. As Dan Walsh said in another email in this thread, asking users security questions results in them saying yes or authenticating in the vast majority of the cases. 5) Which ports can safely be opened is completely irrelevant to the presence of a firewall or not. It is entirely dependent upon the trust of the network the machine is connected to. On unsafe networks, you have one of two options: a) turn off those network services, b) use a firewall to block the ports those network services need (which is a strange form of a). If those facts hold true, and I think they do, then I am not surprised at all that there's no consensus here. It isn't as clear cut as everyone seems to want it to be. The zones approach seems fairly reasonable to me. That in and of itself doesn't require a firewall though. Zones could be implemented by simply turning off the network services completely, which would then close the open ports. However, using a firewall to implement zones does allow for protection against unknown/unwanted network services running. A reduced set of zones firewall rules and proper integration in whatever implementation is chosen would seem to be the middle ground here. I like the middle ground. Maybe we could shoot for that? Otherwise, I won't be astounded at all when FESCo rejects the current Change and some users still turn off the firewall as one of the first things they do because things don't work. There has been a plan about this before. It only need to be reworked and implemented. Well, sounds like a great first step! 
josh
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/16/2014 12:40 PM, Daniel J Walsh wrote: But there would need to be a provable way to guarantee that only the XYZ application is able to open those ports. Same way there needs to be provable way for end users to guarantee they aren't receiving false positive selinux alerts to begin with. JBG
Re: F21 System Wide Change: Workstation: Disable firewall
On 16.04.2014 12:31, Thomas Woerner wrote: On 04/15/2014 10:49 PM, Matthias Clasen wrote: On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: What you need is clearly different zones that the user can configure and associate to networks, with the default being that you trust nothing and everything is firewalled when you roam a new network. We have that already with zones in firewalld. Kindof. If I open the network panel and find the 'Firewall zone' combo, I am presented with a choice of: Default block dmz drop external home internal public trusted work This list is far too long, and none of it is translated or even properly capitalized. And there is no indication at all why one would choose any zone over any other, and what consequences it has. So, what you have currently is a raw bit of infrastructure that is directly exposed to the end user, without any design or integration. There have been plans about a firewall layer in gnome. The gnome team decided not to support it and not to work on anything that is firewall or firewalld related. There have been several meetings about this. Now complaining that it is not there and not integrated just makes me sad, especially as there was a tool in gnome 3, that has support for firewalld, but this support has been removed again. The limitations in gnome 3 are: - Applets are not easily visible in the desktop. - An applet is not always visible, even if the state in the applet is to be visible. - Sending out notifications is prohibiting the use of left and right mouse button menus: While the notification is visible, a left and right mouse button click on the applet only shows the notification. - After closing an notification sent out by the applet, the applet is made invisible in the tray with a still visible state in the applet. Not even a hide and show will make it visible anymore. 
- Left and right mouse button menus are loose in the desktop and are not visibly connected to the applet, it is not visible any more after clicking on it. GNOME doesn't have applets anymore, so complaining that your applet doesn't work great in GNOME is missing the point. So what would your solution then be for such a workflow today when applets aren't supported anymore? And of course one that would work for other desktops, as maintaining N versions for N different desktops doesn't scale. I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of. What I envision is that we will notify the user when we connect to a new network, with a message along the lines of: This has been planned before but has been refused. Coming up with this again is funny also. You have connected to an new network. If this is a public network, you may want to stop sharing your Music and disable Remote Logins. [Turn off sharing] [Continue sharing] [Sharing Preferences...] And we will remember this for when you later reconnect to the same network. This is exactly what zones are for, but you do not have to alter applications or logins. When we have this infrastructure, we can use this information to also set the network zone to Home/Public - I don't think the long list of zones I showed above makes any sense. Either you are at home and comfortable sharing the network, or not. If you're still interested to make this work I'm still willing to work on this together with you and the gnome team to make sure everyone will have the benefit of an out-of-box secure Fedora with an easy to use firewall with a proper UI. I've filed a bug for this: https://bugzilla.gnome.org/show_bug.cgi?id=727580 Matthias Thomas - firewalld maintainer Thanks for the revelation, Thomas! Josh, I hope you read this. Is this really how we want to promote Fedora!? 
poma
Re: F21 System Wide Change: Workstation: Disable firewall
On 16.04.2014 14:40, Daniel J Walsh wrote: Nothing worse than asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK? %99.999 will answer yes, and be aggravated. And from where did you get these percentages? :) poma
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote: On 04/15/2014 09:31 AM, Simo Sorce wrote: On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: I keep thinking that, if I had unlimited time, I'd write a totally different kind of firewall. It would allow some policy (userspace daemon or rules loaded into the kernel) to determine when programs can listen on what sockets and when connections can be accepted on those sockets. This avoids the attack surface of iptables, it will be faster, it can cause programs to actually report errors if you want them to, and it could be a lot easier to configure. Wouldn't it be great if, when you start some program that wants to listen globally, your system could prompt you and ask whether it was okay, even if that program didn't know about firewalld? I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the user if he wants to allow it. However this would still not be completely sufficient as you completely lack any context about what network you are operating on. The firewall's purpose is to block access to local services on bad networks too, it is not a binary open/close equation when you have machines (laptops) that roam across a variety of networks. Simo. Nothing worse then asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK? Which is not what I proposed Dan. I in fact said we should *NOT* ask per application. What we should ask is one single question, upon connecting to an unknown network: Is this network trusted ? If yes you open up to the local network. If no you keep ports not accessible on that network. 
We can hint that a cafe wifi is usually not trusted and users should say no, or perhaps we do not even ask and default to untrusted on open wifi networks, and only ask on secured networks (this would be my preference). %99.999 will answer yes, and be aggravated. Setting up a rule that says app XYZ is allowed to open certain ports would be a great step forward. But there would need to be a provable way to guarantee that only the XYZ application is able to open those ports. You could do this with SELinux, but we would need to transition user apps to certain domains, but we would need to run users with a confined domain, and stop disabling SELinux... I think we can do this in steps, I certainly agree with the long term goal. Simo. -- Simo Sorce * Red Hat, Inc * New York
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, 2014-04-16 at 08:28 -0400, Josh Boyer wrote:
> On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone ibmal...@gmail.com wrote:
> On 16 April 2014 00:11, William Brown will...@firstyear.id.au wrote:
> On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote:
>
> I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or should understand and make decisions of.
>
> Never take decisions away from users. The OSX style firewall works well when enabled. It blocks all by default, then when an application wants a listening port, the user is prompted to allow or deny it. I think this is a good model.
>
> Users can't understand a firewall, let's just turn it off (I realise that's not your position, it's the one that seems to be coming up in this thread.) Anyone else astounded this discussion is actually taking place?
>
> I'm astounded that everyone on all sides is showing a complete inability to think outside their own box in this thread. Beyond that, nothing else surprises me.
>
> For a quick summary:
>
> 1) With a firewall enabled, network services don't work without manual intervention.
> 2) With firewalld active, any privileged application can open a port in the firewall (and most will be privileged because they will be packaged that way.)
> 3) With no firewall enabled and no network services started, there is no security issue because there are no open ports.
> 4) With no firewall but active network services, you have open ports just as you would in the firewalld or manual intervention firewall case
> 5) Which ports can safely be opened is completely irrelevant to the presence of a firewall or not. It is entirely dependent upon the trust of the network the machine is connected to. On unsafe networks, you have one of two options: a) turn off those network services, b) use a firewall to block the ports those network services need (which is a strange form of a).

Sorry, but here you are misunderstanding the nuances of a trusted network.

When I say trusted network I mean *local network* and local means the firewall uses the subnet mask (as a gross approximation) to limit who can connect. Also, if you have a VPN or virtual machines running on your laptop those may count as trusted networks, but they coexist with untrusted ones (the open wifi you are connected to).

So, no b) is absolutely not a strange form of a), because turning off services is an all or nothing thing, and some users may be fine with that, but most want the service to be available locally (DLNA) or to his own Virtual Machines (SMB/NFS shares) but not broadly, so an on/off switch is simply insufficient.

> If those facts hold true, and I think they do, then I am not surprised at all that there's no consensus here. It isn't as clear cut as everyone seems to want it to be.

I think they don't, sorry, the discussion is more nuanced, which is why people are appalled by the proposal.

> The zones approach seems fairly reasonable to me. That in and of itself doesn't require a firewall though.

It absolutely does, see above. The definition of zone often includes the concept of local network.

> Zones could be implemented by simply turning off the network services completely, which would then close the open ports. However, using a firewall to implement zones does allow for protection against unknown/unwanted network services running.

It also allows to partition who can see what, we are constantly connected to multiple networks nowadays (think developers and virtual machines).

> A reduced set of zones firewall rules and proper integration in whatever implementation is chosen would seem to be the middle ground here.
>
> I like the middle ground. Maybe we could shoot for that?
>
> I certainly hope we can shoot for a simplified middle ground to start with. Otherwise, I won't be astounded at all when FESCo rejects the current Change and some users still turn off the firewall as one of the first things they do because things don't work.

Right, if nothing is done the only sensible solution is for FESCo to refuse the change, and then the only recourse a lot of users will have is to turn it off first thing :-(

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote:
> I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the user if he wants to allow it. However this would still not be completely sufficient as you completely lack any context about what network you are operating on. The firewall's purpose is to block access to local services on bad networks too, it is not a binary open/close equation when you have machines (laptops) that roam across a variety of networks. Simo.
>
> Nothing worse than asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK?
>
> Which is not what I proposed Dan. I in fact said we should *NOT* ask per application. What we should ask is one single question, upon connecting to an unknown network: Is this network trusted ? If yes you open up to the local network. If no you keep ports not accessible on that network.

But firewalld currently lacks flexibility to express this fully. Firewalld only classifies "whole" interfaces, which breaks badly in many situations. Consider the following scenario: VM with single network interface. This single interface has RFC1918 IPv4 address AND globally accessible IPv6 address. How should it be described in firewalld?

– for any IPv4 incoming connection, this interface is in "trusted" ("home"? I never know what home/work/dmz/etc really mean)
– for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone is still "trusted"
– for any other incoming connection the zone is "public" (I hope this means "general Internet").

Above is trivial in iptables, but impossible with firewalld's zones.

--
Tomasz Torcz
xmpp: zdzich...@chrome.pl
Morality must always be based on practicality. -- Baron Vladimir Harkonnen
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, 2014-04-16 at 18:43 +0200, Tomasz Torcz wrote:
> On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote:
>
> I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the user if he wants to allow it. However this would still not be completely sufficient as you completely lack any context about what network you are operating on. The firewall's purpose is to block access to local services on bad networks too, it is not a binary open/close equation when you have machines (laptops) that roam across a variety of networks. Simo.
>
> Nothing worse than asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK?
>
> Which is not what I proposed Dan. I in fact said we should *NOT* ask per application. What we should ask is one single question, upon connecting to an unknown network: Is this network trusted ? If yes you open up to the local network. If no you keep ports not accessible on that network.
>
> But firewalld currently lacks flexibility to express this fully. Firewalld only classifies "whole" interfaces, which breaks badly in many situations. Consider the following scenario: VM with single network interface. This single interface has RFC1918 IPv4 address AND globally accessible IPv6 address. How should it be described in firewalld?
>
> – for any IPv4 incoming connection, this interface is in "trusted" ("home"? I never know what home/work/dmz/etc really mean)
> – for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone is still "trusted"
> – for any other incoming connection the zone is "public" (I hope this means "general Internet").
>
> Above is trivial in iptables, but impossible with firewalld's zones.

Clearly firewalld zones need to be improved. The underlying iptables (and nftables in the future) clearly are capable. The fact firewalld is currently limited doesn't mean we need to write off the approach. There is still value in being able to say virt0 is trusted and wlan0 is not.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, Apr 16, 2014 at 12:43 PM, Tomasz Torcz to...@pipebreaker.pl wrote:
> On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote:
>
> I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the user if he wants to allow it. However this would still not be completely sufficient as you completely lack any context about what network you are operating on. The firewall's purpose is to block access to local services on bad networks too, it is not a binary open/close equation when you have machines (laptops) that roam across a variety of networks. Simo.
>
> Nothing worse than asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK?
>
> Which is not what I proposed Dan. I in fact said we should *NOT* ask per application. What we should ask is one single question, upon connecting to an unknown network: Is this network trusted ? If yes you open up to the local network. If no you keep ports not accessible on that network.
>
> But firewalld currently lacks flexibility to express this fully.

currently is the key word.

> Firewalld only classifies whole interfaces, which breaks badly in many situations. Consider the following scenario: VM with single network interface. This single interface has RFC1918 IPv4 address AND globally accessible IPv6 address. How should it be described in firewalld?
>
> - for any IPv4 incoming connection, this interface is in trusted (home? I never know what home/work/dmz/etc really mean)

Sure.

> - for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone is still trusted

Sure?

> - for any other incoming connection the zone is public (I hope this means general Internet).

Sure.

> Above is trivial in iptables, but impossible with firewalld's zones.

So fix it?

josh
Re: F21 System Wide Change: Workstation: Disable firewall
On 04/16/2014 06:43 PM, Tomasz Torcz wrote:
> On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote:
>
> I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the user if he wants to allow it. However this would still not be completely sufficient as you completely lack any context about what network you are operating on. The firewall's purpose is to block access to local services on bad networks too, it is not a binary open/close equation when you have machines (laptops) that roam across a variety of networks. Simo.
>
> Nothing worse than asking Users Security related questions about opening firewall ports. Users will just answer yes, whether or not they are being hacked. firefox wants to listen on port 9900 in order to see this page, OK?
>
> Which is not what I proposed Dan. I in fact said we should *NOT* ask per application. What we should ask is one single question, upon connecting to an unknown network: Is this network trusted ? If yes you open up to the local network. If no you keep ports not accessible on that network.
>
> But firewalld currently lacks flexibility to express this fully. Firewalld only classifies "whole" interfaces, which breaks badly in many situations. Consider the following scenario: VM with single network interface. This single interface has RFC1918 IPv4 address AND globally accessible IPv6 address. How should it be described in firewalld?

firewalld supports to have rules for IPv4 and/or IPv6.

> – for any IPv4 incoming connection, this interface is in "trusted" ("home"? I never know what home/work/dmz/etc really mean)

You can fully customize all zones. This is the reason there is no simple description for each zone.

> – for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone is still "trusted"
> – for any other incoming connection the zone is "public" (I hope this means "general Internet").
>
> Above is trivial in iptables, but impossible with firewalld's zones.

firewalld also has the ability to bind zones to source addresses and address ranges. This might help here.

Thomas
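A simplified model of the source-bound zones Thomas Woerner mentions, applied to the single-interface scenario from Tomasz Torcz's message. This is an added example, not firewalld code and not something posted in the thread; the per-zone port sets, the interface name eth0, the sample peers, and the source-before-interface lookup order are assumptions of the model.

```python
import ipaddress

# Constructed zone policies: TCP ports each zone accepts (None = accept everything).
ZONE_PORTS = {"trusted": None, "public": {22}}

# Constructed bindings for the single-interface VM described in the thread.
SOURCE_BINDINGS = [
    ("0.0.0.0/0", "trusted"),            # any IPv4 peer (host only has an RFC1918 address)
    ("2001:6a0:138:1::/64", "trusted"),  # the local IPv6 subnet named in the thread
]
INTERFACE_BINDINGS = {"eth0": "public"}  # everything else arriving on eth0
DEFAULT_ZONE = "public"

# Constructed sample peers: private IPv4, public IPv4, local IPv6, foreign IPv6.
SAMPLE_PEERS = ["192.168.122.10", "203.0.113.5", "2001:6a0:138:1::25", "2001:db8::1"]


def parse_sources(bindings):
    """Validate source bindings; one network may belong to only one zone."""
    table, seen = [], {}
    for cidr, zone in bindings:
        net = ipaddress.ip_network(cidr)  # ValueError on bad input or stray host bits
        if zone not in ZONE_PORTS:
            raise ValueError(f"unknown zone {zone!r}")
        if net in seen:
            raise ValueError(f"{net} is already bound to zone {seen[net]!r}")
        seen[net] = zone
        table.append((net, zone))
    return table


def zone_for(src, iface, sources, interfaces=INTERFACE_BINDINGS):
    """Pick the zone for one incoming connection: source binding first, then interface."""
    addr = ipaddress.ip_address(src)
    for net, zone in sources:
        # An IPv4 peer can never match an IPv6 binding, and vice versa.
        if addr.version == net.version and addr in net:
            return zone
    return interfaces.get(iface, DEFAULT_ZONE)


def allowed(src, iface, port, sources):
    """True if the zone chosen for this peer accepts the destination port."""
    ports = ZONE_PORTS[zone_for(src, iface, sources)]
    return ports is None or port in ports


def compare(port=445):
    """For each sample peer: (peer, interface-only verdict, source-aware verdict)."""
    sources = parse_sources(SOURCE_BINDINGS)
    return [
        (peer,
         allowed(peer, "eth0", port, []),       # whole interface in one zone
         allowed(peer, "eth0", port, sources))  # zones bound to source ranges
        for peer in SAMPLE_PEERS
    ]


if __name__ == "__main__":
    for peer, iface_only, with_sources in compare():
        print(f"{peer:22} interface-only={iface_only!s:5} source-aware={with_sources}")
```

With the interface alone bound to one zone, the SMB port is either closed to every peer or open to every peer; the source bindings are what let the local IPv6 /64 and IPv4 peers in while the rest of the IPv6 Internet stays in the restrictive zone.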
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, Apr 16, 2014 at 06:56:21PM +0200, Thomas Woerner wrote:
> – for any IPv4 incoming connection, this interface is in "trusted" ("home"? I never know what home/work/dmz/etc really mean)
>
> You can fully customize all zones. This is the reason there is no simple description for each zone.
>
> – for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone is still "trusted"
> – for any other incoming connection the zone is "public" (I hope this means "general Internet").
>
> Above is trivial in iptables, but impossible with firewalld's zones.
>
> firewalld also has the ability to bind zones to source addresses and address ranges. This might help here.

That sounds promising and revisits my perception of firewalld. Thank you!

--
Tomasz Torcz
xmpp: zdzich...@chrome.pl
Morality must always be based on practicality. -- Baron Vladimir Harkonnen
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, Apr 15, 2014 at 08:14:01PM -0400, Christopher wrote:
> Perhaps shorten to: block public work home
>
> That is a much more intuitive default set.

Is it? What's supposed to be the difference between work and home?

Lars
Re: F21 System Wide Change: Workstation: Disable firewall
On Thu, Apr 17, 2014 at 12:55:31AM +0200, Lars Seipel wrote:
> Perhaps shorten to: block public work home
>
> That is a much more intuitive default set.
>
> Is it? What's supposed to be the difference between work and home?

I don't know if it's intuitive or not, but I can imagine that I might want to share music to my home network by default but wouldn't want that to happen at work.

--
Matthew Miller -- Fedora Project -- mat...@fedoraproject.org
Tepid change for the somewhat better!
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, Apr 16, 2014 at 3:58 PM, Matthew Miller mat...@fedoraproject.org wrote:
> On Thu, Apr 17, 2014 at 12:55:31AM +0200, Lars Seipel wrote:
>
> Perhaps shorten to: block public work home
>
> That is a much more intuitive default set.
>
> Is it? What's supposed to be the difference between work and home?
>
> I don't know if it's intuitive or not, but I can imagine that I might want to share music to my home network by default but wouldn't want that to happen at work.

For that matter, what's the difference between public and block? This has always bugged me about Windows 7's firewall. I never know what to click, because I have no idea what the options do.

--Andy
Re: F21 System Wide Change: Workstation: Disable firewall
On Wed, Apr 16, 2014 at 6:55 PM, Lars Seipel lars.sei...@gmail.com wrote:
> On Tue, Apr 15, 2014 at 08:14:01PM -0400, Christopher wrote:
>
> Perhaps shorten to: block public work home
>
> That is a much more intuitive default set.
>
> Is it? What's supposed to be the difference between work and home?

Whatever they are now, perhaps? What I mean by more intuitive set, is that I understand how to map these to my daily life activities, and the various networks I connect to, much more so than I would the overabundance of zones that exist today. I do not mean that I understand which services will be exposed by default for a particular zone (but I don't know that today, with the multitude of options, either...). I hope that's clear what I meant.

> Lars
F21 System Wide Change: Workstation: Disable firewall
= Proposed System Wide Change: Workstation: Disable firewall =
https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall

Change owner(s): Matthias Clasen mcla...@redhat.com

The firewalld service will not be enabled by default in the workstation product.

== Detailed Description ==
The current level of integration into the desktop and applications does not justify enabling the firewalld service by default. Additionally, the set of zones that we currently expose is excessive and not user-friendly. Therefore, we will disable the firewall service while we are working on a more user-friendly way to deal with network-related privacy issues.

It will of course still be possible to enable the firewall manually.

== Scope ==
* Proposal owners/Other developers: Add a Workstation-specific service configuration (preset ?) to the firewalld package that disables firewalld for the Workstation product
* Release engineering: No action required
* Policies and guidelines: No action required

___
devel-announce mailing list
devel-annou...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
Re: F21 System Wide Change: Workstation: Disable firewall
On 15.04.2014 11:01, Jaroslav Reznik wrote:
> = Proposed System Wide Change: Workstation: Disable firewall =
> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>
> Change owner(s): Matthias Clasen mcla...@redhat.com
>
> The firewalld service will not be enabled by default in the workstation product.
>
> == Detailed Description ==
> The current level of integration into the desktop and applications does not justify enabling the firewalld service by default. Additionally, the set of zones that we currently expose is excessive and not user-friendly. Therefore, we will disable the firewall service while we are working on a more user-friendly way to deal with network-related privacy issues.
>
> It will of course still be possible to enable the firewall manually.
>
> == Scope ==
> * Proposal owners/Other developers: Add a Workstation-specific service configuration (preset ?) to the firewalld package that disables firewalld for the Workstation product
> * Release engineering: No action required
> * Policies and guidelines: No action required
>
> User Experience
> Applications that are using sharing protocols such as DAAP or UPnP will work out of the box, without the need to tweak or disable the firewall service

seriously going the Apple way and back to where WinXP before SP3 was?

users running applications which opening a high port in the background like license checks and so on (as example ZendStudio) will be really thankful that as default these ports are open on the WAN

honestly whoever proposes such a change has to understand that these days it is not uncommon to have directly to the WAN exposed machines with no safety NAT/router between (UMTS/3G sticks, untrusted WLAN)

independent of whatever product a new installed system has not to open any port by default - anybody proposing the opposite is careless and ignorant if it comes to security

do we really want to go the way of dangerous defaults without at least two buttons secure defaults and i don't care due the installation?
Re: F21 System Wide Change: Workstation: Disable firewall
On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald h.rei...@thelounge.net wrote:
> On 15.04.2014 11:01, Jaroslav Reznik wrote:
>
> = Proposed System Wide Change: Workstation: Disable firewall =
> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>
> Change owner(s): Matthias Clasen mcla...@redhat.com
>
> The firewalld service will not be enabled by default in the workstation product.
>
> == Detailed Description ==
> The current level of integration into the desktop and applications does not justify enabling the firewalld service by default. Additionally, the set of zones that we currently expose is excessive and not user-friendly. Therefore, we will disable the firewall service while we are working on a more user-friendly way to deal with network-related privacy issues.
>
> It will of course still be possible to enable the firewall manually.
>
> == Scope ==
> * Proposal owners/Other developers: Add a Workstation-specific service configuration (preset ?) to the firewalld package that disables firewalld for the Workstation product
> * Release engineering: No action required
> * Policies and guidelines: No action required
>
> User Experience
> Applications that are using sharing protocols such as DAAP or UPnP will work out of the box, without the need to tweak or disable the firewall service
>
> seriously going the Apple way and back to where WinXP before SP3 was?

strawman.

> users running applications which opening a high port in the background like license checks and so on (as example ZendStudio) will be really thankful that as default these ports are open on the WAN

Why does it listen on a port for license checks? It should just contact the server and not the other way. Besides no one is stopping you from enabling the firewall.

> honestly whoever proposes such a change has to understand that these days it is not uncommon to have directly to the WAN exposed machines with no safety NAT/router between (UMTS/3G sticks, untrusted WLAN)
>
> independent of whatever product a new installed system has not to open any port by default

I agree to that but the point is open by default. But if the user chooses to open it to share a file or whatever it should just work.

> - anybody proposing the opposite is careless and ignorant if it comes to security
>
> do we really want to go the way of dangerous defaults without

... dangerous ? So install the workstation package set. Boot it up. Disable the firewall. Which kind of vulnerabilities are you able to find? Which ports are accessible? What can you do with them?

> at least two buttons secure defaults and i don't care due the installation?

No that's dumb.
Re: F21 System Wide Change: Workstation: Disable firewall
On 4/15/14, Reindl Harald h.rei...@thelounge.net wrote:
> On 15.04.2014 11:01, Jaroslav Reznik wrote:
>
> = Proposed System Wide Change: Workstation: Disable firewall =
> https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall
>
> Change owner(s): Matthias Clasen mcla...@redhat.com
>
> The firewalld service will not be enabled by default in the workstation product.
>
> == Detailed Description ==
> The current level of integration into the desktop and applications does not justify enabling the firewalld service by default.

[cut]

Isn't the integration something which should be fixed rather than walked-around?

> It will of course still be possible to enable the firewall manually.

Nope. There will be scenarios where a user will have exposed the new machine before the firewall is enabled.

> seriously going the Apple way and back to where WinXP before SP3 was?

Actually, it will be worse. Users are expecting the firewall to be present, and breaking that assumption will create all sorts of problems. In the old days, at least experienced users knew about the missing firewall and related problems.

[cut]

> honestly whoever proposes such a change has to understand that these days it is not uncommon to have directly to the WAN exposed machines with no safety NAT/router between (UMTS/3G sticks, untrusted WLAN)

+1

If you really, really want to walk this path it might be better with some kind of post-install configuration step optionally disabling the firewall (with user dialog). This would at least make things visible, and not leave the system open from the beginning.

But the proper solution is certainly to fix the application/firewall integration.

--alec
Re: F21 System Wide Change: Workstation: Disable firewall
On 15.04.2014 11:32, drago01 wrote:
> On Tue, Apr 15, 2014 at 11:18 AM, Reindl Harald h.rei...@thelounge.net wrote:
>
> User Experience
> Applications that are using sharing protocols such as DAAP or UPnP will work out of the box, without the need to tweak or disable the firewall service
>
> seriously going the Apple way and back to where WinXP before SP3 was?
>
> strawman

no it's a fact, before SP3 WinXP had no firewall and MS learned

> users running applications which opening a high port in the background like license checks and so on (as example ZendStudio) will be really thankful that as default these ports are open on the WAN
>
> Why does it listen on a port for license checks? It should just contact the server and not the other way.

it's hardly your business nor mine, fact is that you as os-vendor can not know what application is opening whatever ports and that's why you have to ship secure defaults

> Besides no one is stopping you from enabling the firewall

did you really not learn anything from the past 10 years like new Windows setups were infected before you even had the chance to install the security updates or enable a firewall?

it is not a point of *what i can do and do* it is a point what the ordinary 08/15 user does which assumes to have a by default secure system after install

> honestly whoever proposes such a change has to understand that these days it is not uncommon to have directly to the WAN exposed machines with no safety NAT/router between (UMTS/3G sticks, untrusted WLAN)
>
> independent of whatever product a new installed system has not to open any port by default
>
> I agree to that but the point is open by default. But if the user chooses to open it to share a file or whatever it should just work.
>
> - anybody proposing the opposite is careless and ignorant if it comes to security
>
> do we really want to go the way of dangerous defaults without
>
> ... dangerous ?

allow any random application to open a unprivileged port which is reachable from outside is dangerous

> So install the workstation package set. Boot it up. Disable the firewall. Which kind of vulnerabilities are you able to find? Which ports are accessible? What can you do with them?

*we talk about a operating system*

there is installed software later i do not know and you do not know what is running on the users machine

> at least two buttons secure defaults and i don't care due the installation?
>
> No that's dumb

dumb is we can't handle security currently in a default install and so we disable it completely with other words like we will disable the firewall service while we are working on a more user-friendly way to deal with network-related privacy issues
Re: F21 System Wide Change: Workstation: Disable firewall
On 15.04.2014 11:32, drago01 wrote:
> do we really want to go the way of dangerous defaults without
>
> ... dangerous ? So install the workstation package set. Boot it up. Disable the firewall. Which kind of vulnerabilities are you able to find? Which ports are accessible?

Avahi at least

> What can you do with them?

that will the time tell you after there were security flaws nobody expected before when it is too late - it is somehow pervert to argue that way and make proposals to weaken the default security exactly one week after Heartbleed

what can you do with them if it comes to security is the wrong question - what can you not do with them and how do you prove that would be the right question

not a single security flaw in the past years was expected and now instead learn of them we disable security layers?

short ago it was proposed drop tcpwrapper from the distribution because there is a firewall and we should rely on a single layer of defense followed directly by oh and now let us disable that security layer in a default install

to make it clear: myself is not affected by such things but it scares me because i have to fight as server-admin with the impact of dumb security decisions and the resulting botnets

and yes you have to be very careful with but we are not vulnerable like this and that because that's the first step to fall hard