On Tue, Sep 24, 2013 at 8:11 PM, Kurt Seifried <kseifried@xxxxxxxxxx> wrote:
> 1) it would be nice to have capabilities like "do you want to let
> program X talk to the internet/receive connections" for client
> software with a GUI notification (like basically all the windows
> client/Mac OS X client firewall stuff). I would say this is probably
> the biggest capability needed for normal end users.

This really doesn't work.

On the UI level:

* It's impossible to ask about outgoing connections: "Do you want
  /usr/bin/yncp program to connect to 23.56.68.226 port 31337"? At best,
  the user will be afraid and click "no"; or perhaps they will guess that
  yncp stands for "your new chat program" that has been recently
  installed, and understand that it is wanting to connect - and of course
  they want the chat program to connect. Nobody will ever realize that
  that IP address is what www.nsa.gov resolves to, and that the port is
  the default for Black Orifice.

* It's impossible to ask about opening listening sockets: "Do you want
  /usr/bin/yncp to accept connection requests over the Internet?" - "Of
  course I want my chat program to accept conversations!"

* There isn't any practical difference between the two any more anyway,
  due to the prevalence of NAT firewalls.

On the security architecture level, we don't have a concept of "program
X" that is good enough for making security decisions (e.g. due to ptrace,
shared access to the configuration in home directory, lack of X11 access
control). This is a known problem, and is being slowly worked on, and
will hopefully eventually be solved; however the UI problems are pretty
much unsolvable.

> Overall I'm not really sure firewalld solves much, anyone running a
> server will probably be able to tweak iptables to allow incoming
> services they want.

Anyone running a server will probably be able to learn iptables if they
have to. Still,

> -A INPUT -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT

is a pretty sad thing to have to type in 2013 - we have all these
computer things that are supposedly good at automating boring work, so
why shouldn't this be automated/abstracted away by the computer?

> So do we aim it at the end user/workstation style
> usage primarily (especially ones that move around networks)?

No, firewalld is primarily aimed at "network end-points", managed by an
administrator who understands IP networks but does not necessarily know
iptables by heart.

Mirek
-- 
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security
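The mDNS rule quoted in the reply is a good illustration of what a service-level abstraction hides from the administrator. As an added example, not part of the thread and not firewalld's own code, the following script parses a constructed service definition written in the shape of firewalld's services/*.xml files (the `<short>`, `<port protocol= port=>` and `<destination ipv4= ipv6=>` elements; the exact upstream files are assumed, not copied) and renders the equivalent iptables and ip6tables append rules. It goes slightly beyond the mail's single rule by also handling port ranges and services without a destination restriction.

```python
import xml.etree.ElementTree as ET

# Constructed service definitions in the shape of firewalld's
# services/*.xml files (an assumed shape for this example; the files
# shipped by the project may differ in detail).
MDNS_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>mDNS</short>
  <description>Multicast DNS on the local link (constructed sample).</description>
  <port protocol="udp" port="5353"/>
  <destination ipv4="224.0.0.251" ipv6="ff02::fb"/>
</service>
"""

RANGE_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Sample range service</short>
  <description>A service spanning a port range, no destination (constructed sample).</description>
  <port protocol="tcp" port="6881-6999"/>
  <port protocol="udp" port="6881-6999"/>
</service>
"""


def parse_service(xml_text):
    """Return the parts of a service definition that matter for a filter rule."""
    root = ET.fromstring(xml_text)
    ports = [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
    dest = root.find("destination")
    return {
        "short": root.findtext("short", default=""),
        "ports": ports,
        "ipv4": dest.get("ipv4") if dest is not None else None,
        "ipv6": dest.get("ipv6") if dest is not None else None,
    }


def render_rules(service, family="ipv4", chain="INPUT"):
    """Render iptables (family="ipv4") or ip6tables (family="ipv6") rules.

    A firewalld-style port "6881-6999" becomes the iptables range syntax
    "6881:6999". A <destination> address restricts the rule to that
    address, which is what keeps the mDNS rule from accepting 5353/udp
    for every destination on the host, not just the multicast group.
    """
    prefix = 32 if family == "ipv4" else 128
    dest = service[family]
    rules = []
    for proto, port in service["ports"]:
        parts = ["-A", chain]
        if dest:
            parts += ["-d", f"{dest}/{prefix}"]
        parts += ["-p", proto, "-m", proto, "--dport", port.replace("-", ":"),
                  "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]
        rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    for xml_text in (MDNS_SERVICE_XML, RANGE_SERVICE_XML):
        svc = parse_service(xml_text)
        print(f"# {svc['short']}")
        for rule in render_rules(svc):
            print("iptables", rule)
        for rule in render_rules(svc, family="ipv6"):
            print("ip6tables", rule)
```

For the mDNS definition the IPv4 output is character-for-character the rule quoted in the mail; the IPv6 rule for ff02::fb is the part an administrator typing by hand most often forgets. Real firewalld places its rules in its own zone chains rather than directly in INPUT, so these lines show the content of the abstraction, not the exact chain layout.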