On Tue, 04.05.10 17:04, William Jon McCann (william.jon.mccann@xxxxxxxxx) wrote:

> Hey,
>
> So I know we've had long threads about this on fedora-devel but it
> isn't clear to me anything came out of them. Maybe we can be more
> specific.
>
> Does our current firewall policy for the desktop install make sense?
>
> Does a firewall add any value at all?
>
> Should we have a bidirectional firewall?
>
> Other thoughts? I'd be interested to know if we at least have rough
> agreement between people who have written or maintain network
> listening services like David, Lennart, Colin, and Owen.

There was a private discussion about that by email by a few folks, initiated by Bastien IIRC, a few weeks ago. It died after a while.

However, I think some of the folks involved agree with me that for the long run we should have a firewall that focuses on "profiles" instead of activating separate services individually, which has been suggested quite often and is particularly pushed by some baseos people.

In more detail: I want a minimal system where I can activate one of the predefined firewall profiles "Internet Cafe", "Corporate Network" and "Trusted/Home Network" (or similarly named), plus any others defined by the admin, and which can be attached to the various interfaces and are activated for them when they go up, and only for them for each iface.

Bastien suggested the various apps should be able to show hints like "You need to enable service 'mDNS/DNS-SD' to use this service, please click here to enable it" in the UI for the various programs, when they are blocked by the fw.

I am more arguing for a UI that would show "Your current firewall 'Internet Cafe' does not allow service 'mDNS/DNS-SD' to work. Please change to profile 'Corporate Network' or 'Trusted Network' if you want to use this service and you are in a suitable network."

Rationale behind this: systems are mobile, hence if you enable "mDNS" in one network it should not mean it is from then on enabled in every network you move your machine to. And secondly, I doubt we could reasonably explain the differences between the various browsing services to people (i.e. SMB, mDNS, uPNP), and hence I'd argue that when you enable one of those services it should be ok to enable the other ones mentioned here as well. On a network where uPnP is OK to be used, mDNS is too. Something similar applies to other protocols.

It would be a great step ahead if the discussions we have every now and then on fedora-devel whether some specific software should be enabled in the fw would become more specific: instead of asking whether avahi should be whitelisted in the default fw, I'd like to move those discussions in the direction that people ask whether avahi should be enabled in the "Corporate Network" profile or not.

I think Windows has a similar profiles system now, too.

Lennart

--
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

--
desktop mailing list
desktop@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/desktop
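The profile model described in the mail (a named profile bound to an interface, activated when that interface comes up, and a UI hint that points at a profile rather than at a single service toggle) can be sketched in a few dozen lines. The following is an added example written for this page; it is not Fedora's, firewalld's or Lennart's code. The three profile names come from the mail; the service-to-port table, which services each profile admits, the interface names and the nftables rendering are assumptions made here for illustration.

```python
"""Profile-based, per-interface firewall policy (constructed example).

Profile names follow the mail; the service/port table, the profile
contents and the interface names are assumptions for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Services by the names a user would see, mapped to the standard
# (protocol, port) pairs they listen on.
SERVICES: Dict[str, List[Tuple[str, int]]] = {
    "mDNS/DNS-SD": [("udp", 5353)],
    "SMB": [("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)],
    "UPnP/SSDP": [("udp", 1900)],
    "SSH": [("tcp", 22)],
}

# A profile is a set of services, not a pile of individual toggles: where one
# browsing protocol is acceptable the others are too (assumed policy).
PROFILES: Dict[str, frozenset] = {
    "Internet Cafe": frozenset(),
    "Corporate Network": frozenset({"mDNS/DNS-SD", "SSH"}),
    "Trusted/Home Network": frozenset({"mDNS/DNS-SD", "SMB", "UPnP/SSDP", "SSH"}),
}


def profiles_allowing(service: str) -> List[str]:
    """Names of the profiles under which `service` is reachable."""
    if service not in SERVICES:
        raise KeyError(f"unknown service {service!r}")
    return sorted(name for name, allowed in PROFILES.items() if service in allowed)


def blocked_service_hint(iface: str, profile: str, service: str) -> Optional[str]:
    """The profile-oriented hint from the mail, or None if nothing is blocked."""
    if service in PROFILES[profile]:
        return None
    alternatives = profiles_allowing(service)
    if not alternatives:
        return (f"Your current firewall profile '{profile}' on {iface} does not "
                f"allow service '{service}', and no available profile does.")
    quoted = " or ".join(f"'{p}'" for p in alternatives)
    return (f"Your current firewall profile '{profile}' on {iface} does not allow "
            f"service '{service}' to work. Please change to profile {quoted} "
            f"if you want to use this service and you are in a suitable network.")


def nft_rules_for_interface(iface: str, profile: str) -> List[str]:
    """nftables accept rules for one interface. Every rule matches on iifname,
    so activating a profile on wlan0 opens nothing on eth0."""
    rules: List[str] = []
    for service in sorted(PROFILES[profile]):
        for proto, port in SERVICES[service]:
            rules.append(f'iifname "{iface}" {proto} dport {port} accept comment "{service}"')
    return rules


def nft_ruleset(bindings: Dict[str, str]) -> str:
    """Render a complete inet table from interface -> profile bindings.
    Input policy is drop; only bound interfaces get accept rules."""
    lines = [
        "table inet profiles {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
    ]
    for iface in sorted(bindings):
        lines.extend("    " + r for r in nft_rules_for_interface(iface, bindings[iface]))
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


def interface_up(bindings: Dict[str, str], iface: str, profile: str) -> Dict[str, str]:
    """Attach a profile when the interface comes up; returns new bindings."""
    if profile not in PROFILES:
        raise KeyError(f"unknown profile {profile!r}")
    return {**bindings, iface: profile}


def interface_down(bindings: Dict[str, str], iface: str) -> Dict[str, str]:
    """Drop the interface's rules when it goes down; returns new bindings."""
    return {k: v for k, v in bindings.items() if k != iface}


if __name__ == "__main__":
    active = interface_up({}, "eth0", "Trusted/Home Network")
    active = interface_up(active, "wlan0", "Internet Cafe")
    print(nft_ruleset(active))
    print(blocked_service_hint("wlan0", active["wlan0"], "mDNS/DNS-SD"))
```

Rendering the whole table from the binding map on every interface event, rather than editing rules in place, keeps the ruleset a pure function of "which profile is attached to which interface", which is the property that makes the mail's mobile-system argument hold: moving a laptop to a new network changes one binding, not a history of per-service toggles.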