On Tue, 2010-05-04 at 23:23 +0200, Lennart Poettering wrote:
> On Tue, 04.05.10 17:04, William Jon McCann (william.jon.mccann@xxxxxxxxx) wrote:
>
> > Hey,
> >
> > So I know we've had long threads about this on fedora-devel but it
> > isn't clear to me anything came out of them. Maybe we can be more
> > specific.
> >
> > Does our current firewall policy for the desktop install make sense?
> >
> > Does a firewall add any value at all?
> >
> > Should we have a bidirectional firewall?
> >
> > Other thoughts? I'd be interested to know if we at least have rough
> > agreement between people who have written or maintain network
> > listening services like David, Lennart, Colin, and Owen.
>
> There was a private discussion about that by email by a few folks,
> initiated by Bastien IIRC, a few weeks ago. It died after a while.
>
> However, I think some of the folks involved agree with me that for the
> long run we should have a firewall that focuses on "profiles" instead of
> activating separate services individually, which has been suggested
> quite often and is particularly pushed by some baseos people.
>
> In more detail:
>
> I want a minimal system where I can activate one of the predefined
> firewall profiles "Internet Cafe", "Corporate Network" and "Trusted/Home
> Network" (or similarly named), plus any others defined by the admin, and
> which can be attached to the various interfaces and are activated for
> them when they go up, and only for them for each iface.
>
> Bastien suggested the various apps should be able to show hints like
> "You need to enable service 'mDNS/DNS-SD' to use this service, please
> click here to enable it" in the UI for the various programs, when they
> are blocked by the fw. I am more arguing for a UI that would show "Your
> current firewall 'Internet Cafe' does not allow service 'mDNS/DNS-SD' to
> work. Please change to profile 'Corporate Network' or 'Trusted Network'
> if you want to use this service and you are in a suitable network."
>
> Rationale behind this: systems are mobile, hence if you enable "mDNS" in
> one network it should not mean it is from then on enabled in every network
> you move your machine to. And secondly, I doubt we could reasonably
> explain the differences between the various browsing services to people
> (i.e. SMB, mDNS, uPNP), and hence I'd argue that when you enable one of
> those services it should be ok to enable the other ones mentioned here as
> well. On a network where uPnP is OK to be used, mDNS is too. Something
> similar applies to other protocols.
>
> It would be a great step ahead if the discussions we have every now and
> then on fedora-devel whether some specific software should be enabled in
> the fw would become more specific: instead of asking whether avahi
> should be whitelisted in the default fw, I'd like to move those
> discussions in the direction that people ask whether avahi should be
> enabled in the "Corporate Network" profile or not.
>
> I think Windows has a similar profiles system now, too.
>
> Lennart
>
> --
> Lennart Poettering                        Red Hat, Inc.
> lennart [at] poettering [dot] net
> http://0pointer.net/lennart/           GnuPG 0x1A015CC4

I like where this is going. I think it's easier to ask the user what type
of network environment they are in rather than if they want to allow
foobarfroz service to run. The latter is a major laughing point of Windows
users, even mocked in Apple commercials. We do not want to repeat their
mistakes.

However, the basic idea of prompting the user to confirm something does
have merit, and it seems to me it would be easier to answer "I trust those
around me" vs "I do not trust those around me" than to make informed
decisions about each and every service that may be run.

Hopefully it goes without saying that it would take a certain role within
PK rights to be able to manipulate which firewall profile to load...

--
Jesse Keating
Fedora -- Freedom² is a feature!
identi.ca: http://identi.ca/jkeating
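To make the profile design in the quoted mail concrete, here is a small model of it, written as an added example for this page. It is not code from Fedora, from Lennart, or from any firewall tool; the profile names come from the thread, while the service-to-port table, the "local-browsing" grouping (Lennart's "if uPnP is OK on this network, mDNS is too"), the per-profile service lists and the iptables-restore rule syntax (generated as strings only, never executed) are assumptions made for the example. Profiles are bound per interface and only that interface's rules change when it comes up or goes down, and `hint()` produces the "change profile" message Lennart argues for instead of an "enable this service" button.

```python
"""Model of a profile-based, per-interface firewall (illustrative example;
not Fedora's, firewalld's or any other project's code). Service ports,
groupings and per-profile service lists are assumptions for the example."""
from dataclasses import dataclass

# Service name -> (protocol, port). Constructed table with the well-known ports.
SERVICES = {
    "ssh":       ("tcp", 22),
    "ipp":       ("tcp", 631),
    "mdns":      ("udp", 5353),
    "smb":       ("tcp", 445),
    "upnp-ssdp": ("udp", 1900),
}

# The browsing services stand or fall together on a given network: a profile
# enables the whole group, never one member of it. Assumed grouping.
SERVICE_GROUPS = {
    "local-browsing": frozenset({"mdns", "smb", "upnp-ssdp"}),
}


def expand(names):
    """Resolve service and group names into the concrete set of services."""
    out = set()
    for n in names:
        if n in SERVICE_GROUPS:
            out |= SERVICE_GROUPS[n]
        elif n in SERVICES:
            out.add(n)
        else:
            raise ValueError(f"unknown service or group {n!r}")
    return frozenset(out)


@dataclass(frozen=True)
class Profile:
    name: str
    services: frozenset


# Predefined profiles named in the thread; what each allows is assumed here
# ("Internet Cafe" admits no inbound service at all).
PROFILES = {
    "Internet Cafe":     Profile("Internet Cafe", expand([])),
    "Corporate Network": Profile("Corporate Network", expand(["ssh", "ipp"])),
    "Trusted Network":   Profile("Trusted Network", expand(["ssh", "ipp", "local-browsing"])),
}


class Firewall:
    """Profiles are bound per interface: mDNS allowed on eth0 at home says
    nothing about wlan0 in the cafe."""

    def __init__(self, profiles):
        self.profiles = dict(profiles)
        self.bindings = {}  # interface -> profile name

    def iface_up(self, iface, profile_name):
        """Bind a profile to an interface that just came up; return its rules."""
        if profile_name not in self.profiles:
            raise KeyError(f"no such profile {profile_name!r}")
        self.bindings[iface] = profile_name
        return self.rules_for(iface)

    def iface_down(self, iface):
        self.bindings.pop(iface, None)

    def allows(self, iface, service):
        return service in self.profiles[self.bindings[iface]].services

    def rules_for(self, iface):
        """INPUT rules for one interface in iptables-restore syntax (strings only)."""
        prof = self.profiles[self.bindings[iface]]
        rules = [f"-A INPUT -i {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
        for svc in sorted(prof.services):
            proto, port = SERVICES[svc]
            rules.append(f"-A INPUT -i {iface} -p {proto} --dport {port} "
                         f"-m comment --comment {svc} -j ACCEPT")
        rules.append(f"-A INPUT -i {iface} -j REJECT --reject-with icmp-host-prohibited")
        return rules

    def hint(self, iface, service):
        """The UI text argued for in the thread: name the profiles that would
        allow the service rather than offering to poke a hole in the current one."""
        if self.allows(iface, service):
            return None
        current = self.bindings[iface]
        alternatives = sorted(p.name for p in self.profiles.values()
                              if service in p.services)
        msg = f"Your current firewall profile '{current}' does not allow service '{service}'."
        if not alternatives:
            return msg + " No defined profile allows it; ask your administrator."
        alts = " or ".join(f"'{a}'" for a in alternatives)
        return msg + f" Change to profile {alts} if you are in a suitable network."


if __name__ == "__main__":
    fw = Firewall(PROFILES)
    fw.iface_up("eth0", "Trusted Network")
    for rule in fw.iface_up("wlan0", "Internet Cafe"):
        print(rule)
    print(fw.hint("wlan0", "mdns"))
```

Two properties of the design show up directly in the code: the rule set for `wlan0` never mentions `eth0`, so switching the cafe interface to a stricter profile cannot silently widen or narrow the home one, and asking for `mdns` on a profile that lacks it yields a message naming the profiles that have it, not a per-service toggle.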
-- desktop mailing list desktop@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/desktop