On Sun, 14.06.09 18:34, Matthew Garrett (mjg@xxxxxxxxxx) wrote: > > So, solving this is pretty easy, even for newbies. But I agree that the > > error message will not help someone without advanced knowledge. Although > > I think people running Samba generally will know where to look for the > > problem. > > I think this is actually a problem that needs solving. We have several > network services that are either installed by default or might be > expected to be part of a standard setup, but which don't work because of > the default firewall rules. The Anaconda people have (sensibly, IMHO) > refused to simply add further exceptions to the firewall policy. > > So, what should happen here? Should we leave the firewall enabled in > these cases* by default and require admins to open them? If so, is there > any way that we can make this easier in some Packagekit-oriented manner? > If not, how should we define that packages indicate that they need ports > opened? Should this be handled at install time or run time? Gah. Allowing packages to pierce the firewall just makes the firewall redundant. I still think that the current firewall situation on Fedora is pretty much broken. It's a bit like SELinux: it's one of the first features most people disable. Fedora is the only big distro that enables a firewall by default and thus creates a lot of trouble for many users. I think I mentioned that before, and I can only repeat it here: we should not ship a firewall enabled by default, like we currently do. If an application cannot be trusted then it should not be allowed to listen on a port by default in the first place. A firewall is an extra layer of security that simply hides the actual problem. Now, it's my impression that some people who control the packages in question and believe in all this security theater more than I do, seem to be unwilling to loosen the default firewall. So as a bit of a compromise here's what I suggest: Add a very simple per-interface firewall profile system to NetworkManager. Something that is easily reachable from the NM applet. Something with just two simple profiles by default: one that allows everything for use in trusted networks, and one that just allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport APs). Admins could then add more profiles if they feel the need for it. And one could bind those profiles to specific networks, so that people would just have to configure them once. Of course, as mentioned, these firewall profiles need to be per-interface so that a vpn interface can be trusted, while the underlying WLAN iface doesn't have to be trusted. Lennart -- Lennart Poettering Red Hat, Inc. lennart [at] poettering [dot] net http://0pointer.net/lennart/ GnuPG 0x1A015CC4 -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
