Lennart Poettering wrote:
On Sun, 14.06.09 18:34, Matthew Garrett (mjg@xxxxxxxxxx) wrote:
So, solving this is pretty easy, even for newbies. But I agree that the
error message will not help someone without advanced knowledge. Although
I think people running Samba generally will know where to look for the
problem.
I think this is actually a problem that needs solving. We have several
network services that are either installed by default or might be
expected to be part of a standard setup, but which don't work because of
the default firewall rules. The Anaconda people have (sensibly, IMHO)
refused to simply add further exceptions to the firewall policy.
So, what should happen here? Should we leave the firewall enabled in
these cases* by default and require admins to open them? If so, is there
any way that we can make this easier in some Packagekit-oriented manner?
If not, how should we define that packages indicate that they need ports
opened? Should this be handled at install time or run time?
Gah. Allowing packages to pierce the firewall just makes the firewall
redundant.
I still think that the current firewall situation on Fedora is pretty
much broken. It's a bit like SELinux: it's one of the first features
most people disable.
SELinux and the firewall configuration are trying to make the system
secure before something happens. If your system is compromised, then it
is far too late to react. If you do not care about security, then
disable it and have fun with the results.
I wonder why other systems are getting more restrictive and secure over
time and for Linux people request the opposite direction.
Fedora is the only big distro that enables a firewall by default and
thus creates a lot of trouble for many users. I think I mentioned that
before, and I can only repeat it here: we should not ship a firewall
enabled by default, like we currently do. If an application cannot be
trusted then it should not be allowed to listen on a port by default
in the first place. A firewall is an extra layer of security that
simply hides the actual problem.
How do you want to get to "it should not be allowed to listen on a port
by default"? Maybe with SELinux?
Please remember that there are still services like for example RPC that
are using random ports which might be one of those that are open.
Now, it's my impression that some people who control the packages in
question and believe in all this security theater more than I do, seem
to be unwilling to loosen the default firewall. So as a bit of a
compromise here's what I suggest:
I do not think that security is a theater. If the system you are using
lacks security and someone could copy and/or remove your private or work
data, then you might have big problems.
Add a very simple per-interface firewall profile system to
NetworkManager. Something that is easily reachable from the NM
applet. Something with just two simple profiles by default: one that
allows everything for use in trusted networks, and one that just
allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport
APs). Admins could then add more profiles if they feel the need for
it. And one could bind those profiles to specific networks, so that
people would just have to configure them once. Of course, as
mentioned, these firewall profiles need to be per-interface so that a
vpn interface can be trusted, while the underlying WLAN iface doesn't
have to be trusted.
If there would be a mechanism to define the type of an internet
connection or a network segment, then it would surely be possible to
make this work even with system-config-firewall. But at the moment there
is no such mechanism.
Here is the latest request to add a mechanism like this:
https://bugzilla.redhat.com/show_bug.cgi?id=472784
Lennart
Thomas
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list