On 07/24/2009 11:34 AM, Colin Walters wrote: > Backing up a minute, in discussions among the desktop team and other > people about this, one thing that came up as a specific problem with > having no firewall at all was the "public WiFi hotspot" case. If for > example I enable desktop sharing before leaving work, then head to the > airport, and log on there to WiFi, you really don't want the desktop > sharing still enabled. Nor likely do you want sshd. > > In most of the other cases I can think of though, the firewall is > either a hindrance (trusted network at home or office), or pointless > (connected via 3G modem). > > Which leads me to think that rather than being based on individual > ports and time, we just need a nice way to globally toggle the > firewall. And that could come down to marking networks as explicitly > trusted in NetworkManager, say. Bah! If the user checks a box saying the network can be trusted then we should use that as evidence against him. :) Firewalls are "crunchy on the outside but chewy on the inside". How many of our users have a not-fully-patched Windows box on their "trusted" home network? (Or even an active malware infestation.) And what if you and a friend are at the airport and you want to share a file? Do you have to mark the airport wifi network trusted? It seems like it would be better to use selinux here than a firewall. -- Dan -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
