On Tue, Apr 15, 2014 at 7:11 PM, William Brown <william@xxxxxxxxxxxxxxx> wrote:
> On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote:
>> On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote:
>>
>>>> What you need is clearly different "zones" that the user can configure
>>>> and associate to networks, with the default being that you trust nothing
>>>> and everything is firewalled when you roam a new network.
>>>>
>>> We have that already with zones in firewalld.
>>
>> Kind of. If I open the network panel and find the 'Firewall zone' combo,
>> I am presented with a choice of:
>> Default
>> block
>> dmz
>> drop
>> external
>> home
>> internal
>> public
>> trusted
>> work
>>
>> This list is far too long, and none of it is translated or even properly
>> capitalized. And there is no indication at all why one would choose any
>> zone over any other, and what consequences it has.
>
> Agreed
>
> Perhaps shorten to:
>
> block
> public
> work
> home

That is a much more intuitive default set.

> The other network zone names really seem targeted at servers. Maybe each
> zone needs an attr that states if it's a workstation zone or not to
> determine if it joins this list?
>
>> So, what you have currently is a raw bit of infrastructure that is
>> directly exposed to the end user, without any design or integration.
>
> Additionally, the command line syntax to manage firewalld is obscene.
> (maybe slightly off topic ...)
>
> firewall-cmd --zone=foo --add-port=12345/tcp --permanent
>
> It doesn't autocomplete in bash either (zsh at least prefills the -- and
> gives you some options, but it's not great)
>
> At least for the "power" user on a workstation, fixing this syntax to at
> the minimum remove all the -- would be great. Follow that by nm-cli
> style short hand, and I would be a happy person.
> You could do:
>
> firewalld-cmd z=foo a-p=12345/tcp perm
>
> Because this syntax is "hard" I think that it even excludes power users
> from wanting to make their firewall work on their system.
>
>> I don't think we want a 'firewall' UI anyway; the firewall is not
>> something most users can or should understand and make decisions about.
>
> Never take decisions away from users.
>
> The OSX style firewall works well when enabled. It blocks all by
> default, then when an application wants a listening port, the user is
> prompted to allow or deny it. I think this is a good model.
>
>> What I envision is that we will notify the user when we connect to a new
>> network, with a message along the lines of:
>>
>> You have connected to a new network. If this is a public network, you
>> may want to stop sharing your Music and disable Remote Logins.
>> [Turn off sharing] [Continue sharing] [Sharing Preferences...]
>>
>> And we will remember this for when you later reconnect to the same
>> network.
>
> Why not set the firewall zone when you join the network? And the above
> prompts alter that currently active zone?
>
>> I've filed a bug for this:
>> https://bugzilla.gnome.org/show_bug.cgi?id=727580
>>
>> Matthias
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
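Matthias's complaint above is that the zone picker gives no hint of what each zone actually lets in. An added example, written by the editor and not by anyone in this thread, that turns `firewall-cmd --list-all-zones` text into that missing hint; it assumes firewalld's zone-listing layout (a zone name line, then two-space-indented `key: value` lines) and uses a constructed sample rather than output captured from a real host:

```python
# Constructed sample in the shape of firewalld's zone listing; not real host output.
SAMPLE = """\
public (active)
  target: default
  services: dhcpv6-client ssh
  ports:

home
  target: default
  services: dhcpv6-client mdns samba-client ssh
  ports: 12345/tcp

trusted
  target: ACCEPT
"""


def parse_zones(text):
    """Return {zone: {"active": bool, "target": str, "services": [...], "ports": [...]}}."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # zone header, e.g. "public (active)"
            name, _, flags = line.partition(" ")
            current = zones[name] = {"active": "active" in flags, "target": "default",
                                     "services": [], "ports": []}
        elif current is not None:
            key, _, value = line.strip().partition(":")
            if key == "target":
                current["target"] = value.strip()
            elif key in ("services", "ports"):
                current[key] = value.split()    # empty "ports:" line gives []
    return zones


def describe(zone):
    """Plain-language answer to 'what does choosing this zone let in?'."""
    if zone["target"] == "ACCEPT":
        policy = "ACCEPTS ALL unsolicited inbound traffic"
    else:                                       # "default" and %%REJECT%% both reject
        policy = "rejects unsolicited inbound traffic"
    allowed = zone["services"] + zone["ports"]
    return policy + (", except: " + ", ".join(allowed) if allowed else "")


def summarise(text):
    """Zone name -> description; the active zone is the one that applies right now."""
    return {name: describe(z) for name, z in parse_zones(text).items()}
```

Feed it the real command's output with `summarise(subprocess.check_output(["firewall-cmd", "--list-all-zones"], text=True))` to see what the currently active zone exposes on the network you just joined.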