On 16.04.2014 12:31, Thomas Woerner wrote:
> On 04/15/2014 10:49 PM, Matthias Clasen wrote:
>> On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote:
>>
>>>>
>>>> What you need is clearly different "zones" that the user can configure
>>>> and associate to networks, with the default being that you trust nothing
>>>> and everything is firewalled when you roam a new network.
>>>>
>>> We have that already with zones in firewalld.
>>
>> Kind of. If I open the network panel and find the 'Firewall zone' combo,
>> I am presented with a choice of:
>> Default
>> block
>> dmz
>> drop
>> external
>> home
>> internal
>> public
>> trusted
>> work
>>
>> This list is far too long, and none of it is translated or even properly
>> capitalized. And there is no indication at all why one would choose any
>> zone over any other, and what consequences it has.
>>
>> So, what you have currently is a raw bit of infrastructure that is
>> directly exposed to the end user, without any design or integration.
>>
> There have been plans about a firewall layer in gnome. The gnome team
> decided not to support it and not to work on anything that is firewall
> or firewalld related. There have been several meetings about this.
>
> Now complaining that it is not there and not integrated just makes me
> sad, especially as there was a tool in gnome 3 that has support for
> firewalld, but this support has been removed again.
>
>>>
>>> The limitations in gnome 3 are:
>>> - Applets are not easily visible in the desktop.
>>> - An applet is not always visible, even if the state in the applet is to
>>> be visible.
>>> - Sending out notifications is prohibiting the use of left and right
>>> mouse button menus: While the notification is visible, a left and right
>>> mouse button click on the applet only shows the notification.
>>> - After closing a notification sent out by the applet, the applet is
>>> made invisible in the tray with a still visible state in the applet. Not
>>> even a hide and show will make it visible anymore.
>>> - Left and right mouse button menus are loose in the desktop and are not
>>> visibly connected to the applet; it is not visible any more after
>>> clicking on it.
>>
>> GNOME doesn't have applets anymore, so complaining that your applet
>> doesn't work great in GNOME is missing the point.
>>
> So what would your solution then be for such a workflow today when
> applets aren't supported anymore? And of course one that would work for
> other desktops, as maintaining N versions for N different desktops
> doesn't scale.
>
>> I don't think we want a 'firewall' UI anyway; the firewall is not
>> something most users can or should understand and make decisions of.
>>
>> What I envision is that we will notify the user when we connect to a new
>> network, with a message along the lines of:
>>
> This has been planned before but has been refused. Coming up with this
> again is funny also.
>
>> You have connected to a new network. If this is a public network, you
>> may want to stop sharing your Music and disable Remote Logins.
>> [Turn off sharing] [Continue sharing] [Sharing Preferences...]
>>
>> And we will remember this for when you later reconnect to the same
>> network.
>>
> This is exactly what zones are for, but you do not have to alter
> applications or logins.
>
>> When we have this infrastructure, we can use this information to also
>> set the network zone to Home/Public - I don't think the long list of
>> zones I showed above makes any sense. Either you are at home and
>> comfortable sharing the network, or not.
>>
> If you're still interested to make this work I'm still willing to work
> on this together with you and the gnome team to make sure everyone will
> have the benefit of an out-of-box secure Fedora with an easy to use
> firewall with a proper UI.
>
>> I've filed a bug for this:
>> https://bugzilla.gnome.org/show_bug.cgi?id=727580
>>
>>
>> Matthias
>>
>
> Thomas - firewalld maintainer
>

Thanks for the revelation, Thomas!
Josh, I hope you read this.

Is this really how we want to promote Fedora!?


poma
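An added example for this archive page, not code from the thread or from firewalld itself: it parses zone definitions written in the XML format that firewalld's zone files use and ranks them by how much they expose, which is the "what consequences it has" information Matthias says the zone combo box never shows. The four zone snippets are constructed for the example (they mimic the stock zone files, but the `home` entry adds a port the stock zone does not open).

```python
# Added example, not from the thread: parse zone definitions written in the
# XML format firewalld uses for its zone files and summarise what each zone
# exposes, i.e. the consequences of a zone choice that the combo box does not show.
# The XML below is constructed for this example; it mimics the file format
# under /usr/lib/firewalld/zones/ but is not Fedora's shipped data.
import xml.etree.ElementTree as ET

SAMPLE_ZONES = {
    "drop": '<zone target="DROP"><short>Drop</short></zone>',
    "public": """<zone><short>Public</short>
  <service name="ssh"/><service name="dhcpv6-client"/></zone>""",
    "home": """<zone><short>Home</short>
  <service name="ssh"/><service name="mdns"/><service name="samba-client"/>
  <service name="dhcpv6-client"/><port port="8000" protocol="tcp"/></zone>""",
    "trusted": '<zone target="ACCEPT"><short>Trusted</short></zone>',
}

def summarize_zone(xml_text):
    """Return (target, services, ports) for one zone definition.
    target: 'ACCEPT' = everything in, 'DROP' = silently discard,
    '%%REJECT%%' = reject with ICMP, 'default' = reject unless listed."""
    root = ET.fromstring(xml_text)
    target = root.get("target", "default")
    services = sorted(s.get("name") for s in root.findall("service"))
    ports = sorted(f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port"))
    return target, services, ports

def exposure_report(zones):
    """Rank zones from least to most exposed: an ACCEPT target is fully open,
    otherwise exposure is the number of listed services and ports."""
    ranked = []
    for name, xml_text in zones.items():
        target, services, ports = summarize_zone(xml_text)
        score = float("inf") if target == "ACCEPT" else len(services) + len(ports)
        ranked.append((score, name, target, services, ports))
    ranked.sort(key=lambda r: (r[0], r[1]))
    return [(n, t, s, p) for _, n, t, s, p in ranked]

if __name__ == "__main__":
    for name, target, services, ports in exposure_report(SAMPLE_ZONES):
        print(f"{name:8} target={target:8} services={services} ports={ports}")
```

Pointing `SAMPLE_ZONES` at the contents of the real zone directory gives the same ranking for an installed system, which is the kind of summary a network panel could show next to each zone name.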