----- Original Message -----
> From: "Robert Marcano" <robert@xxxxxxxxxxxxxxxxx>
> To: "Development discussions related to Fedora" <devel@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Tuesday, December 9, 2014 8:57:51 AM
> Subject: Re: "Workstation" Product defaults to wide-open firewall
>
> On 12/09/2014 08:53 AM, Reindl Harald wrote:
> >
> >
> > On 09.12.2014 at 14:16, Bastien Nocera wrote:
> >>> On Tue, Dec 09, 2014 at 12:54:59PM +0100, Gerd Hoffmann wrote:
> >>>> Why we can't have something like this? And if you don't want a popup
> >>>> asking, have something in the NetworkManager applet menu, where people
> >>>> can easily find the switch without having to search for it? A "[x]
> >>>> allow sharing" checkbox? A firewall zone selector?
> >>>
> >>> We can — we just need someone to design and write it.
> >>
> >> A design for something that we don't want to implement.
> >
> > and that is the point - you do not want and care because you seem to
> > think users are too stupid to make their own decisions - you know what
> > Linus said to that in direction of GNOME?
> >
> >> This was one of the options when implementing the feature, one that
> >> we didn't pursue. We chose instead to use "user intent" as a way to
> >> do this.
> >>
> >> If you start sharing something on a network, then we consider it safe
> >> to share.
> >
> > the problem is that you don't know *who* or *what* opened the port
>
> Exactly, I think some people think we already reached the utopic world,
> when everyone installs FLOSS applications from the repositories, and no
> one uses closed source applications, or worse where all sharing is done
> using GNOME control panel, and there aren't applications that don't
> take into account the GNOME way of doing things.
>
> What I see frequently are applications that are installed from outside
> the Fedora repositories, that can be forced to behave like Fedora
> packaging rules, with secure defaults before sharing, being installed
> and the user that doesn't know much about firewall settings but understands
> that the firewall is active, then thinks: I feel "secure" because I know
> the firewall is blocking external requests.

Speaking from personal experience, my thought was never 'I feel so safe'; instead I just felt annoyed that for the gazillionth time things didn't work due to the firewall blocking the application or service I was trying to run. And after trying to Google and only finding Ubuntu-specific commands that never seemed to work, or commands which were only relevant to Fedora 12, I tended to disable the firewall while asking myself why after all these years things still sucked as much.

Christian

> and then in that utopic world things fail, for example, Fedora packaging
> rules prefer that packages are installed with sensitive defaults, I
> reported a bug about all cron email output being sent by default and it
> was discarded as a security bug (pulled by an update)
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1157727
> https://bugzilla.redhat.com/show_bug.cgi?id=1158493
> https://lists.fedoraproject.org/pipermail/devel/2014-October/203781.html
>
> This is no open port, but shows that packages can have bugs and
> something that is closed by default today, can in the future be pulled
> as an update and start sharing things. Those are bugs, true, but the
> idea of opening the firewall entirely defeats the measure of defense
> already in place. To me it sounds like disabling SELinux on workstation
> because people find it difficult and decide to disable it instead.
>
> The problem that is being tried to "solve" is that people choose to
> disable the firewall. Why not add a simple option to the GNOME sharing
> tools to change the firewall zone to this one where ports >1024 are open
> when the user decides to share something, with the possibility to
> select no for those people that only want to open only the needed
> ports?
>
> Note: I hope to not be called a troll here (joke, someone will understand)
>
> >
> >> If you connect to a public unencrypted Wi-Fi, you won't have the
> >> option to. If you connect to an encrypted Wi-Fi where sharing your
> >> holiday photos isn't acceptable then it won't, because you didn't
> >> ask it to in the first place
> >
> > besides suspend / move machine
> >
> > a sane firewall design (sadly Windows has that in the meantime) is that
> > if i open a port in my home network, suspend the machine and wake it up
> > in a foreign network ports are closed until i decide to open them there
> > too, but Fedora goes the easy way "who cares how and why as long things
> > appear to work"
> >
> > *who* told you that people don't share things *unintentional* by a wrong
> > click which is *not* a problem until you decide to open ports
> >
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct