Hey Matt,

A few corrections for the portion about the workstation firewall.

----- Original Message -----
<snip>
> Fedora Workstation firewall discussion
> --------------------------------------
>
> This week’s big devel-list thread concerned the default firewall
> settings in Fedora Workstation. The Fedora Workstation Working Group was
> not happy with the user experience offered by blocking incoming “high
> ports” by default. Out of the box, nothing is listening on these, but if
> one installs software that expects to,

"If one tries to use the already installed software"

> it won’t work, and because we
> don’t have a good way yet to tie *attempts* to access ports to listening
> applications and communicate that to the user, the resulting failure is
> invisible.

Even if we could do that in a secure way, that's not the way we'd want to
implement it.

> On the other hand, if you install something and it starts listening and
> you didn’t know that,

If you install something from Fedora and it does that, then it's a bug in
the application.

> that’s *also* invisible. So, pretty much everyone
> recognizes this as a not ideal situation. Everyone involved in the
> discussion also is concerned with enhancing user security in practice —
> the question is just how to best get there from an imperfect state.
> Originally, the Workstation WG asked to disable the firewall entirely.

That wasn't the Workstation WG, it was earlier, for the Desktop spin.

> FESCo asked instead that it be left available, possibly with a
> less-restrictive out-of-the-box configuration — the path taken for F21.
>
> If you’re not running Workstation, this doesn’t affect you. If you are,
> and would like a different configuration, run the firewall configuration
> tool and either edit the Fedora Workstation zone or change the default
> zone. (There’s a long list of options, but “public” is a
> generally-restrictive choice.)
>
> You can also change the per-network zone.
> Unfortunately, currently wired
> networks are all considered as one per interface, but wireless networks
> are distinguished individually. This can be done in a number of ways,
> but the easiest is to run the network configuration tool (in GNOME
> control center — press the overview key and start typing “network”),
> select the wifi network in question, press the little gear icon next to
> it, go down to Identity (?!), and choose the appropriate firewall zone.
> (Again, there’s a long list — go back to the firewall config tool to see
> exactly what they all do.)

Thank you for pointing out the main reason why the zones can't ever be a
user-facing concept ;)

> This is clearly not the most friendly approach; it’s my understanding
> that the desktop designers, network tools team, and security team are
> going to work together to develop a better overall solution for Fedora
> 22 and beyond.

This was supposed to be the "better overall solution", with the next steps
coming from application sandboxing.

> Overall, the mailing list thread stayed relatively positive and
> constructive and avoided personal attacks, although there were some
> accusations of bad faith actions which do not seem warranted based on
> the actual history.

That could translate as "It wasn't as bad as a systemd flamewar". That's
not a very high standard to set, though.
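The zone checks and the "move this connection to public" step described in the quoted post, done from the command line instead of the GNOME dialogs. This is an added example, not code from the thread or from Fedora; it assumes firewalld's firewall-cmd and NetworkManager's nmcli are installed (as on Fedora Workstation), and the zone listing embedded below is a constructed sample so the check can run without a live firewalld.

```bash
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=FedoraWorkstation --list-all`
# output: the Workstation default that leaves the unprivileged range open.
SAMPLE_ZONE='FedoraWorkstation (active)
  interfaces: wlp3s0
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
'

# high_ports_open LISTING: prints "yes" if a --list-all listing opens the
# 1025-65535 range for tcp or udp, otherwise "no".
high_ports_open() {
    if printf '%s\n' "$1" | grep -Eq '^ *ports:.*( |:)1025-65535/(tcp|udp)'; then
        echo yes
    else
        echo no
    fi
}

# audit_live: report the default zone, which zones are active, and whether
# the default zone exposes the high-port range. Skips if firewalld is absent.
audit_live() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found, skipping live audit"; return 0; }
    zone=$(firewall-cmd --get-default-zone)
    echo "default zone: $zone"
    echo "active zones:"
    firewall-cmd --get-active-zones
    listing=$(firewall-cmd --zone="$zone" --list-all)
    echo "high ports open in $zone: $(high_ports_open "$listing")"
}

# set_connection_zone CONN [ZONE]: bind one NetworkManager connection (the
# wifi network picked in the GUI) to a zone, "public" by default, and
# re-activate it so firewalld picks up the change.
set_connection_zone() {
    conn=$1
    zone=${2:-public}
    nmcli connection modify "$conn" connection.zone "$zone" &&
        nmcli connection up "$conn"
}

echo "sample zone opens high ports: $(high_ports_open "$SAMPLE_ZONE")"
audit_live || echo "live audit failed (not root, or firewalld not running?)"
```

Run `set_connection_zone "My Cafe Wifi"` as root (or with a user in the wheel group) to do what the Identity tab does; `firewall-cmd --get-zone-of-interface wlp3s0` then shows the new zone.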