On Mon, 26 Aug 2019 at 15:25, Robert Marcano <robert@xxxxxxxxxxxxxxxxx> wrote:
>
> On 8/26/19 9:07 AM, mcatanzaro@xxxxxxxxx wrote:
> >
> > Well the thing is, blocking ports tends to break applications that want
> > to use those ports. We're not going to do that, period. It also doesn't
> > really accomplish anything: either your app or service needs network
> > access and you have whitelisted it (in which case the firewall provides
> > no security), or it needs network access and you have not whitelisted it
> > (in which case your firewall breaks your app/service). In no case does
> > it increase your security without breaking your app, right? Unless you
> > have malware installed (in which case, you have bigger problems than the
> > firewall). Or unless you have a vulnerable network service installed
> > that you don't want (in which case, uninstall it).
>
> This is a reasonable point of view, until you notice Linux desktop
> environments don't provide applications with a method to detect if they
> are running on a private network or not (See Windows Home, Office,
> Internet network settings).

That's a very good point. When Windows connects to a new network, it asks whether it's a home connection (and then you want to share resources in the network) or it's a public connection (and everything should stay private). And I think that, if the user simply ignores the notification, the default is to consider it a public network (not 100% sure though). That's a good policy I think, and it would be great if NetworkManager could do that.

I understand mcatanzaro's point of view, but it's quite narrow, because laptops not only connect to home networks to share resources, but also to many insecure public WiFis. I don't think we should rely on chasing upstream developers to behave in a *possibly* insecure environment. The system should abstract this for them and set proper firewall rules.

Iñaki
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx