On Wed, Aug 28, 2019 at 11:23 PM John Harris <johnmh@xxxxxxxxxxxxx> wrote:
>
> On Wednesday, August 28, 2019 8:13:59 PM MST Christopher wrote:
> > The default firewall config affects every user of that edition, even
> > if they never use GNOME (or even use graphical boot). So, I don't know
> > if this would be adequate.
>
> This only affects GNOME users. Workstation = GNOME Spin.

No, the default firewalld zone affects all Fedora Workstation users,
because firewalld runs outside of GNOME. Just because a user uses the
Workstation Edition doesn't mean they're running GNOME... you can
still run Cinnamon, XFCE, MATE, KDE, (or no graphical environment at
all) using the Workstation Edition. It's just that GNOME is the
default. So, this isn't a GNOME-specific issue. This is a Workstation
Edition issue with /etc/firewalld/firewalld.conf's DefaultZone option.

>
> Unless I'm mistaken, and that installer is a generic Anaconda installer, where
> users can select the end product they want installed, in which case I'd have
> to ask why in the world that config would get pulled into the resulting
> system..

The configuration is being set in the resulting system by the
firewalld.spec itself when the firewalld RPM is installed:
See
https://src.fedoraproject.org/rpms/firewalld/blob/9ef9382b5/f/firewalld.spec#_122-136
and
https://src.fedoraproject.org/rpms/firewalld/blob/9ef9382b5/f/firewalld.spec#_154-174
and
https://src.fedoraproject.org/rpms/firewalld/blob/9ef9382b5/f/FedoraWorkstation.xml#_7-9

For comparison, the FedoraServer.xml is much more secure:
https://src.fedoraproject.org/rpms/firewalld/blob/9ef9382b5/f/FedoraServer.xml

Funny, the FedoraServer.xml file still has a description "For use in
public areas" while FedoraWorkstation.xml does not... as if servers
are more likely than workstations to travel to "public areas" often.
:)
I know it's because the server zone was derived from the public zone,
which has that description, but it is still amusing.

FWIW, I actually prefer the public zone on my Workstation installs...
and... it's actually the default upstream. Honestly, I'd prefer we
just stick to that across all Editions/Spins.
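
Added example, not part of the original message and not code from the firewalld project: a small Python audit for the point made above, that what a host exposes follows from the `DefaultZone` option in `/etc/firewalld/firewalld.conf` and the zone file it names, regardless of desktop environment. The sample config and zone XML are constructed for illustration, and the function names and the 1000-port "wide range" threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs for illustration, not copied from the Fedora packages.
SAMPLE_CONF = "# firewalld config file\nDefaultZone=FedoraWorkstation\nLogDenied=off\n"
SAMPLE_ZONES = {
    "FedoraWorkstation": """<zone>
  <short>Sample Workstation</short>
  <service name="ssh"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>""",
    "public": """<zone>
  <short>Sample Public</short>
  <service name="ssh"/>
</zone>""",
}

def default_zone(conf_text):
    """Return the DefaultZone value from firewalld.conf text, or None if unset."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # skip comments and non key=value lines
        key, _, value = line.partition("=")
        if key.strip() == "DefaultZone":
            return value.strip()
    return None

def port_count(spec):
    """Number of ports covered by a zone port spec such as '22' or '1025-65535'."""
    low, _, high = spec.partition("-")
    return int(high or low) - int(low) + 1

def summarize_zone(zone_xml, wide=1000):
    """List services and ports a zone opens; flag entries spanning >= `wide` ports."""
    root = ET.fromstring(zone_xml)
    services = [s.get("name") for s in root.findall("service")]
    ports = [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
    wide_ranges = [(proto, spec) for proto, spec in ports if port_count(spec) >= wide]
    return {"services": services, "ports": ports, "wide_ranges": wide_ranges}

def audit(conf_text, zones):
    """Resolve the default zone from the config text and summarize what it opens."""
    zone = default_zone(conf_text)
    if zone not in zones:
        raise KeyError(f"default zone {zone!r} has no zone definition")
    return zone, summarize_zone(zones[zone])

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_ZONES))
```

On a real system, feed `audit` the contents of `/etc/firewalld/firewalld.conf` and the matching zone file from `/etc/firewalld/zones/` or `/usr/lib/firewalld/zones/`.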