On 8/27/19 3:25 AM, John Harris wrote:
> On Monday, August 26, 2019 7:25:27 AM MST Iñaki Ucar wrote:
>> On Mon, 26 Aug 2019 at 15:25, Robert Marcano <robert@xxxxxxxxxxxxxxxxx> wrote:
>>>
>>> On 8/26/19 9:07 AM, mcatanzaro@xxxxxxxxx wrote:
>>>>
>>>> Well the thing is, blocking ports tends to break applications that want
>>>> to use those ports. We're not going to do that, period. It also doesn't
>>>> really accomplish anything: either your app or service needs network
>>>> access and you have whitelisted it (in which case the firewall provides
>>>> no security), or it needs network access and you have not whitelisted it
>>>> (in which case your firewall breaks your app/service). In no case does
>>>> it increase your security without breaking your app, right? Unless you
>>>> have malware installed (in which case, you have bigger problems than the
>>>> firewall). Or unless you have a vulnerable network service installed
>>>> that you don't want (in which case, uninstall it).
>>>
>>> This is a reasonable point of view, until you notice Linux desktop
>>> environments don't provide applications with a method to detect if they
>>> are running on a private network or not (see Windows Home, Office,
>>> Internet network settings).
>>
>> That's a very good point. When Windows connects to a new network, it
>> asks whether it's a home connection (and then you want to share
>> resources in the network) or it's a public connection (and everything
>> should stay private). And I think that, if the user simply ignores the
>> notification, the default is to consider it a public network (not 100%
>> sure though). That's a good policy I think, and it would be great if
>> NetworkManager could do that.
>>
>> I understand mcatanzaro's point of view, but it's quite narrow,
>> because laptops not only connect to home networks to share resources,
>> but also to many insecure public WiFis. I don't think we should rely
>> on chasing upstream developers to behave in a *possibly* insecure
>> environment. The system should abstract this for them and set proper
>> firewall rules.
>
> Keep in mind that even Windows doesn't address the use case where you set it
> to Home or Business, or whatever the private setting is, and then plug in a
> connection to a public network. It thinks it's still the same.

I had something in the back of my mind that tickled when I read this,
because I remember that Windows 7 did something with the default gateway
MAC address, so I did some digging.

https://web.archive.org/web/20170405202217/https://blogs.technet.microsoft.com/networking/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles/

There is quite some documentation about how Windows determines/determined
when it was connected to a different network (be it by wire or WiFi). Even
though this information might be outdated when looking at Windows 10.

Hope that helps to provide some inspiration towards solving this problem
and creating better firewall rule sets :)

(But in general it sounds like something that should go into NetworkManager
and could be useful for easier network profiles)

-- 
Signed Sheogorath
Attachment:
signature.asc
Description: OpenPGP digital signature
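As an added illustration of the gateway-signature idea raised in the message above (the Windows NLA heuristic in the linked article, and the "unknown means public" default Iñaki describes), here is a small Python script that is not code from the thread, from NetworkManager or from firewalld. It parses `ip -4 route show default` and `ip -4 neigh show` style text, looks the default gateway's IP/MAC pair up in a user-maintained table of trusted networks, and maps the result to a firewalld zone name, defaulting to `public` whenever the gateway is unknown, unresolved or absent. The route and neighbour lines, MAC addresses and the trusted table are all constructed sample values; nothing is read from the live host.

```python
"""Classify the current network by its default gateway's IP + MAC signature.

Added example (not from the thread, NetworkManager or firewalld).  All input
is constructed sample text in the format of `ip -4 route show default` and
`ip -4 neigh show`; a real dispatcher hook would feed it live output.
"""
import re

# Constructed sample output: hypothetical addresses, not from any real host.
SAMPLE_ROUTE = "default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600\n"
SAMPLE_NEIGH = (
    "192.168.1.1 dev wlp3s0 lladdr 00:11:22:33:44:55 REACHABLE\n"
    "192.168.1.37 dev wlp3s0 lladdr 66:77:88:99:aa:bb STALE\n"
)

# Networks the user has explicitly marked trusted, keyed by (gateway IP, MAC).
# Hypothetical entries.  The MAC identifies a network; it does not authenticate
# it, so the table only ever widens access the user already chose to grant.
TRUSTED_GATEWAYS = {
    ("192.168.1.1", "00:11:22:33:44:55"): "home",
}

# Network profile -> firewalld zone.  Anything not listed falls back to public.
ZONE_FOR_PROFILE = {"home": "home", "work": "work", "public": "public"}


def parse_default_gateway(route_text):
    """Return (gateway_ip, interface) from `ip route show default`, or None."""
    m = re.search(r"^default via (\S+) dev (\S+)", route_text, re.M)
    return (m.group(1), m.group(2)) if m else None


def parse_neighbors(neigh_text):
    """Map IP -> lowercase MAC from `ip neigh show` output.

    Entries without an lladdr (e.g. FAILED/INCOMPLETE) are skipped, so an
    unresolved gateway simply has no MAC and is treated as unknown.
    """
    table = {}
    for line in neigh_text.splitlines():
        m = re.match(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17}) ", line, re.I)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table


def classify_network(route_text, neigh_text, trusted=TRUSTED_GATEWAYS):
    """Return the trusted profile name for this network, or 'public'."""
    gw = parse_default_gateway(route_text)
    if gw is None:
        return "public"  # no default route: nothing to trust, fail closed
    gw_ip, _iface = gw
    mac = parse_neighbors(neigh_text).get(gw_ip)
    if mac is None:
        return "public"  # gateway MAC not resolved yet: stay in the safe zone
    return trusted.get((gw_ip, mac), "public")


def firewalld_zone(profile):
    """Map a profile to the firewalld zone that should own the interface."""
    return ZONE_FOR_PROFILE.get(profile, "public")


if __name__ == "__main__":
    profile = classify_network(SAMPLE_ROUTE, SAMPLE_NEIGH)
    gw_ip, iface = parse_default_gateway(SAMPLE_ROUTE)
    zone = firewalld_zone(profile)
    print(f"gateway {gw_ip} on {iface}: profile={profile} -> zone={zone}")
    # A dispatcher hook would then apply the zone, for example with:
    print(f"firewall-cmd --zone={zone} --change-interface={iface}")
```

The functions are what a hook under `/etc/NetworkManager/dispatcher.d/` could call on each connection change before handing the chosen zone to `firewall-cmd --zone=<zone> --change-interface=<iface>`; the important property, matching the policy described in the thread, is that every branch that cannot positively identify a trusted network ends in `public`.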
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx