Re: Fedora Workstation and disabled by default firewall

On 8/28/19 1:01 AM, Adam Williamson wrote:
> On Tue, 2019-08-27 at 15:06 +0200, Jiri Eischmann wrote:
>> mcatanzaro@xxxxxxxxx wrote on Tue 27. 08. 2019 at 15:07 +0300:
>>> On Tue, Aug 27, 2019 at 4:22 AM, John Harris <johnmh@xxxxxxxxxxxxx>
>>> wrote:
>>>> No, that is not how this works, at all. First, let's go ahead and
>>>> address the 
>>>> idea that "if the firewall blocks it, the app breaks, so it's the
>>>> firewall's 
>>>> fault": It's not. If the firewall has not been opened, that just
>>>> means it 
>>>> can't be accessed by remote systems until you EXPLICITLY open that
>>>> port, with 
>>>> the correct protocol, on your firewall. That's FINE. That's how
>>>> it's designed 
>>>> to work. There's nothing wrong with that.
>>>>
>>>> This means that the system administrator (or owner, if this is
>>>> some 
>>>> individual's personal system) must allow the port to be accessed
>>>> remotely, 
>>>> before the app can be reached remotely, increasing the security of
>>>> the system.
>>>
>>> You've already lost me here. Sorry, but we do not and will not
>>> install a firewall GUI that exposes complex technical details like
>>> port numbers. Expecting users to edit firewall rules to use their
>>> apps is ridiculous and I'm not really interested in debating it.
>>
>> Yeah, when you ask users questions they're not qualified to answer,
>> you're just creating bad design.
>> I always imagine my mom (who BTW has been a Fedora user for years) how
>> she'd deal with that and I can't really imagine her opening/closing
>> firewall ports. She'd be puzzled even by "Do you trust this network?"
>> and would probably just click "Yes" to make it go away. No additional
>> security, just annoying UX.
> 
> However, Fedora Workstation is an edition. Which means it has a
> *policy-defined* target audience. That target audience is defined here:
> https://fedoraproject.org/wiki/Workstation/Workstation_PRD#Target_Audience
> 
> Case 1: "Engineering/CS student"
> Case 2: "Independent Developer"
> Case 3: "Small Company Developer"
> Case 4: "Developer in a Large Organization"
> 
> Are those people we believe do not understand the concepts associated
> with firewalls?
> 

Let's get real. It doesn't matter if you understand firewalls or not.
Reality is that developers run applications they are working on in
development configurations on their local system. With some luck they
are properly configured but as far as I know most dev setups, they are
not considered secure or "production-ready" and that for good reasons.

But what do we do after a long day? We take our notebook and close the
lid at the end of a long day or when we head over to this annoying
meeting with the new customer. We probably don't close and shut down all
services we are developing/testing in background. Then we head over
there, open the notebook and of course need some kind of
presentation/picture/data we stored on the cloud storage provider of our
trust. We connect to the public/unknown WiFi and *boom* suddenly we have
unexpected open ports on a public network we didn't mean to expose them to.

This is not something that people do on purpose but it simply happens.
It's how we use devices nowadays.

So I guess it would already improve the situation when we would only
open the ports on install, which by far isn't a perfect solution but
would already prevent the scenario mentioned above. Which appears no
matter if someone is aware of firewall concepts or not.

Let's work on solving this problem for everyone, because it's a general
problem.

-- 
Signed
Sheogorath
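
Added example, not part of the original message or of any Fedora tooling: a check for the situation described above, listing TCP listeners that are bound beyond loopback and would therefore be reachable on whatever network the laptop joins unless a firewall blocks them. It assumes the input is the output of `ss -H -tlnp`; the sample lines and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096  127.0.0.1:631      0.0.0.0:*  users:(("cupsd",pid=901,fd=7))
LISTEN 0 4096  127.0.0.53%lo:53   0.0.0.0:*  users:(("systemd-resolve",pid=712,fd=14))
LISTEN 0 511   0.0.0.0:3000       0.0.0.0:*  users:(("node",pid=4242,fd=21))
LISTEN 0 128   [::1]:5432         [::]:*     users:(("postgres",pid=1500,fd=6))
LISTEN 0 128   [::]:8000          [::]:*     users:(("python3",pid=4310,fd=3))
LISTEN 0 128   *:9090             *:*        users:(("prometheus",pid=4400,fd=8))
LISTEN 0 128   192.168.1.23:6379  0.0.0.0:*  users:(("redis-server",pid=4500,fd=6))
"""


def parse_listener(line):
    """Return (host, port, process) for one LISTEN line, or None if unparsable."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    host, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    # Drop IPv6 brackets and any %interface scope suffix (e.g. 127.0.0.53%lo).
    host = host.strip("[]").split("%", 1)[0]
    process = " ".join(fields[5:])  # empty when ss ran without -p or privileges
    return host, int(port), process


def is_off_host_reachable(host):
    """True when the bind address accepts connections from other machines."""
    if host == "*":  # ss notation for a dual-stack wildcard bind
        return True
    # 0.0.0.0 and :: are wildcards; any other non-loopback address is a real interface.
    return not ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output):
    """List listeners bound beyond loopback, sorted by port."""
    parsed = (parse_listener(line) for line in ss_output.splitlines())
    hits = [p for p in parsed if p and is_off_host_reachable(p[0])]
    return sorted(hits, key=lambda item: item[1])


if __name__ == "__main__":
    for host, port, process in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{host}:{port} {process}")
```

On a real system the input would come from running `ss -H -tlnp` (process names require sufficient privileges); the result shows what is bound, not what the active firewall zone actually lets through.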


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
