On 04/16/2014 01:11 AM, William Brown wrote:
On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote:
On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote:


What you need is clearly different "zones" that the user can configure
and associate to networks, with the default being that you trust nothing
and everything is firewalled when you roam a new network.

We have that already with zones in firewalld.

Kind of. If I open the network panel and find the 'Firewall zone' combo,
I am presented with a choice of:
Default
block
dmz
drop
external
home
internal
public
trusted
work

This list is far too long, and none of it is translated or even properly
capitalized. And there is no indication at all why one would choose any
zone over any other, and what consequences it has.

Agreed

Perhaps shorten to:

block
public
work
home

Oh yes. And when accompanied by a short explanation of what happens (how much is shared/blocked, what you may need to do manually to override the settings if setting up a service etc.), I think the user experience leaves little to be desired.

The other network zone names really seem targeted at servers. Maybe each
zone needs an attr that states if it's a workstation zone or not to
determine if it joins this list?


So, what you have currently is a raw bit of infrastructure that is
directly exposed to the end user, without any design or integration.




Additionally, the command line syntax to manage firewalld is obscene.
(maybe slightly off topic ...)

firewall-cmd --zone=foo --add-port=12345/tcp --permanent

It doesn't autocomplete in bash either (zsh at least prefills the -- and
gives you some options, but it's not great)

At least for the "power" user on a workstation, fixing this syntax to at
the minimum remove all the -- would be great. Follow that by nmcli
style short hand, and I would be a happy person. You could do:

firewalld-cmd z=foo a-p=12345/tcp perm



Because this syntax is "hard" I think that it even excludes power users
from wanting to make their firewall work on their system.



I don't think we want a 'firewall' UI anyway; the firewall is not
something most users can or should understand and make decisions about.

Never take decisions away from users.

The OSX style firewall works well when enabled. It blocks all by
default, then when an application wants a listening port, the user is
prompted to allow or deny it. I think this is a good model.


What I envision is that we will notify the user when we connect to a new
network, with a message along the lines of:

You have connected to a new network. If this is a public network, you
may want to stop sharing your Music and disable Remote Logins.
[Turn off sharing] [Continue sharing] [Sharing Preferences...]

And we will remember this for when you later reconnect to the same
network.

Why not set the firewall zone when you join the network? And the above
prompts alter that currently active zone?


I've filed a bug for this:
https://bugzilla.gnome.org/show_bug.cgi?id=727580


Matthias
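The thread proposes trimming the zone list to the few zones that matter on a workstation and pairing each with a short explanation of what it opens and what happens to everything else. As an added example (not from the thread, and not firewalld's own code), this Python reads zone definitions in the XML format firewalld uses for its zone files and renders that shortened, explained list; the zone texts are constructed, and the workstation="yes" attribute is a hypothetical marker standing in for the "attr" the thread suggests, not part of firewalld's real schema.

```python
import xml.etree.ElementTree as ET

# Constructed zone files in firewalld's /usr/lib/firewalld/zones/*.xml format.
# The workstation="yes" attribute is a hypothetical addition (the "attr" the
# thread suggests); real firewalld does not define it.
ZONE_XML = {
    "home": """<zone workstation="yes"><short>Home</short>
  <description>You mostly trust the other computers on the network.</description>
  <service name="ssh"/><service name="mdns"/><service name="samba-client"/>
  <service name="dhcpv6-client"/></zone>""",
    "public": """<zone workstation="yes"><short>Public</short>
  <description>You do not trust the other computers on the network.</description>
  <service name="ssh"/><service name="dhcpv6-client"/></zone>""",
    "block": """<zone target="%%REJECT%%" workstation="yes"><short>Block</short>
  <description>All incoming connections are rejected.</description></zone>""",
    "dmz": """<zone><short>DMZ</short>
  <description>For computers in your demilitarized zone.</description>
  <service name="ssh"/><port port="8080" protocol="tcp"/></zone>""",
}

# What happens to traffic not matched by a zone's services/ports, per target.
TARGET_TEXT = {
    "default": "everything else is rejected",
    "%%REJECT%%": "everything is rejected with an error",
    "DROP": "everything is silently dropped",
    "ACCEPT": "everything is allowed",
}

def parse_zone(name, xml_text):
    """Extract the fields a user-facing zone chooser needs from one zone file."""
    root = ET.fromstring(xml_text)
    return {
        "short": root.findtext("short", default=name),
        "description": (root.findtext("description") or "").strip(),
        "target": root.get("target", "default"),
        "workstation": root.get("workstation") == "yes",
        "opens": [s.get("name") for s in root.findall("service")]
        + [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")],
    }

def workstation_zones(zone_xml):
    """Shortened list of (short name, consequence text), workstation zones only."""
    entries = []
    for name, text in zone_xml.items():
        z = parse_zone(name, text)
        if not z["workstation"]:
            continue  # server-oriented zones (dmz, external, ...) stay hidden
        allowed = f"allows {', '.join(z['opens'])}; " if z["opens"] else ""
        entries.append((z["short"], allowed + TARGET_TEXT[z["target"]]))
    return entries
```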




--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct