> On 17 Apr 2014, at 2:26, Thomas Woerner <twoer...@redhat.com> wrote:
>
>> On 04/16/2014 06:43 PM, Tomasz Torcz wrote:
>> On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote:
>>>>> I think what you are describing could probably be realized with SELinux
>>>>> today, just with a special setroubleshoot frontend that catches the AVC
>>>>> when the service tries to listen and asks the user if he wants to allow
>>>>> it.
>>>>>
>>>>> However this would still not be completely sufficient as you completely
>>>>> lack any context about what network you are operating on.
>>>>>
>>>>> The firewall's purpose is to block access to local services on bad
>>>>> networks too; it is not a binary open/close equation when you have
>>>>> machines (laptops) that roam across a variety of networks.
>>>>>
>>>>> Simo.
>>>> Nothing worse than asking users security related questions about opening
>>>> firewall ports.
>>>> Users will just answer yes, whether or not they are being hacked.
>>>>
>>>> firefox wants to listen on port 9900 in order to see this page, OK?
>>>
>>>
>>> Which is not what I proposed, Dan.
>>>
>>> I in fact said we should *NOT* ask per application.
>>>
>>> What we should ask is one single question, upon connecting to an unknown
>>> network: "Is this network trusted?"
>>>
>>> If yes you open up to the local network. If no you keep ports not
>>> accessible on that network.
>>
>> But firewalld currently lacks the flexibility to express this fully.
>> Firewalld only classifies "whole" interfaces, which breaks badly in
>> many situations. Consider the following scenario: a VM with a single
>> network interface. This single interface has an RFC1918 IPv4 address AND
>> a globally accessible IPv6 address. How should it be described
>> in firewalld?
> firewalld supports having rules for IPv4 and/or IPv6.
>
>> – for any IPv4 incoming connection, this interface is in "trusted" ("home"?
>> I never know what home/work/dmz/etc really mean)
> You can fully customize all zones. This is the reason there is no simple
> description for each zone.
>
>> – for IPv6 incoming connection from 2001:6a0:138:1::/64 subnet, the zone
>> is still "trusted"
>> – for any other incoming connection the zone is "public" (I hope this
>> means "general Internet").
>>
>> Above is trivial in iptables, but impossible with firewalld's zones.
> firewalld also has the ability to bind zones to source addresses and address
> ranges. This might help here.

Should you define the trust based on the current subnet? Also, links to documentation on source binding, please.

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
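The source-binding approach Thomas mentions, written out for Tomasz's single-NIC VM scenario. This is an added example, not code from the thread or from the firewalld project. It assumes the NIC is named eth0, treats the three RFC1918 ranges as the trusted IPv4 side (rather than binding all of IPv4, so a misrouted public IPv4 packet still lands in public), and uses the IPv6 prefix quoted in the thread. The commands are only executed when firewall-cmd is installed and FIREWALLD_APPLY=1; otherwise the script prints them as a dry run.

```shell
#!/bin/sh
# Added example, not code from the thread or from the firewalld project.
# It expresses the VM scenario with firewalld source bindings rather than
# per-interface zones. Assumptions (mine): the single NIC is eth0, the
# trusted IPv4 side is the three RFC1918 ranges, and the trusted IPv6
# prefix is the one quoted in the thread. Commands are executed only when
# firewall-cmd exists AND FIREWALLD_APPLY=1; otherwise they are printed,
# so the script is safe to run anywhere as a dry run.

IFACE="${IFACE:-eth0}"
TRUSTED_V4="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
TRUSTED_V6="2001:6a0:138:1::/64"

# Run one firewall-cmd invocation, or print it in dry-run mode.
fw() {
    if [ "${FIREWALLD_APPLY:-0}" = "1" ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd "$@"
    else
        echo "firewall-cmd $*"
    fi
}

# The interface itself stays in public; only packets whose source matches
# a bound range are evaluated in trusted. firewalld checks source
# bindings before interface bindings, which is what makes this work on
# one NIC.
plan_zones() {
    fw --permanent --zone=public --change-interface="$IFACE"
    for net in $TRUSTED_V4; do
        fw --permanent --zone=trusted --add-source="$net"
    done
    fw --permanent --zone=trusted --add-source="$TRUSTED_V6"
    fw --reload
}

# Predict which zone a peer address lands in once the plan is applied.
# Pure shell prefix matching on the ranges above (canonical textual
# addresses only); on a real host the authoritative answer comes from
#   firewall-cmd --get-zone-of-source=<addr>
zone_for_source() {
    case "$1" in
        10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) echo trusted ;;
        2001:6a0:138:1:*) echo trusted ;;
        *) echo public ;;
    esac
}

plan_zones
```

Two checks worth running after applying it: `firewall-cmd --get-active-zones` should list eth0 under public and the five sources under trusted, and `firewall-cmd --get-zone-of-source=2001:6a0:138:1::5` should answer trusted while an address outside the prefix answers public. On a NetworkManager-managed host the interface-to-zone mapping is normally stored on the connection profile (`connection.zone`) rather than with `--change-interface`; the source bindings are unaffected by that.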