On 12/09/2014 03:57 PM, Christian Schaller wrote:




----- Original Message -----
From: "Brian Wheeler" <bdwhe...@indiana.edu>
To: devel@lists.fedoraproject.org
Sent: Tuesday, December 9, 2014 9:18:47 AM
Subject: Re: "Workstation" Product defaults to wide-open firewall

On 12/09/2014 08:50 AM, Richard Hughes wrote:



On 9 December 2014 at 13:39, Michael Catanzaro <mcatanz...@gnome.org> wrote:



So your challenge is to find an alternative default that
supports it.
I'd go even further. I don't think the people writing the vast number
of lengthy posts on this thread actually want to *use* workstation,
with the possible exception of Bastien who's having to defend
something he shouldn't have to. Reindl probably should just use the
server spin, or be prepared to actually configure his box to do what
he wants to be 100% paranoid and unusable for anything less than a
technical user. If you don't like what workstation has decided to do,
use another target, or a different distro entirely (like CentOS). If
you want to change how workstation is designed, join the working group
and please actually talk to people there. I think it's misguided to
think that hurling insults here is going to achieve change.

I think a lot of people also need to remember that workstation isn't
built for them, and that's okay. If you know how to configure iptables
then that's fine, but I'm happy to admit I don't, and normally just
switch off the firewall entirely so I can get stuff done. F21 will be
more secure for me, not less.

Ok, so what product/spin am I supposed to use? I'm a RHEL sysadmin but I use
Fedora on my desktop & laptop. I expect the firewall to be on so when I
evaluate a new piece of software or do a bit of network development I don't
inadvertently increase my exposure. I also expect things to work with the
minimum amount of fuss.

So it looks like my choices boil down to:
* Use the workstation project and spend a bunch of time locking it down to
what would be a reasonable default for the networks I use -- and hope I don't
miss anything.

Well I think it is hard for anyone to guess what would be reasonable defaults
for you specifically, any default is by its nature just targeting a generic
person, which might or might not be a lot like you.

But if you are aware and understand the finer details here then it isn't that
big a job to change it, you should be able to go into the network manager,
choose your connection, choose 'identity' (should probably be moved to be
under security?) and change the zone for your network to whatever suits you
better.


Please change the default zone, otherwise any new connection will get assigned to the weak zone again in the first place.

firewall-cmd --set-default-zone=public

This will change the default to public. All connections that are not explicitly bound to another zone will be automatically assigned to the default zone.

Thomas

Christian

* Use the server product and manually configure all of the workstation stuff
so I get a usable system

Neither of those choices seems reasonable to me, especially compared to the
status quo: a fully configured workstation where I open new ports as I
increase functionality.



--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
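
Added example, not part of the original thread: a small check to confirm which zone each interface actually landed in after changing the default zone as described above. It parses the text printed by `firewall-cmd --get-active-zones`; the zone name `FedoraWorkstation` and the sample interface names are assumptions, since the thread does not name them.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces still bound to a zone.
# Input is the text printed by `firewall-cmd --get-active-zones`.

# Constructed sample output; zone and interface names are assumptions.
SAMPLE_ACTIVE_ZONES='FedoraWorkstation
  interfaces: wlp3s0
public
  interfaces: enp0s25 virbr0'

# ifaces_in_zone ZONE: read active-zones text on stdin, print one
# interface per line for ZONE. Zone names start in column 1; their
# "interfaces:" / "sources:" lines are indented with spaces.
ifaces_in_zone() {
    awk -v zone="$1" '
        /^[^ ]/ { current = $1; next }
        current == zone && $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) print $i
        }
    '
}

# zone_unused ZONE: succeed only when no interface is bound to ZONE.
zone_unused() {
    left=$(ifaces_in_zone "$1")
    if [ -n "$left" ]; then
        echo "still in $1:" $left >&2
        return 1
    fi
}

# Demo on the sample. On a live system, pipe in the real output instead:
#   firewall-cmd --get-active-zones | zone_unused FedoraWorkstation
printf '%s\n' "$SAMPLE_ACTIVE_ZONES" | ifaces_in_zone FedoraWorkstation
```

A non-zero exit from `zone_unused` means at least one connection is still explicitly bound to that zone and was not moved by the default-zone change.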