Desktop issues discussion proposal

Brent Fox bfox at redhat.com
Fri Apr 23 15:51:51 UTC 2004 

On Thu, 2004-04-22 at 19:24, Havoc Pennington wrote:
> On Thu, 2004-04-22 at 16:50, jludwig wrote:
> > This would also be what I would like to see. For example, every time I
> > upgrade or load a system I get the "out of the box" firewall rules
> > without any other option. This is fine for average desktops and newbees,
> > but causes my extra configuration work.
> 
> I don't think more installer options will happen - everyone is very in
> favor of kicking that stuff to firstboot or to config tools post-boot.

I'd like to see the firewall screen removed from anaconda.  The
installer would then disallow all incoming traffic by default with the
possible exception of ssh.  Then move the firewall screen to firstboot
so that if the system is ever compromised, it's because the user
specifically chose to open something up.  We should try to be secure by
default.

Having said that, I think we could improve the firewall screen a bit. 
Users moving over from Windows have no idea what "SSH" or "SMTP"
connections are or why they would want to enable them.  Other services
in the list like "Telnet" should probably be removed since no one in
their right mind should use telnet anymore.

Of course, kickstart will still be there for people who have highly
customized configurations and need to roll them out to multiple
machines.

Cheers,
   Brent


> If you want to avoid manually configuring systems, what you want is
> kickstart.
> 
> For the firewall example specifically, there's no real reason firewalls
> on most systems should even _require_ configuration - we know what
> services are up, we should open those ports and close the other ports.
> On a desktop, that probably means everything is closed. If someone
> starts a service, the initscript or whatever can open the port.
> If you don't want a port open, stop the service.
> 
> Yes, some services can serve both local and remote users. Let those two
> aspects be started and stopped separately. "[ ] Receive print jobs from
> this machine" "[ ] Receive print jobs from other machines" - if both are
> unchecked, no print daemon starts.
> 
> But of course leave the config file, so if you really want some other
> firewall config, or are setting up a machine whose purpose is to be a
> firewall, rather than to be firewalled, you can create that config.
> And there might be a GUI for creating a custom firewall, covering common
> use-cases for that.
> 
> Havoc
> 
>

More information about the Fedora-desktop-list mailing list