What I HATE about F11

Lennart Poettering mzerqung at 0pointer.de
Sun Jun 14 18:08:31 UTC 2009


On Sun, 14.06.09 18:34, Matthew Garrett (mjg at redhat.com) wrote:

> > So, solving this is pretty easy, even for newbies. But I agree that the
> > error message will not help someone without advanced knowledge. Although
> > I think people running Samba generally will know where to look for the
> > problem.
> 
> I think this is actually a problem that needs solving. We have several 
> network services that are either installed by default or might be 
> expected to be part of a standard setup, but which don't work because of 
> the default firewall rules. The Anaconda people have (sensibly, IMHO) 
> refused to simply add further exceptions to the firewall policy.
> 
> So, what should happen here? Should we leave the firewall enabled in 
> these cases* by default and require admins to open them? If so, is there 
> any way that we can make this easier in some PackageKit-oriented manner? 
> If not, how should we define that packages indicate that they need ports 
> opened? Should this be handled at install time or run time?

Gah. Allowing packages to pierce the firewall just makes the firewall
redundant.

I still think that the current firewall situation on Fedora is pretty
much broken. It's a bit like SELinux: it's one of the first features
most people disable.

Fedora is the only big distro that enables a firewall by default and
thus creates a lot of trouble for many users. I think I mentioned that
before, and I can only repeat it here: we should not ship a firewall
enabled by default, like we currently do. If an application cannot be
trusted then it should not be allowed to listen on a port by default
in the first place. A firewall is an extra layer of security that
simply hides the actual problem.

Now, it's my impression that some people who control the packages in
question and believe in all this security theater more than I do seem
to be unwilling to loosen the default firewall. So as a bit of a
compromise here's what I suggest:

Add a very simple per-interface firewall profile system to
NetworkManager. Something that is easily reachable from the NM
applet. Something with just two simple profiles by default: one that
allows everything for use in trusted networks, and one that just
allows DNS, HTTP, VPN for use in untrusted networks (i.e. airport
APs). Admins could then add more profiles if they feel the need for
it. And one could bind those profiles to specific networks, so that
people would just have to configure them once. Of course, as
mentioned, these firewall profiles need to be per-interface so that a
VPN interface can be trusted, while the underlying WLAN iface doesn't
have to be trusted.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4
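
Added example, not part of the original message and not NetworkManager code: a sketch of the per-interface profile idea proposed above, turning (interface, network) pairs into iptables rules scoped to each interface. The profile and network names, the reading of "allows DNS, HTTP, VPN" as outbound destination ports, and the choice of OpenVPN's default port for "VPN" are all assumptions.

```python
# Added illustration: names, bindings and port choices are assumptions.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    allow_all: bool = False
    allowed: tuple = ()   # (protocol, destination port) for new outbound flows

TRUSTED = Profile("trusted", allow_all=True)
UNTRUSTED = Profile("untrusted", allowed=(
    ("udp", 53), ("tcp", 53),   # DNS
    ("tcp", 80),                # HTTP
    ("udp", 1194),              # VPN (assumed: OpenVPN's default port)
))

# Constructed bindings: network name -> profile, set once by the user.
BINDINGS = {"home-wlan": TRUSTED, "corp-vpn": TRUSTED}

def profile_for(network):
    # Unbound networks (e.g. an airport AP) get the restrictive profile.
    return BINDINGS.get(network, UNTRUSTED)

def rules_for(iface, network):
    """iptables commands for one interface; other interfaces are unaffected."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,14}", iface):
        raise ValueError(f"bad interface name: {iface!r}")
    if profile_for(network).allow_all:
        return [f"iptables -A INPUT -i {iface} -j ACCEPT",
                f"iptables -A OUTPUT -o {iface} -j ACCEPT"]
    est = "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    rules = [f"iptables -A INPUT -i {iface} {est}",
             f"iptables -A OUTPUT -o {iface} {est}"]
    for proto, port in profile_for(network).allowed:
        rules.append(
            f"iptables -A OUTPUT -o {iface} -p {proto} --dport {port} -j ACCEPT")
    return rules + [f"iptables -A INPUT -i {iface} -j DROP",
                    f"iptables -A OUTPUT -o {iface} -j DROP"]

def ruleset(active):
    """active: (interface, network) pairs that are currently up."""
    return [r for iface, net in active for r in rules_for(iface, net)]

if __name__ == "__main__":
    # VPN tunnel trusted, the WLAN underneath it untrusted.
    print("\n".join(ruleset([("tun0", "corp-vpn"), ("wlan0", "airport-ap")])))
```

The rules are only generated as strings; applying them requires root and a decision about the base chain policy, which this sketch leaves out.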




More information about the fedora-devel-list mailing list