Przemek Klosowski wrote:
> I think that we should start with the low hanging fruit and simplify the
> firewall zones to two : a public, restricted one and a home/private with
> more ports open; selected by user for each new interface.
Those 2 zones are basically what is defined now with that Workstation
configuration, the problem is that the default is the trusted zone, whereas
the default should be untrusted. (Secure by default.) And I also disagree
that opening ALL unprivileged ports is a sane implementation of the
home/private zone, it's trusting it almost completely.
And finally, I believe that if we do ship a trusted zone in Fedora (which,
as per the above, should NOT be the default as it is now in Workstation), it
should be defined by the firewalld maintainer(s) (the current one was
defined by the Workstation WG) and shipped by the stock firewalld package
(not a product-specific subpackage). Doing this per product is a totally
broken approach.
Kevin Kofler
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
