Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-23 Thread Liam
On Apr 23, 2014 4:29 AM, "Reindl Harald" wrote: > > > > Am 23.04.2014 07:52, schrieb Liam: > > On Apr 22, 2014 5:09 AM, "Christian Schaller" wrote: > >> I think this is a misunderstanding of who a developer might be and why they choose > >> a system. Those of my friends and acquaintances, who are

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-23 Thread Michael Catanzaro
On Wed, 2014-04-23 at 11:37 +0200, Thomas Woerner wrote: > There have been plans to query for the zone that should be used for a > connection before activating this connection for the first time. > There > are even sketches for this. But as I said before, this has been > rejected > by the deskto

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-23 Thread Thomas Woerner
On 04/22/2014 09:17 PM, Russell Doty wrote: On Tue, 2014-04-22 at 15:04 -0400, Simo Sorce wrote: On Tue, 2014-04-22 at 14:41 -0400, Russell Doty wrote: On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote: On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote: On Tue, 2014-04-22 at 19:01 +0200

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-23 Thread Reindl Harald
Am 23.04.2014 07:52, schrieb Liam: > On Apr 22, 2014 5:09 AM, "Christian Schaller" wrote: >> I think this is a misunderstanding of who a developer might be and why they >> choose >> a system. Those of my friends and acquaintances, who are developers and who >> over the >> years have decided to

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Liam
On Apr 22, 2014 5:09 AM, "Christian Schaller" wrote: > > > > > > - Original Message - > > From: "Liam" > > To: "Development discussions related to Fedora" < devel@lists.fedoraproject.org> > > Sent: Monday, April 2

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Russell Doty
On Tue, 2014-04-22 at 15:04 -0400, Simo Sorce wrote: > On Tue, 2014-04-22 at 14:41 -0400, Russell Doty wrote: > > On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote: > > > On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote: > > > > On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote: > > >

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Bill Nottingham
Miloslav Trmač (m...@volny.cz) said: > AFAICS this discussion basically says "applications can't depend on > firewalld, therefore they can't use firewalld APIs, therefore they wouldn't > know whether the firewall restricts them, therefore firewalld must be > removed". > > The only given reason wh

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Simo Sorce
On Tue, 2014-04-22 at 14:41 -0400, Russell Doty wrote: > On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote: > > On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote: > > > On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote: > > > > 2014-04-22 13:40 GMT+02:00 Stephen Gallagher : > > > >

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Russell Doty
On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote: > On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote: > > On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote: > > > 2014-04-22 13:40 GMT+02:00 Stephen Gallagher : > > > 3) Recovery and auditing are more important than prevention.

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Simo Sorce
On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote: > On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote: > > 2014-04-22 13:40 GMT+02:00 Stephen Gallagher : > > 3) Recovery and auditing are more important than prevention. > > > > This is only true for large managed enterprises, whe

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Russell Doty
On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote: > 2014-04-22 13:40 GMT+02:00 Stephen Gallagher : > 3) Recovery and auditing are more important than prevention. > > This is only true for large managed enterprises, where recovery is > possible in the first place (how many people don

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Stephen John Smoogen
On 22 April 2014 05:40, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Since you missed the link: https://www.youtube.com/watch?v=jYGgVUYjXQ8 > > I too recommend that everyone gives it a look. It is very insightful > and helpful in understanding what people really

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Reindl Harald
Am 22.04.2014 19:01, schrieb Miloslav Trmač: > 2014-04-22 13:40 GMT+02:00 Stephen Gallagher >: > > 3) Recovery and auditing are more important than prevention. > > This is /only/ true for large managed enterprises, where recovery is possible > in the first plac

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Miloslav Trmač
2014-04-22 13:40 GMT+02:00 Stephen Gallagher : > 3) Recovery and auditing are more important than prevention. > This is *only* true for large managed enterprises, where recovery is possible in the first place (how many people don't have good backups?), and prevention is bordering on impossible (w

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Miloslav Trmač
2014-04-20 23:20 GMT+02:00 Lars Seipel : > On Thu, Apr 17, 2014 at 11:44:58PM +0200, Miloslav Trmač wrote: > > We don't, actually. *Only* applications running in a session of a member > > of the wheel group would have that right, and those applications are > pretty > > much root-equivalent anyway

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Miloslav Trmač
2014-04-20 22:56 GMT+02:00 Reindl Harald : > than just install one of the already available by default > unsecure operating systems instead damage Linux and bring > it in the same bad shape Note that there *aren't* any major "available by default unsecure operating systems" nowadays: Windows has

Friends foundation [was Re: F21 System Wide Change: Workstation: Disable firewall]

2014-04-22 Thread Matthew Miller
On Tue, Apr 22, 2014 at 05:05:24AM -0400, Christian Schaller wrote: > As a sidenote, there has been a lot of discussions on this and other Fedora > lists > over the last few Months where people have loudly come out against what they > see > as infringements on the Freedom part of the four F's. Hav

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Pete Travis
On Apr 22, 2014 3:05 AM, "Christian Schaller" wrote: ... > > As a sidenote, there has been a lot of discussions on this and other Fedora lists > over the last few Months where people have loudly come out against what they see > as infringements on the Freedom part of the four F's. Having seen this

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Christian Schaller
- Original Message - > From: "Stephen Gallagher" > To: devel@lists.fedoraproject.org > Sent: Tuesday, April 22, 2014 1:40:05 PM > Subject: Re: F21 System Wide Change: Workstation: Disable firewall > > -BEGIN PGP SIGNED MESSAGE- > Hash: S

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Stephen Gallagher
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 04/22/2014 05:43 AM, Christian Schaller wrote: > > > > > - Original Message - >> From: "Thomas Woerner" To: >> devel@lists.fedoraproject.org Sent: Tuesday, April 22, 2014 >> 11:23:46 AM Subje

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Christian Schaller
- Original Message - > From: "Thomas Woerner" > To: devel@lists.fedoraproject.org > Sent: Tuesday, April 22, 2014 11:23:46 AM > Subject: Re: F21 System Wide Change: Workstation: Disable firewall > > On 04/21/2014 12:22 AM, drago01 wrote: > > On Mon

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread drago01
On Tue, Apr 22, 2014 at 11:23 AM, Thomas Woerner wrote: > On 04/21/2014 12:22 AM, drago01 wrote: >> >> On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald >> wrote: >> >>> * there are network services enabled by default >> >> >> Again that's a bug and a violation of the guidelines. Which services >>

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Thomas Woerner
On 04/21/2014 12:22 AM, drago01 wrote: On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald wrote: * there are network services enabled by default Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs. * avahi is one of them You keep list

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-22 Thread Christian Schaller
- Original Message - > From: "Liam" > To: "Development discussions related to Fedora" > > Sent: Monday, April 21, 2014 10:10:13 PM > Subject: Re: F21 System Wide Change: Workstation: Disable firewall > > > > > On Apr 21, 2

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-21 Thread Liam
On Apr 21, 2014 4:32 AM, "drago01" wrote: > > On Mon, Apr 21, 2014 at 3:49 AM, Liam wrote: > > Sent from mYphone > > > > > > On Apr 20, 2014 7:02 PM, "drago01" wrote: > >> > >> On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald > >> wrote: > >> > >> >> There have been other suggestions in this thr

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-21 Thread Orcan Ogetbil
On Mon, Apr 21, 2014 at 4:25 AM, drago01 wrote: > On Mon, Apr 21, 2014 at 6:17 AM, Orcan Ogetbil wrote: >> On Sun, Apr 20, 2014 at 6:59 PM, drago01 wrote: >>> There is difference between a software developer, a sysadmin and a >>> user that simply wants to share his music with his family. The latte

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-21 Thread Reindl Harald
Am 21.04.2014 11:13, schrieb drago01: > On Mon, Apr 21, 2014 at 10:50 AM, Reindl Harald > wrote: >> Am 21.04.2014 10:25, schrieb drago01: >>> I did learn those things so did probably you and Harald but designing >>> an operating system that requires deep technical understanding to be >>> used is

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-21 Thread drago01
On Mon, Apr 21, 2014 at 10:50 AM, Reindl Harald wrote: > > > Am 21.04.2014 10:25, schrieb drago01: >> I did learn those things so did probably you and Harald but designing >> an operating system that requires deep technical understanding to be >> used is just a failure on our part > > you don't ge

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-21 Thread Reindl Harald
Am 21.04.2014 10:25, schrieb drago01: > I did learn those things so did probably you and Harald but designing > an operating system that requires deep technical understanding to be > used is just a failure on our part you don't get it - ship dangerous defaults is just a failure on our part the

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-21 Thread drago01
On Mon, Apr 21, 2014 at 3:49 AM, Liam wrote: > Sent from mYphone > > > On Apr 20, 2014 7:02 PM, "drago01" wrote: >> >> On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald >> wrote: >> >> >> There have been other suggestions in this thread that are helpful like >> >> the network zones thing (but we s

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-21 Thread drago01
On Mon, Apr 21, 2014 at 6:17 AM, Orcan Ogetbil wrote: > On Sun, Apr 20, 2014 at 6:59 PM, drago01 wrote: >> There is difference between a software developer, a sysadmin and a >> user that simply wants to share his music with his family. The latter >> should not have to learn about computer securi

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-21 Thread Reindl Harald
Am 21.04.2014 06:17, schrieb Orcan Ogetbil: > On Sun, Apr 20, 2014 at 6:59 PM, drago01 wrote: >> There is difference between a software developer, a sysadmin and a >> user that simply wants to share his music with his family. The latter >> should not have to learn about computer security to do i

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Orcan Ogetbil
On Sun, Apr 20, 2014 at 6:59 PM, drago01 wrote: > There is difference between a software developer, a sysadmin and a > user that simply wants to share his music with his family. The latter > should not have to learn about computer security to do it, Why not? I lock my door every night before I

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Liam
Sent from mYphone On Apr 20, 2014 7:02 PM, "drago01" wrote: > > On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald wrote: > > >> There have been other suggestions in this thread that are helpful like > >> the network zones thing (but we still have too many zones) or enabling > >> services should mak

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Reindl Harald
Am 21.04.2014 00:59, schrieb drago01: > On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald > wrote: > >>> There have been other suggestions in this thread that are helpful like >>> the network zones thing (but we still have too many zones) or enabling >>> services should make them work i.e >>> ju

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread drago01
On Mon, Apr 21, 2014 at 12:39 AM, Reindl Harald wrote: >> There have been other suggestions in this thread that are helpful like >> the network zones thing (but we still have too many zones) or enabling >> services should make them work i.e >> just enable the firewall rules. > > which make sense

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Reindl Harald
Am 21.04.2014 00:22, schrieb drago01: > On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald > wrote: > >> * there are network services enabled by default > > Again that's a bug and a violation of the guidelines. Which services > are you talking about? > Please file bugs. please stop to prove eve

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread drago01
On Mon, Apr 21, 2014 at 12:02 AM, Reindl Harald wrote: > * there are network services enabled by default Again that's a bug and a violation of the guidelines. Which services are you talking about? Please file bugs. > * avahi is one of them You keep listing this as an example but avahi is not o

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Reindl Harald
Am 20.04.2014 23:44, schrieb drago01: > On Sun, Apr 20, 2014 at 10:56 PM, Reindl Harald > wrote: >> after you booted the new installed machine and open ports of >> possible vulnerable services which needs updates it is >> *too late* to enable the firewall for preventing already >> happened dam

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread drago01
On Sun, Apr 20, 2014 at 11:20 PM, Lars Seipel wrote: > On Thu, Apr 17, 2014 at 11:44:58PM +0200, Miloslav Trmač wrote: >> We don't, actually. *Only* applications running in a session of a member >> of the wheel group would have that right, and those applications are pretty >> much root-equivalent

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread drago01
On Sun, Apr 20, 2014 at 10:56 PM, Reindl Harald wrote: > after you booted the new installed machine and open ports of > possible vulnerable services which needs updates it is > *too late* to enable the firewall for preventing already > happened damaged Do you even know how backwards that reads?

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Isaac Cortés González
Guys, 1st April was a long time ago, stop this kind of stupidity. How in the earth would be a good idea to have the firewall disabled by default? I mean you're all graduate from college/university, right? You have the capacity to think, am I right? -- devel mailing list devel@lists.fedoraproject.

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Lars Seipel
On Thu, Apr 17, 2014 at 11:44:58PM +0200, Miloslav Trmač wrote: > We don't, actually. *Only* applications running in a session of a member > of the wheel group would have that right, and those applications are pretty > much root-equivalent anyway. (Many GNOME users probably use such a setup, > bu

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Reindl Harald
Am 20.04.2014 22:44, schrieb drago01: > On Sun, Apr 20, 2014 at 10:15 PM, Reindl Harald > wrote: >> Am 20.04.2014 20:19, schrieb drago01: >>> On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler >>> wrote: Christian Schaller wrote: > where we at the same time need to allow each user to have

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread drago01
On Sun, Apr 20, 2014 at 10:15 PM, Reindl Harald wrote: > > > Am 20.04.2014 20:19, schrieb drago01: >> On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler wrote: >>> Christian Schaller wrote: where we at the same time need to allow each user to have any port they desire opened for traffic to m

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Reindl Harald
Am 20.04.2014 20:19, schrieb drago01: > On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler wrote: >> Christian Schaller wrote: >>> where we at the same time need to allow each user to have any port they >>> desire opened for traffic to make sure things like DLNA or Chromecast >>> works. >> >> Such th

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread drago01
On Sun, Apr 20, 2014 at 6:53 PM, Kevin Kofler wrote: > Christian Schaller wrote: >> where we at the same time need to allow each user to have any port they >> desire opened for traffic to make sure things like DLNA or Chromecast >> works. > > Such things MUST NOT be enabled by default. No one sug

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Kevin Kofler
Jaroslav Reznik wrote, on behalf of Matthias Clasen: > The firewalld service will not be enabled by default in the workstation > product. WTF? So we're going to disable security by default? We are forcing such a PITA as SELinux that breaks applications on all users by default, yet we will let sy

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-20 Thread Kevin Kofler
Christian Schaller wrote: > where we at the same time need to allow each user to have any port they > desire opened for traffic to make sure things like DLNA or Chromecast > works. Such things MUST NOT be enabled by default. Kevin Kofler -- devel mailing list devel@lists.fedoraproject.o

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Igor Gnatenko
On Apr 15, 2014 1:02 PM, "Jaroslav Reznik" wrote: > > = Proposed System Wide Change: Workstation: Disable firewall = > https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall > > Change owner(s): Matthias Clasen > > The firewalld service will not be enabled by default in the workstati

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread William
> On 17 Apr 2014, at 2:26, Thomas Woerner wrote: > >> On 04/16/2014 06:43 PM, Tomasz Torcz wrote: >> On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote: > I think what you are describing could be probably realized with SELinux > today, just with a special setroubleshoot frontend

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread William
> On 18 Apr 2014, at 7:37, Mattia Verga wrote: > > +1 > > Can't UPnP be used also for opening ports in iptables firewall (maybe > developing some tools for that)? Upnp is almost always abused. Please don't use it. > > Il 15/04/2014 15:42, Simone Caronni ha scritto: >>> On 15 April 2014 1

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Mattia Verga
+1 Can't UPnP be used also for opening ports in iptables firewall (maybe developing some tools for that)? Il 15/04/2014 15:42, Simone Caronni ha scritto: On 15 April 2014 14:35, Christopher > wrote: Whoa, the fact that the Firewall is on by default in Fedora (

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
2014-04-17 23:51 GMT+02:00 Chuck Anderson : > > To be perfectly clear, vast majority of network applications work > perfectly > > fine. Network *servers* need manual intervention. > > Not just servers. Clients that do broadcast or multicast discovery of > other systems acting as servers can also

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Chuck Anderson
On Thu, Apr 17, 2014 at 11:42:30PM +0200, Miloslav Trmač wrote: > Hello, > 2014-04-16 14:28 GMT+02:00 Josh Boyer : > > > For a quick summary: > > > > 1) With a firewall enabled, network services don't work without manual > > intervention. > > > > To be perfectly clear, vast majority of network ap

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
Hello, 2014-04-15 16:28 GMT+02:00 Christian Schaller : > - Original Message - > > From: "Reindl Harald" > > To: devel@lists.fedoraproject.org > > Sent: Tuesday, April 15, 2014 11:40:20 AM > > Subject: Re: F21 System Wide Change: Workstation: Disable

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
Hello, 2014-04-15 11:01 GMT+02:00 Jaroslav Reznik : > = Proposed System Wide Change: Workstation: Disable firewall = > https://fedoraproject.org/wiki/Changes/Workstation_Disable_Firewall > > == Detailed Description == > The current level of integration into the desktop and applications does not >

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
Hello, 2014-04-16 14:28 GMT+02:00 Josh Boyer : > For a quick summary: > > 1) With a firewall enabled, network services don't work without manual > intervention. > To be perfectly clear, vast majority of network applications work perfectly fine. Network *servers* need manual intervention. 2) Wit

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
2014-04-16 1:28 GMT+02:00 Simo Sorce : > if the users wants more flexibility then they would create new > zones (like home, work, cafe, library, etc..) perhaps by cloning > existing ones and then tweak the list of applications allowed to serve > content in those zones. > It would be better if the

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
2014-04-15 22:49 GMT+02:00 Matthias Clasen : (firewalld features) > So, what you have currently is a raw bit of infrastructure that is > directly exposed to the end user, without any design or integration. > That's *precisely* what the underlying infrastructure should do, isn't it? It's up to the

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
2014-04-15 18:13 GMT+02:00 Andrew Lutomirski : > > Example: user installs software X... but oops, they didn't realize it > > was going to listen on port Y but that's okay, because no firewall > > rule has been enabled to allow traffic on port Y, so the user is > > secure. > > This sounds like

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
Hello, Just some clarifications so that we are all on the same page; those don't significantly affect the larger discussion though... 2014-04-15 17:40 GMT+02:00 Andrew Lutomirski : > Can someone explain what threat is effectively mitigated by a firewall > on a workstation machine? Here are some

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Miloslav Trmač
2014-04-15 15:59 GMT+02:00 Michael Catanzaro : > On Tue, 2014-04-15 at 14:35 +0200, Zbigniew Jędrzejewski-Szmek wrote: > > What needs to be done to improve the firewall integration? > > > > Zbyszek > > The rule in the Workstation technical spec is: "A firewall in its > default configuration may no

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Michael Catanzaro
On Thu, 2014-04-17 at 12:26 -0400, Paul Wouters wrote: > For DNS issues we have similar issues. A sane default seems to be that > if you plugin a cable or you enter wifi WPA(2) details, you are > trusting the network you are connecting to per default. (with NM > override options for corner cases li

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Reindl Harald
Am 17.04.2014 18:26, schrieb Paul Wouters: > On Thu, 17 Apr 2014, Daniel J Walsh wrote: > >> Didn't mean to accuse you of saying that. I do like the idea of asking >> if you are on a "trusted" network. > > For DNS issues we have similar issues. A sane default seems to be that > if you plugin a c

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Paul Wouters
On Thu, 17 Apr 2014, Daniel J Walsh wrote: Didn't mean to accuse you of saying that. I do like the idea of asking if you are on a "trusted" network. For DNS issues we have similar issues. A sane default seems to be that if you plugin a cable or you enter wifi WPA(2) details, you are trusting

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Daniel J Walsh
On 04/16/2014 09:32 AM, Simo Sorce wrote: > On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote: >> On 04/15/2014 09:31 AM, Simo Sorce wrote: >>> On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: I keep thinking that, if I had unlimited time, I'd write a totally different k

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-17 Thread Tomas Radej
On 04/16/2014 01:11 AM, William Brown wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: What you need is clearly different "zones" that the user can configure and associate to networks, with the default being that you t

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Christopher
On Wed, Apr 16, 2014 at 6:55 PM, Lars Seipel wrote: > On Tue, Apr 15, 2014 at 08:14:01PM -0400, Christopher wrote: >> > Perhaps shorten to: >> > >> > block >> > public >> > work >> > home >> >> That is a much more intuitive default set. > > Is it? What's supposed to be the difference between work

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Andrew Lutomirski
On Wed, Apr 16, 2014 at 3:58 PM, Matthew Miller wrote: > On Thu, Apr 17, 2014 at 12:55:31AM +0200, Lars Seipel wrote: >> > > Perhaps shorten to: >> > > block >> > > public >> > > work >> > > home >> > That is a much more intuitive default set. >> Is it? What's supposed to be the difference between

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Matthew Miller
On Thu, Apr 17, 2014 at 12:55:31AM +0200, Lars Seipel wrote: > > > Perhaps shorten to: > > > block > > > public > > > work > > > home > > That is a much more intuitive default set. > Is it? What's supposed to be the difference between work and home? I don't know if it's intuitive or not, but I can

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Lars Seipel
On Tue, Apr 15, 2014 at 08:14:01PM -0400, Christopher wrote: > > Perhaps shorten to: > > > > block > > public > > work > > home > > That is a much more intuitive default set. Is it? What's supposed to be the difference between work and home? Lars -- devel mailing list devel@lists.fedoraproject.o

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Tomasz Torcz
On Wed, Apr 16, 2014 at 06:56:21PM +0200, Thomas Woerner wrote: > > – for any IPv4 incoming connection, this interface is in ”trusted” > > (”home”? > > I never know what home/work/dmz/etc really mean) > You can full customize all zones. This is the reason there is no > simple description for

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Thomas Woerner
On 04/16/2014 06:43 PM, Tomasz Torcz wrote: On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote: I think what you are describing could be probably realized with SELinux today, just with a special setroubleshoot frontend that catches the AVC when the service tries to listen and ask the use

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Josh Boyer
On Wed, Apr 16, 2014 at 12:43 PM, Tomasz Torcz wrote: > On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote: >> > > I think what you are describing could be probably realized with SELinux >> > > today, just with a special setroubleshoot frontend that catches the AVC >> > > when the service

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Simo Sorce
On Wed, 2014-04-16 at 18:43 +0200, Tomasz Torcz wrote: > On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote: > > > > I think what you are describing could be probably realized with SELinux > > > > today, just with a special setroubleshoot frontend that catches the AVC > > > > when the servi

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Josh Boyer
On Wed, Apr 16, 2014 at 12:39 PM, Simo Sorce wrote: > On Wed, 2014-04-16 at 08:28 -0400, Josh Boyer wrote: >> A reduced set of zones firewall rules and proper integration in >> whatever implementation is chosen would seem to be the middle ground >> here. I like the middle ground. Maybe we cou

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Tomasz Torcz
On Wed, Apr 16, 2014 at 12:32:02PM -0400, Simo Sorce wrote: > > > I think what you are describing could be probably realized with SELinux > > > today, just with a special setroubleshoot frontend that catches the AVC > > > when the service tries to listen and ask the user if he wants to allow > > >

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Simo Sorce
On Wed, 2014-04-16 at 08:28 -0400, Josh Boyer wrote: > On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone wrote: > > On 16 April 2014 00:11, William Brown wrote: > >> On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: > > > >>> I don't think we want a 'firewall' UI anyway; the firewall is not > >

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Simo Sorce
On Wed, 2014-04-16 at 05:40 -0700, Daniel J Walsh wrote: > On 04/15/2014 09:31 AM, Simo Sorce wrote: > > On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: > >> I keep thinking that, if I had unlimited time, I'd write a totally > >> different kind of firewall. It would allow some policy (

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread poma
On 16.04.2014 14:40, Daniel J Walsh wrote: > Nothing worse than asking Users Security related questions about opening > firewall ports. > Users will just answer yes, whether or not they are being hacked. > > firefox wants to listen on port 9900 in order to see this page, OK? > > %99.999 will ans

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread poma
On 16.04.2014 12:31, Thomas Woerner wrote: > On 04/15/2014 10:49 PM, Matthias Clasen wrote: >> On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: >> What you need is clearly different "zones" that the user can configure and associate to networks, with the default being that you

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Jóhann B. Guðmundsson
On 04/16/2014 12:40 PM, Daniel J Walsh wrote: But there would need to be a provable way to guarantee that only the XYZ application is able to open those ports. Same way there needs to be provable way for end users to guarantee they aren't receiving false positive selinux alerts to begin with.

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Josh Boyer
On Wed, Apr 16, 2014 at 8:59 AM, Thomas Woerner wrote: > On 04/16/2014 02:28 PM, Josh Boyer wrote: >> >> On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone wrote: >>> >>> On 16 April 2014 00:11, William Brown wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: >>> >>> > I don

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Thomas Woerner
On 04/16/2014 02:28 PM, Josh Boyer wrote: On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone wrote: On 16 April 2014 00:11, William Brown wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: I don't think we want a 'firewall' UI anyway; the firewall is not something most users can or

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Daniel J Walsh
On 04/15/2014 09:31 AM, Simo Sorce wrote: > On Tue, 2014-04-15 at 09:13 -0700, Andrew Lutomirski wrote: >> I keep thinking that, if I had unlimited time, I'd write a totally >> different kind of firewall. It would allow some policy (userspace >> daemon or rules loaded into the kernel) to determin

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Josh Boyer
On Wed, Apr 16, 2014 at 7:11 AM, Ian Malone wrote: > On 16 April 2014 00:11, William Brown wrote: >> On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: > >>> I don't think we want a 'firewall' UI anyway; the firewall is not >>> something most users can or should understand and make decisio

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Ian Malone
On 16 April 2014 00:11, William Brown wrote: > On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: >> I don't think we want a 'firewall' UI anyway; the firewall is not >> something most users can or should understand and make decisions of. > > Never take decisions away from users. > > The O

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Thomas Woerner
On 04/16/2014 02:18 AM, Chuck Anderson wrote: On Tue, Apr 15, 2014 at 07:28:35PM -0400, Simo Sorce wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: You have connected to a new network. If this is a public network, you may want to stop sharing your Music and disable Remote Logi

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Thomas Woerner
On 04/16/2014 01:11 AM, William Brown wrote: On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: What you need is clearly different "zones" that the user can configure and associate to networks, with the default being that you tru

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Thomas Woerner
On 04/15/2014 10:49 PM, Matthias Clasen wrote: On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: What you need is clearly different "zones" that the user can configure and associate to networks, with the default being that you trust nothing and everything is firewalled when you roam a n

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Thomas Woerner
On 04/15/2014 09:14 PM, Michael Cronenworth wrote: Christian Schaller wrote: We already allow that and have for a long while. Any application bothering to support the firewalld dbus interface can open any port they wish to. Good luck getting software to add this. A more sensible option would

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Vikram Goyal
The scenario is scary, too many proposals/changes with negative connotations. Have we been breached... -- vikram... ^^'^^||root||^^^'''^^ // \\ )) //(( \\// \\ // /\\ || \\ || / )) ((\\ -- Our missions are peaceful --

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Vikram Goyal
On Tue, Apr 15, 2014 at 08:03:16PM +0200, Andreas Tunek wrote: > I just want to say that I really support this feature. I do not see > any point in a firewall for a "Workstation". > > BTW, while we are on the subject, does anyone know how to actually > disable the firewall in Fedora 20? I haven't

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-16 Thread Alec Leamas
On 4/15/14, Michael Catanzaro wrote: > On Tue, 2014-04-15 at 20:31 +0200, Alec Leamas wrote: >> Anyway, I get the feeling that the hunt for the "really proper" fix is >> not that fruitful here. OTOH, if you limit the goals to fulfill the >> basic statement to not let the default configuration of f

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-15 Thread Garry T. Williams
On 4-15-14 11:55:17 Reindl Harald wrote: > short ago it was proposed "drop tcpwrapper from the distribution > because there is a firewall and we should rely on a single layer of > defense" followed directly by "oh and now let us disable that > security layer in a default install" +1 -- Garry T. W

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-15 Thread Chuck Anderson
On Tue, Apr 15, 2014 at 07:28:35PM -0400, Simo Sorce wrote: > On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: > > > > You have connected to a new network. If this is a public network, you > > may want to stop sharing your Music and disable Remote Logins. > > [Turn off sharing] [Continue

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-15 Thread Christopher
On Tue, Apr 15, 2014 at 7:11 PM, William Brown wrote: > On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: >> On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: >> >> > > >> > > What you need is clearly different "zones" that the user can configure >> > > and associate to networks, wi

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-15 Thread Simo Sorce
On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: > > You have connected to a new network. If this is a public network, you > may want to stop sharing your Music and disable Remote Logins. > [Turn off sharing] [Continue sharing] [Sharing Preferences...] So if you have 4 different service

Re: F21 System Wide Change: Workstation: Disable firewall

2014-04-15 Thread William Brown
On Tue, 2014-04-15 at 13:49 -0700, Matthias Clasen wrote: > On Tue, 2014-04-15 at 20:41 +0200, Thomas Woerner wrote: > > > > > > > What you need is clearly different "zones" that the user can configure > > > and associate to networks, with the default being that you trust nothing > > > and everyth
