----- Original Message -----
> Hi everyone,
> Plans for Fedora 21
> * The Desktop team will look into creating a UI that asks you when you
> connect to a new wireless network if you consider it trusted or not.
> wording of the question and look of dialog etc. will need to be worked
> This setting will be remembered for that network. If the user says trusted the
> zone used will be 'trusted', if not trusted then current default will be
> used. Should be simple enough to not confuse users, yet improve their
> security on public networks.
> * Other connection types will keep the current default which sucks a bit
> your home ethernet, but we don't currently have a good way to identify
> ethernet connection and popping up a dialog every time you connect is
> probably a worse user experience than having to google a bit.
> Matthias started a prototype of this already here:
The plan has changed slightly after discussions with designers (Allan in
and firewalld hackers (Miloslav Trmac and Thomas Woerner).
There were two main uses to the firewall:
- Security, this is to avoid particular services from ever being seen on
This also accounts for packaging errors which mean that unwanted services
enabled when the package is installed, and listening on the network when
be, as noticed recently: https://fedorahosted.org/fesco/ticket/1310
- Privacy, avoid unwanted data about the user, or their setup from being
broadcast on the local network. That means my user name, my real name (!),
the version of my OS, etc.
I reviewed the default network services available on a stock Fedora
installation, and we came up with the following plan.
1) Work with QE to set up a way to avoid security regressions, as the
mentioned above. This will mean adding tests at the distro level.
Hopefully Tim Flink, CC:ed, can help me with creating those tests
2) Create a new firewalld zone for use by Workstation. This would block all
services (port < 1024) except a few whitelisted ones (see Google
so as to mitigate #1
3) Add Network awareness to GNOME's controls of system-wide sharing. When
from the network, or connecting to a new unknown network, we would ensure
that all sharing (we can control) is disabled. Each of the possible shared items
controlled independently for each network. This means that your music
automatically be shared when at home, but disabled when at the coffee
We'll also have a way for users to disable sharing that was previously
that network being the current one. Subject to changes, here are some
In the future this could be further controlled through application
Some things that are currently outside of scope, and will need to be
- NFS client or server support. NFS 101 tells you to check the firewall
you'll still need to do that.
- Support for network printers enumeration when mDNS is disallowed on the
(this opens up UDP port 631 on the local machine)
> Long term plans
> * Work with NetworkManager team to see if we can come up with a way to
> identify ethernet connections in a similar manner
This would still be useful:
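As an added example, not code from this thread or from Fedora QE, here is the shape a distro-level regression check from item 1) could take: parse the listening sockets reported by `ss -Hlntu` (assumed iproute2 layout; the sample below is constructed, not captured from a real install) and flag any privileged port (< 1024) exposed on a non-loopback address that is not on the whitelist. The whitelist contents are an assumption, since the thread does not name the whitelisted services.

```python
import subprocess

# Hypothetical whitelist: the thread mentions "a few whitelisted" services but
# does not name them, so this set is an assumption made for the example.
WHITELIST = {("tcp", 22)}  # sshd
PRIVILEGED_MAX = 1023      # the proposed zone blocks ports < 1024
LOOPBACK = ("127.", "[::1]")

# Constructed sample in `ss -Hlntu` layout: Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
udp   UNCONN 0 0   0.0.0.0:5353     0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:631      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 127.0.0.1:631    0.0.0.0:*
tcp   LISTEN 0 128 [::]:111         [::]:*
tcp   LISTEN 0 128 *:80             *:*
"""

def parse_ss(text):
    """Yield (proto, address, port) for each socket line of `ss -Hlntu` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # handles [::]:111 and *:80 too
        if port.isdigit():
            yield proto, addr, int(port)

def unexpected_listeners(text, whitelist=WHITELIST):
    """Return sorted (proto, addr, port) triples reachable from the network on a
    privileged port that are not whitelisted: the regressions item 1) wants caught."""
    bad = set()
    for proto, addr, port in parse_ss(text):
        if port > PRIVILEGED_MAX or addr.startswith(LOOPBACK):
            continue  # unprivileged port, or bound to loopback only
        if (proto, port) not in whitelist:
            bad.add((proto, addr, port))
    return sorted(bad)

def check_live_system():
    """Run ss on the local machine (iproute2) and return its unexpected listeners."""
    out = subprocess.run(["ss", "-Hlntu"], capture_output=True, text=True, check=True).stdout
    return unexpected_listeners(out)

if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected {proto} listener on {addr}:{port}")
```

On the constructed sample the check reports UDP 631 (the port the thread notes printer enumeration opens), rpcbind on TCP 111 and an HTTP listener on TCP 80, while sshd and the loopback-only CUPS socket pass.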