Home
Reading
Searching
Subscribe
Sponsors
Statistics
Posting
Contact
Spam
Lists
Links
About
Hosting
Filtering
Features Download
Marketing
Archives
FAQ
Blog
 
Gmane
From: Bastien Nocera <bnocera <at> redhat.com>
Subject: Re: Desktop and FirewallD
Newsgroups: gmane.linux.redhat.fedora.desktop
Date: Friday 6th June 2014 16:20:49 UTC (over 3 years ago)
----- Original Message -----
> Hi everyone,

> Plans for Fedora 21
> * The Desktop team will look into creating a UI that asks you when you
> connect to a new wireless network if you consider it trusted or not.
Exact
> wording of the question and look of dialog etc. will need to be worked
out.
> This setting will be remembered for that network. If user say trusted the
> zone used will be 'trusted', if not trusted then current default will be
> used. Should be simple enough to not confuse users, yet improve their
> security on public networks.
> * Other connection types will keep the current default which sucks a bit
for
> your home ethernet, but we don't currently have a good way to identify
your
> ethernet connection and popping up a dialog every time you connect is
> probably a worse user experience than having to google a bit.
> 
> Matthias started a prototype of this already here:
> https://bugzilla.gnome.org/show_bug.cgi?id=727580

The plan has changed slightly after discussions with designers (Allan in
particular)
and firewalld hackers (Miloslav Trmac and Thomas Woerner).

There were two main uses to the firewall:
- Security, this is to avoid particular services from ever being seen on
the network
  This also accounts for packaging errors which mean that unwanted services
are
  enabled when the package is installed, and listening on the network when
they shouldn't
  be, as noticed recently: https://fedorahosted.org/fesco/ticket/1310
- Privacy, avoid unwanted data about the user, or their setup from being
broadcast on the
  local network. That means my user name, my real name (!), the version of
my OS, etc.

I reviewed the default network services available on a stock Fedora
Workstation
installation[1], and we came up with the following plan.

1) Work with QE to setup a way to avoid security regressions, as the
rpcbind one,
   mentioned above. This will mean adding tests at the distro level.
Hopefully Tim Flink,
   CC:ed, can help me with creating those tests
2) Create a new firewalld zone for use by Workstation. This would block all
system
   services (port < 1024) except a few whitelisted ones (see Google
spreadsheet below),
   so as to mitigate #1
3) Add Network awareness to GNOME's controls of system-wide sharing. When
disconnecting
   from the network, or connecting to a new unknown network, we would
ensure that all
   sharing (we can control) is disabled. Each of the possible shared items
would be
   controlled independently for each network. This means that your music
would
   automatically be shared when at home, but disabled when at the coffee
shop.
   We'll also have a way for users to disable sharing that was previously
enabled, without
   that network being the current one. Subject to changes, here are some
mockups:
https://raw.githubusercontent.com/gnome-design-team/gnome-mockups/master/system-settings/sharing/sharing-panel.png
https://raw.githubusercontent.com/gnome-design-team/gnome-mockups/master/system-settings/sharing/media-sharing.png
   In the future this could be further controlled through application
sandboxing.

Some things that are currently outside of scope, and will need to be
documented:
- NFS client or server support. NFS 101 tells you to check the firewall
config,
  you'll still need to do that.
- Support for network printers enumeration when mDNS is disallowed on the
network
  (this opens up UDP port 631 on the local machine)

> Long term plans
> * Work with NetworkManager team to see if we can come up with a way to
> identify ethernet connections in a similar manner

This would still be useful:
https://bugzilla.gnome.org/show_bug.cgi?id=723084

Cheers

[1]: https://docs.google.com/spreadsheets/d/103SAK-7ch5wpGiCP3KF9CYlIhLQFTy9SSvBvBziWBZc/edit?usp=sharing
-- 
desktop mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/desktop
 
CD: 3ms