From Fedora Project Wiki

Latest revision as of 12:19, 6 August 2012

Comments

  • please provide Release Notes section for this Feature (it does not have to be the final one but it would be good to have at least some draft there)
    • Good point. Done. Stefw 13:40, 16 July 2012 (UTC)
  • is there some kind of cooperation between you and the Firewalld guys?
    • I've forwarded this to Tomas Woerner, but haven't heard back. Once we do have a dynamic firewall by default (so that when services start the firewall is opened, according to policy) then we can migrate the avahi service to use the dynamic firewall. Stefw 13:40, 16 July 2012 (UTC)
    • Discussed a lot with Thomas and Mitr, and came up with the solution below. Stefw (talk) 12:19, 6 August 2012 (UTC)
  • do you think it makes sense to extend this feature to also cover the rest of the Fedora desktops?
    • Yes, it makes sense for the other spins if they use Avahi from the desktop and need it working out of the box. Stefw 13:40, 16 July 2012 (UTC)
  • What exactly are you intending to change and how? If this is mainly about the default firewall settings, shouldn't the firewall just trust Avahi by default, rather than implementing this per spin? --Kkofler 16:07, 17 July 2012 (UTC)
    • Discussed that with Thomas Woerner: avahi startup would open the firewall (as long as policy allows it) when starting avahi, and then close it when stopping the avahi service.
      • Please just set the port as open, let's not start the "application opens port for itself" game. It adds almost no security, and only makes the system more complex. --Mitr 17:50, 23 July 2012 (UTC)
        • Alright. After discussion (and seeing the future proposed SELinux systemd integration feature), this makes sense.
    • So to summarize, we are having mdns open in all but the most restrictive firewalld zones. This fits in with Mitr's concerns and is similar in principle to other ports open in firewalld. Discussed and agreed with Thomas (author of firewalld). [https://fedorahosted.org/firewalld/ticket/1] Stefw (talk) 12:19, 6 August 2012 (UTC)
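An added example (not part of the wiki discussion or of firewalld itself) that audits a set of firewalld zone definitions against the decision above, mdns allowed in every zone except the most restrictive ones. It reads the real zone XML format (one file per zone, each allowed service as a `<service name="..."/>` element); the sample zone files, the `RESTRICTIVE_ZONES` set and the function names are assumptions made for this example.

```python
"""Audit firewalld zone definitions for the agreed mDNS policy.

firewalld keeps one XML file per zone (/usr/lib/firewalld/zones/*.xml,
overridden by /etc/firewalld/zones/*.xml). Each allowed service appears as
<service name="..."/>. The zones below are constructed for this example and
are shaped like the real files, not copied from any distribution.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: these are the "most restrictive" zones where mdns should stay closed.
RESTRICTIVE_ZONES = {"block", "drop"}

# Constructed sample zone files: zone name -> zone XML.
SAMPLE_ZONES = {
    "public": '<zone><short>Public</short><service name="ssh"/><service name="mdns"/></zone>',
    "home": '<zone><short>Home</short><service name="ssh"/><service name="mdns"/></zone>',
    "work": '<zone><short>Work</short><service name="ssh"/></zone>',  # mdns missing
    "block": '<zone target="%%REJECT%%"><short>Block</short></zone>',
    "drop": '<zone target="DROP"><short>Drop</short><service name="mdns"/></zone>',  # should be closed
}


def zone_services(xml_text: str) -> set:
    """Return the set of service names a zone definition allows."""
    root = ET.fromstring(xml_text)
    return {el.get("name", "") for el in root.findall("service")}


def load_zone_dir(path: str) -> dict:
    """Read zone definitions from a firewalld zones directory (zone name = file stem)."""
    return {p.stem: p.read_text() for p in Path(path).glob("*.xml")}


def audit_mdns(zones: dict, restrictive=RESTRICTIVE_ZONES) -> dict:
    """Report zones deviating from the policy: mdns open everywhere except the
    restrictive zones. Returns deviations keyed by kind, in zone order."""
    findings = {"missing_mdns": [], "unexpected_mdns": []}
    for name, xml_text in zones.items():
        has_mdns = "mdns" in zone_services(xml_text)
        if name in restrictive and has_mdns:
            findings["unexpected_mdns"].append(name)
        elif name not in restrictive and not has_mdns:
            findings["missing_mdns"].append(name)
    return findings


if __name__ == "__main__":
    for kind, names in audit_mdns(SAMPLE_ZONES).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

On a live system, `audit_mdns(load_zone_dir("/etc/firewalld/zones"))` checks the locally overridden zones; `firewall-cmd --zone=<zone> --list-services` shows what the running daemon actually applies.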