From Fedora Project Wiki

Revision as of 04:08, 4 April 2014 by Mclasen

Workstation: Disable firewall

Summary

The firewalld service will not be enabled by default in the workstation product.

Owner

  • Name: Matthias Clasen
  • Email: mclasen@redhat.com
  • Release notes owner:
  • Product: Workstation
  • Responsible WG: Workstation

Current status

  • Targeted release: Fedora 21
  • Last updated: 2014-04-03
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

The current level of integration into the desktop and applications does not justify enabling the firewalld service by default. Additionally, the set of zones that it offers is excessive and not user-friendly. Therefore, we will disable the firewall service while we are working on a more user-friendly way to deal with network-related privacy issues.

It will of course still be possible to enable the firewall manually.

Benefit to Fedora

The Workstation will boot faster, and the firewall will not interfere with sharing protocols such as DAAP, UPnP and others.

Scope

  • Proposal owners:
  • Other developers: Add a Workstation-specific service configuration (preset ?) to the firewalld package that disables firewalld for the Workstation product
  • Release engineering: No action required
  • Policies and guidelines: No action required

Upgrade/compatibility impact

Existing systems will keep their service configuration, including the enabled-by-default firewall.

How To Test

  1. Install the Workstation.
  2. Log in.
  3. Run systemctl status firewalld.service.
  4. Expected result: the service is not active.
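
The check above can be scripted so that it also reports whether the unit is enabled at boot, which systemctl status alone does not make obvious when the service is merely stopped. This is an added example, not part of the original Change page; the function name firewalld_default_check and the verdict strings are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the Change page: compare firewalld's state
# with what the Change expects on a fresh Workstation install.

firewalld_default_check() {
    unit=firewalld.service
    # Both queries print a state word and exit non-zero for "disabled" or
    # "inactive", so keep the text and ignore the exit status.
    enabled=$(systemctl is-enabled "$unit" 2>/dev/null) || true
    active=$(systemctl is-active "$unit" 2>/dev/null) || true

    case "$enabled" in
        ""|not-found)            verdict=not-installed;   rc=2 ;;
        enabled|enabled-runtime) verdict=enabled-at-boot; rc=1 ;;
        *)
            case "$active" in
                active|activating|reloading) verdict=running-now;    rc=1 ;;
                *)                           verdict=matches-change; rc=0 ;;
            esac ;;
    esac

    printf 'enabled=%s active=%s verdict=%s\n' "$enabled" "$active" "$verdict"
    return "$rc"
}

# Run the check when systemctl is available; the exit status is the verdict.
if command -v systemctl >/dev/null 2>&1; then
    firewalld_default_check || echo "firewalld does not match the Change (rc=$?)"
fi
```

A return code of 0 means the unit is neither enabled nor running, 1 means it is enabled at boot or currently running, and 2 means the unit file was not found.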

User Experience

Applications that are using sharing protocols such as DAAP or UPnP will work out of the box, without the need to tweak or disable the firewall service.

Dependencies

No dependencies.

Contingency Plan

  • Contingency mechanism: If the firewalld service cannot be disabled, install a simplified set of firewall zones, ideally just 'Home', 'Public' and 'Unknown', and ensure that networks are placed into the 'Home' zone by default.
  • Contingency deadline: F21 beta
  • Blocks release? No
  • Blocks product? Workstation

Documentation

This upstream bug discusses improved network privacy handling.

Release Notes

The firewalld service is not enabled by default for the Workstation product. To enable it, run systemctl enable firewalld.service.