Vincent Untz wrote:
And while I haven't thought about firewall security in a while, the first example I come up with when talking about trusted zones is connecting to WiFi at a university. Is this trusted or not? It might need to be trusted to allow printing documents and most people would trust it, and yet there are hundreds of individuals on this network, including some who might abuse your trust.
What are you trying to protect against by running a firewall anyways? We always had the policy not to run "unneeded" services by default. So cups and avahi are the only ones left. Both will hopefully be (local) socket activated in the future so they are only started if a local process actually requires their service, i.e. no ports open to the world by default at all anymore then.
My question is really: do we plan to integrate firewalld, or something similar, that would improve user-friendliness? This "something similar" could be based on zones -- even if I don't believe it's a better approach, at least, for users, it's an improvement compared to what we have today. I'd just like us to have a solution in the near future (12.1 if we can have fast action, 12.2 otherwise).
I don't know who 'we' refers to. I for one don't have plans to reimplement SuSEfirewall2 as DBus service. I also don't think that a dumbed down packet filter for the desktop gains us anything except for update problems (btdt). What I've read about firewalld so far isn't rocket science though and some features could be implemented on top of SuSEfirewall2 if really needed. The firewalld author also seems to think in the direction of a zone model similar to SuSEfirewall2; the hooks he needs in NM would serve SuSEfirewall2 (or rather fwzs on top of it) too.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)