Firewalld 1.0 Released With Big Improvements


  • #31
    Originally posted by tomas View Post
    sdackWhat you are saying is essentially that an ordinary computer user can never have security because they are not willing to dig into frankly obscure low level details regarding the network traffic on their computer.
    Yes. And tools that give users the impression of security without the need to understand it, tend to lead to less security and not more.

    But to be clear. I am not advocating against firewalld. I am against the notion nftables was bad or useless and firewalld was superior. Anyone who believes this is trading abstraction for security and bound to get it wrong.

    Comment


    • #32
      Originally posted by jacob View Post
      Having a distro that installs firewalld securely is obviously the assumption here. In fact that's the whole reason why computers exist at all: to automate things so that people don't have to bother with them. You can certainly use firewalld without caring about nftables: you say "when at home I want to use bittorrent and share files using SMB, when at work that must be blocked". It takes about 3-4 clicks to do that and works reliably. Then you can care about productive things (used loosely, whether it's developing software, playing games, browsing the web or creating) rather than wasting time with the menial chores of admining your OS.
      Fine, but you have just made me laugh.

      Can you really use torrents and SMB on your laptop when you are at work? Does your company's network administration not block these? It seems odd to require users to block these protocols themselves.

      Comment


      • #33
        Originally posted by sdack View Post
        Fine, but you have just made me laugh.

        Can you really use torrents and SMB on your laptop when you are at work? Does your company's network administration not block these? It seems odd to require users to block these protocols themselves.
        Depends on the company of course. What I'm saying is that on a user friendly OS people should be able to say what they want, including wrt network traffic, in a human friendly high level way, without having to dive into the low level technicalities that are not relevant to most of the common use cases. Just like they drag and drop an icon to copy a file without having to care about disk blocks, IO controllers and DMA channels.

        Comment


        • #34
          Originally posted by jacob View Post
          Depends on the company of course. What I'm saying is that on a user friendly OS people should be able to say what they want, including wrt network traffic, in a human friendly high level way, without having to dive into the low level technicalities that are not relevant to most of the common use cases. Just like they drag and drop an icon to copy a file without having to care about disk blocks, IO controllers and DMA channels.
          Of course, I think we both can agree on this.

          But do know that you can use nftables to fully automate your setup so that you no longer need to switch manually. You can filter traffic based on the MAC addresses of the access points and only when you are at home allow for all sorts of traffic to pass, and be more restrictive everywhere else. You should be able to do this with firewalld, too.

          Comment
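The per-network automation that the two posts above argue about (allow SMB and bittorrent on the home network, lock everything down elsewhere) can be done on the firewalld side with a NetworkManager dispatcher script. The script below is an added example and is not code from the thread, from firewalld or from NetworkManager. It assumes the dispatcher contract (NetworkManager runs scripts in /etc/NetworkManager/dispatcher.d/ with the interface as $1 and the event as $2), that `iw` is installed to read the current SSID and BSSID, and that `firewall-cmd --change-interface` is available; the network names, BSSIDs and the install path are constructed placeholders. It binds a zone only when both the SSID and the access point's BSSID match a known entry, and falls back to firewalld's `drop` zone for anything it does not recognise, so an unknown network fails closed instead of landing in a permissive zone.

```shell
#!/bin/sh
# Added example (not from the Phoronix thread, firewalld or NetworkManager).
# Assumed install path: /etc/NetworkManager/dispatcher.d/50-firewalld-zone
# NetworkManager passes the interface as $1 and the event ("up", "down", ...) as $2.

# Constructed allow-list, one "ssid|bssid|zone" entry per line. An SSID on its own
# is easy to fake, so the BSSID has to match as well; replacing the access point
# therefore requires a deliberate edit of this list rather than silently re-trusting.
KNOWN_NETWORKS="HomeNet|aa:bb:cc:dd:ee:01|home
OfficeNet|aa:bb:cc:dd:ee:02|work"

# choose_zone SSID BSSID -> prints the firewalld zone for that pair.
# Unknown pairs get the built-in "drop" zone (fail closed).
choose_zone() {
    _ssid=$1
    _bssid=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise hex case
    _match=$(printf '%s\n' "$KNOWN_NETWORKS" |
        while IFS='|' read -r k_ssid k_bssid k_zone; do
            if [ "$k_ssid" = "$_ssid" ] && [ "$k_bssid" = "$_bssid" ]; then
                printf '%s' "$k_zone"
                break
            fi
        done)
    if [ -n "$_match" ]; then
        printf '%s\n' "$_match"
    else
        printf 'drop\n'
    fi
}

# current_ap IFACE -> prints "ssid|bssid" of the AP the interface is associated with.
# Assumes iw's "link" output ("Connected to <bssid> (on <iface>)" / "SSID: <name>").
current_ap() {
    _out=$(iw dev "$1" link 2>/dev/null) || return 1
    _bssid=$(printf '%s\n' "$_out" | awk '/^Connected to/ { print $3; exit }')
    _ssid=$(printf '%s\n' "$_out" | sed -n 's/^[[:space:]]*SSID: //p' | head -n 1)
    [ -n "$_bssid" ] && [ -n "$_ssid" ] || return 1
    printf '%s|%s\n' "$_ssid" "$_bssid"
}

# Dispatcher entry point: react only when an interface comes up. The zone change is
# applied to the runtime configuration (no --permanent), so a reboot starts clean.
if [ "${2:-}" = "up" ] && [ -n "${1:-}" ]; then
    if ap=$(current_ap "$1"); then
        zone=$(choose_zone "${ap%%|*}" "${ap#*|}")
        firewall-cmd --zone="$zone" --change-interface="$1" >/dev/null
        logger -t firewalld-zone "$1: $ap -> zone $zone"
    fi
fi
```

The `home` and `work` zones would carry the actual service rules (for example `firewall-cmd --permanent --zone=home --add-service=samba`), which is the "3-4 clicks" part; the script only decides which zone an interface lands in. Because the decision keys on SSID plus BSSID, a network that merely advertises a familiar name ends up in `drop`, which addresses the objection raised later in the thread that the SSID is the easiest identifier to fake.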


          • #35
            Originally posted by sdack View Post
            It is not that I would not see your point. You want to say that firewalld allows you to open ports whereas nftables would not. And you want to open ports not based on the actual traffic between hosts, but in a more vague and loose way, possibly in order to avoid having to bother with the details. Only the details are essential when you want to have security. nftables can certainly distinguish between access points, but the problem still remains: which hosts behind the access points can you actually trust and why? You can have nftables filter traffic based on the MAC addresses of the access points for example, but these can be faked just as the SSID of an access point can be faked. So just saying firewalld would allow you to do something that nftables would not, and that this would also make it more secure and not simply less, is not an answer.
            Incorrect. You're splitting hairs.

            When I'm using the home access point, I trust all hosts. It's not a technical question, I as a human simply trust all hosts that are connected to my home access point.
            When I'm using any other access point, I do not trust any hosts. It's as simple as that.

            Comment


            • #36
              Originally posted by sdack View Post
              Of course, I think we both can agree on this.

              But do know that you can use nftables to fully automate your setup so that you no longer need to switch manually. You can filter traffic based on the MAC addresses of the access points and only when you are at home allow for all sorts of traffic to pass, and be more restrictive everywhere else. You should be able to do this with firewalld, too.
              Well there you go. Much better argument. However — however — using MAC addresses of the access points is simply more tedious than using ESSIDs. Additionally, it's a wrong level of abstraction. Do I care if the actual access point hardware got replaced in my absence? Certainly not. If it's the same ESSID and the same PSK, then it's the same network as far as I'm concerned.

              Information about the ESSID is not available on the nftables layer, whereas it is available on the firewalld layer.

              Comment


              • #37
                Originally posted by intelfx View Post
                Incorrect. You're splitting hairs.
                No, not at all. Where you are wrong is to believe that trust was a replacement for security.

                You have probably never seen how one can hack into an access point. Home access points are notorious weak spots.

                Comment


                • #38
                  Originally posted by intelfx View Post
                  Do I care if the actual access point hardware got replaced in my absence? Certainly not. If it's the same ESSID and the same PSK, then it's the same network as far as I'm concerned.
                  You are a bit of an idiot. My reply was to jacob and his particular problem and not meant as a solution to your problem. SSID and password do get replaced now and then, and in particular passwords change frequently. So for jacob to reach full automation where he no longer needs to do any manual switching, he can use MAC address filtering.

                  If your problem now is that your company switches their access points more often than their passwords then you certainly have a good reason not to trust their network. But if you trust your home network, not that I think it is much wiser, then you can still filter with the MAC address of your home access point, unless it too changes more often than the SSID and password.

                  Unless you are using a hidden SSID with a passive access point, you are literally advertising your SSID to everyone in your area. One can find out the MAC addresses of APs, too, but this already requires a bit of knowledge. To use the SSID to build firewall rules really should make you cringe as it is the easiest ID one can fake.

                  And while MAC addresses can be faked, too, and regularly also get randomised, MAC addresses are still a great way of associating owners with their devices. At the latest when people start sharing SSIDs and passwords to your WiFi networks, you need to enforce fixed MAC addresses, associate owners with their devices, and only allow devices with known MAC addresses onto your networks. If you then encounter a problem, like someone having a virus on their mobile phone, you can quickly identify the source, block it and let the person know they have a problem.
                  Last edited by sdack; 23 July 2021, 12:02 PM.

                  Comment


                  • #39
                    Originally posted by sdack View Post
                    No, not at all. Where you are wrong is to believe that trust was a replacement for security.

                    You have probably never seen how one can hack into an access point. Home access points are notorious weak spots.
                    It never was, and I never said that. There is no absolute security and every security system is based on trust at some level. A well-designed system will accommodate various levels of trust and thus various levels of security. As a home network user who needs a basic firewall on my PC, I don't care about someone hacking my access point, it's beyond my threat model.

                    You are splitting hairs, again.
                    Last edited by intelfx; 23 July 2021, 12:47 PM.

                    Comment


                    • #40
                      Originally posted by sdack View Post
                      You are a bit of an idiot. <...>
                      I stopped reading right here. Talking to you isn't worth my time anymore. Go insult someone else.

                      Comment
