Bug 425656

Summary: Prompt the user to classify every new network connected to as "trusted/home/work" or "public/insecure" when using a zone-based firewall
Product: [Plasma] plasmashell Reporter: Nate Graham <nate>
Component: Networking in generalAssignee: Jan Grulich <jgrulich>
Status: CONFIRMED ---    
Severity: wishlist CC: iucar, ngompa13, postix
Priority: NOR    
Version First Reported In: master   
Target Milestone: 1.0   
Platform: Other   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Nate Graham 2020-08-21 22:51:22 UTC 
Right now, you need to manually associate every network you connect to with a firewall zone or else various things in various distros don't work because of firewalls. This requires that you are aware that this stuff exists, know how to do it, and know which zone to assign your network to.

1. By default, classify every new network the user connects to as in the "public" firewall zone

2. When the user connects to a new network, ask them in a sticky notification whether the network they've just connected to is considered trusted or not. If they confirm this, mark the network as in the appropriate firewallgroup. Maybe internal? or home? trusted? Or all three? Can we do that?
Comment 1 2wxsy58236r3 2020-08-22 08:09:48 UTC 
Not all users are using `firewalld` (e.g. some use `ufw`), which means tagging firewall zones for a connection has no effect for them.
Therefore, if this feature is implemented, I hope there is a config to disable the sticky notification (and leave the `connection.zone` parameter unset).
Comment 2 Nate Graham 2020-08-22 16:06:08 UTC 
Perhaps the system could detect which one is in use (if any) and act appropriately. The plasma-nm KCM already has a GUI for choosing zones so I was assuming this was a universal thing, as I don't know much about Linux firewall options. Does ufw not have a concept of zones? Is there any equivalent?
Comment 3 2wxsy58236r3 2020-08-23 01:08:35 UTC 
To the best of my knowledge:
* ufw does not have a concept of zones.
* Ubuntu's default firewall configuration tool is ufw, although you need to manually turn it on. [1]
* For distributions like Arch Linux, there is no default firewall configuration tool. You can configure the rules directly with iptables, or install a front-end that you like (e.g. shorewall).
* From [2] and [3], if firewalld is not available, the input field (drop-down list) will be disabled.

[1] https://help.ubuntu.com/community/UFW
[2] https://gitlab.gnome.org/GNOME/network-manager-applet/-/blob/master/src/connection-editor/page-general.c
[3] https://askubuntu.com/questions/406073/how-do-i-enable-firewall-zones-for-networkmanager
Comment 4 Nate Graham 2020-08-23 02:42:18 UTC 
Thanks, that makes sense. So I guess my idea here should only apply when using a system with a zone-based firewall.
Comment 5 Neal Gompa 2024-10-04 13:25:46 UTC 
*** Bug 411359 has been marked as a duplicate of this bug. ***
Comment 6 Neal Gompa 2024-10-04 13:27:08 UTC 
This is absolutely a problem, and it came up again in light of the recent CUPS vulnerability. If we had this functionality in place, distributions that have cups-browsed active by default (like Ubuntu distributions) would have an out-of-box mitigation in place for less secure locations. Once this functionality exists, we could start recommending that KDE distributors preload a zone-based firewall (e.g. FirewallD) and have this all set up.

But we also need bug 434954 resolved too for this to be truly useful.
Comment 7 Ben Cooksley 2024-12-23 18:23:47 UTC 
Bulk transfer as requested in T17796