Bug 425656 - Prompt the user to classify every new network connected to as "trusted/home/work" or "public/insecure" when using a zone-based firewall
Status: CONFIRMED
Alias: None
Product: plasmashell
Classification: Plasma
Component: Networking in general
Version: master
Platform: Other Linux
Importance: NOR wishlist
Target Milestone: 1.0
Assignee: Jan Grulich
Duplicates: 411359
Reported: 2020-08-21 22:51 UTC by Nate Graham
Modified: 2024-12-23 18:23 UTC
Description Nate Graham 2020-08-21 22:51:22 UTC
Right now, you need to manually associate every network you connect to with a firewall zone or else various things in various distros don't work because of firewalls. This requires that you are aware that this stuff exists, know how to do it, and know which zone to assign your network to.

1. By default, classify every new network the user connects to as in the "public" firewall zone

2. When the user connects to a new network, ask them in a sticky notification whether the network they've just connected to is considered trusted or not. If they confirm this, mark the network as in the appropriate firewall group. Maybe internal? or home? trusted? Or all three? Can we do that?
Comment 1 2wxsy58236r3 2020-08-22 08:09:48 UTC
Not all users are using `firewalld` (e.g. some use `ufw`), which means tagging firewall zones for a connection has no effect for them.
Therefore, if this feature is implemented, I hope there is a config to disable the sticky notification (and leave the `connection.zone` parameter unset).
Comment 2 Nate Graham 2020-08-22 16:06:08 UTC
Perhaps the system could detect which one is in use (if any) and act appropriately. The plasma-nm KCM already has a GUI for choosing zones so I was assuming this was a universal thing, as I don't know much about Linux firewall options. Does ufw not have a concept of zones? Is there any equivalent?
Comment 3 2wxsy58236r3 2020-08-23 01:08:35 UTC
To the best of my knowledge:
* ufw does not have a concept of zones.
* Ubuntu's default firewall configuration tool is ufw, although you need to manually turn it on. [1]
* For distributions like Arch Linux, there is no default firewall configuration tool. You can configure the rules directly with iptables, or install a front-end that you like (e.g. shorewall).
* From [2] and [3], if firewalld is not available, the input field (drop-down list) will be disabled.

[1] https://help.ubuntu.com/community/UFW
[2] https://gitlab.gnome.org/GNOME/network-manager-applet/-/blob/master/src/connection-editor/page-general.c
[3] https://askubuntu.com/questions/406073/how-do-i-enable-firewall-zones-for-networkmanager
Comment 4 Nate Graham 2020-08-23 02:42:18 UTC
Thanks, that makes sense. So I guess my idea here should only apply when using a system with a zone-based firewall.
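
The manual step the description refers to, and the default-to-public policy it proposes, sketched as shell functions around `nmcli` and `firewall-cmd`. This is an added example, not part of the bug thread or of Plasma's code; the function names, the overridable command variables, and the choice of firewalld's stock `home` zone for a trusted network are assumptions.

```shell
#!/bin/sh
# Command names are overridable so the logic can be exercised without a
# live firewall (an assumption of this example, not a NetworkManager feature).
NMCLI=${NMCLI:-nmcli}
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}
UFW=${UFW:-ufw}

# Print the active firewall front-end: firewalld, ufw, or none.
# "ufw status" needs root; without it ufw is reported as none.
detect_firewall() {
    if command -v "$FIREWALL_CMD" >/dev/null 2>&1 &&
       "$FIREWALL_CMD" --state >/dev/null 2>&1; then
        echo firewalld
    elif command -v "$UFW" >/dev/null 2>&1 &&
         "$UFW" status 2>/dev/null | grep -q '^Status: active'; then
        echo ufw
    else
        echo none
    fi
}

# Only an explicit "trusted" answer leaves the public zone.
# Mapping "trusted" to firewalld's stock "home" zone is an assumption.
zone_for_answer() {
    case "$1" in
        trusted) echo home ;;
        *)       echo public ;;
    esac
}

# $1 = connection profile name, $2 = trusted|untrusted (default untrusted).
# Without firewalld, connection.zone is left unset, as comment 1 asks.
classify_connection() {
    profile=$1
    answer=${2:-untrusted}
    backend=$(detect_firewall)
    if [ "$backend" != firewalld ]; then
        echo "skip: no zone-based firewall ($backend), connection.zone left unset"
        return 0
    fi
    zone=$(zone_for_answer "$answer")
    current=$("$NMCLI" -g connection.zone connection show "$profile") || return 1
    if [ "$current" = "$zone" ]; then
        echo "unchanged: $profile already in $zone"
    else
        "$NMCLI" connection modify "$profile" connection.zone "$zone" || return 1
        echo "set: $profile -> $zone"
    fi
}
```

Source the file and call `classify_connection "<profile name>"` for a newly seen network, then `classify_connection "<profile name>" trusted` only after the user confirms the network is trusted.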
Comment 5 Neal Gompa 2024-10-04 13:25:46 UTC
*** Bug 411359 has been marked as a duplicate of this bug. ***
Comment 6 Neal Gompa 2024-10-04 13:27:08 UTC
This is absolutely a problem, and it came up again in light of the recent CUPS vulnerability. If we had this functionality in place, distributions that have cups-browsed active by default (like Ubuntu distributions) would have an out-of-box mitigation in place for less secure locations. Once this functionality exists, we could start recommending that KDE distributors preload a zone-based firewall (e.g. FirewallD) and have this all set up.

But we also need bug 434954 resolved too for this to be truly useful.
Comment 7 Ben Cooksley 2024-12-23 18:23:47 UTC
Bulk transfer as requested in T17796