Revision as of 13:58, 8 August 2011

Network Zones

Summary

The purpose of this feature request is to be able to classify network connections according to their trust level. A public WIFI network connection for example should be untrusted, a wired home network connection should be fairly trusted.

Please also have a look at these additional features:

https://fedoraproject.org/wiki/Features/network-zones
https://fedoraproject.org/wiki/Features/firewalld-rewrite (postponed for Fedora-17)

Owner

Name: Thomas Woerner
email: twoerner@redhat.com

Current status

Targeted release: Fedora 16
Last updated: 2011-06-27
Percentage of completion: 0%

Detailed Description

A network zone describes the trust level of a network connection. Important here is that there is a big difference between a network connection and a network interface. A network interface can be used for many different connections, but a connection is most likely bound to a special network interface.

Currently network connections are unclassified. The user or administrator can not set the trust level of a connection. Additionally the netfilter based firewall in Linux does not know anything about connections - it can only handle network interfaces.

The current firewall solution in Fedora is static and can not enable firewall features for special connections. Either all interfaces are handled in the same way or the user or administrator has to write a complex firewall setup on his own.

The initial network zones:

trusted	Fully trusted connections. All incoming traffic is allowed.
home	Partly trusted connections. User/administrator defines the the open services.
work
public	Mostly untrusted connections. User/administrator defines the the open services.
block	Fully untrusted connections. No incoming traffic is allowed.

Benefit to Fedora

The classification of network connections will make it possible to have different firewall configurations for different connections. For example a public WIFI connection should be fairly untrusted and there should at best be no accessible service. The home connection on the other hand should be fairly or fully trusted.

If services are running on a machine, these are only visible for connections that are trusted or that are part of zones, that allow the external access. Having several connections at a time with different trust zones is also possible.

Scope

Changes to NetworkManager and the D-BUS interface are needed for this. Altogether with extensions of the NM UIs.

How To Test

Install NetworkManager packages with the feature enabled.
Set and reset zones for connections.
D-BUS messages are generated with information of the connection, interface and zone.

User Experience

The user can set the trust level of connections ans also the default zone for new connections.

Dependencies

firewalld (changes in the works)

Contingency Plan

Rebuild of NetworkManager or disabling the feature in the configuration should be enough.

Documentation

See https://fedoraproject.org/wiki/FirewallD/

The fedorahosted site is here: https://fedorahosted.org/firewalld/

Release Notes

Fedora 16 adds support for the network zones model that provides a way to classify network connections according to their trust level.