From Fedora Project Wiki
Latest revision as of 19:54, 19 March 2012

Network Zones

Summary

The purpose of this feature request is to be able to classify network connections according to their trust level. A public Wi-Fi network connection, for example, should be untrusted, whereas a wired home network connection should be fairly trusted.

Please also have a look at this additional feature:

  • Features/firewalld-default

Owner

Current status

  • Targeted release: Fedora 17
  • Last updated: 2012-03-19
  • Percentage of completion: 100%

Detailed Description

A network zone describes the trust level of a network connection. An important distinction here is the one between a network connection and a network interface: a network interface can be used for many different connections over time, but a connection is usually bound to one specific network interface.

Currently network connections are unclassified. The user or administrator cannot set the trust level of a connection. Additionally, the netfilter-based firewall in Linux does not know anything about connections; it can only handle network interfaces.

The current firewall solution in Fedora is static and cannot enable firewall features for particular connections. Either all interfaces are handled in the same way, or the user or administrator has to write a complex firewall setup by hand.

The initial network zones, from most to least trusted:

  trusted               Fully trusted connections. All incoming traffic is allowed.
  home, work, internal  Partly trusted connections. User/administrator defines the open services.
  dmz                   Mostly untrusted connections, the demilitarized zone.
  public, external      Mostly untrusted connections. User/administrator defines the open services.
  block                 Fully untrusted connections. No incoming traffic is allowed.
  drop                  Fully untrusted connections. All packets are dropped immediately.

Benefit to Fedora

The classification of network connections will make it possible to have different firewall configurations for different connections. For example, a public Wi-Fi connection should be fairly untrusted, and ideally no service should be reachable over it. The home connection, on the other hand, should be fairly or fully trusted.

If services are running on a machine, they are only reachable over connections that are trusted or that belong to a zone in which the administrator has opened the service. Having several connections active at the same time, each in a different trust zone, is also possible.
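As an added example, not code from this feature page, from NetworkManager or from firewalld, the following Python model spells out the zone semantics of the table above and the several-connections-at-once case from this section: a connection carries a zone (or none, meaning the default zone), an interface inherits the zone of the connection that is active on it, and the zone decides the fate of incoming traffic. The nine zone names and their four behaviours come from the table; the service-to-port table, the per-zone service sets, the interface and connection names and the `ZoneFirewall` class itself are constructed for the example. In the real implementation the zone travels from NetworkManager to firewalld over D-Bus, as the "How To Test" section describes.

```python
"""Added example: a model of firewalld-style network zones (not project code)."""
from dataclasses import dataclass, field

# Constructed service table: service name -> (port, protocol).
SERVICES = {"ssh": (22, "tcp"), "http": (80, "tcp"), "mdns": (5353, "udp")}


@dataclass
class Zone:
    name: str
    # Fate of incoming traffic that no opened service matches:
    #   ACCEPT  - everything in (trusted)
    #   default - only the opened services; the rest is refused
    #   REJECT  - refuse with an error reply (block)
    #   DROP    - discard silently, the host looks absent (drop)
    target: str
    services: set = field(default_factory=set)


class ZoneFirewall:
    def __init__(self, zones, default_zone):
        self.zones = {z.name: z for z in zones}
        if default_zone not in self.zones:
            raise ValueError(f"unknown default zone {default_zone!r}")
        self.default_zone = default_zone
        self.connection_zone = {}  # connection name -> zone name
        self.active = {}           # interface -> connection name

    # What the user/administrator sets.
    def set_connection_zone(self, conn, zone):
        if zone not in self.zones:
            raise ValueError(f"unknown zone {zone!r}")
        self.connection_zone[conn] = zone

    def reset_connection_zone(self, conn):
        """Connection falls back to the default zone."""
        self.connection_zone.pop(conn, None)

    def add_service(self, zone, service):
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        self.zones[zone].services.add(service)

    # What happens when a connection comes up or goes down on an interface.
    def activate(self, conn, iface):
        self.active[iface] = conn

    def deactivate(self, iface):
        self.active.pop(iface, None)

    def zone_of_interface(self, iface):
        conn = self.active.get(iface)
        # No active connection, or a connection without a zone: default zone.
        return self.connection_zone.get(conn, self.default_zone)

    # What the packet filter does with an incoming packet on iface.
    def verdict(self, iface, port, proto):
        zone = self.zones[self.zone_of_interface(iface)]
        if zone.target in ("ACCEPT", "REJECT", "DROP"):
            return zone.target
        for svc in zone.services:
            if SERVICES[svc] == (port, proto):
                return "ACCEPT"
        return "REJECT"  # "default" target: service not opened, refused


def initial_zones():
    """The nine zones from the table; the service sets are constructed."""
    return [
        Zone("trusted", "ACCEPT"),
        Zone("home", "default", {"ssh", "mdns"}),
        Zone("work", "default", {"ssh"}),
        Zone("internal", "default", {"ssh", "mdns"}),
        Zone("dmz", "default", {"ssh"}),
        Zone("public", "default", {"ssh"}),
        Zone("external", "default", {"ssh"}),
        Zone("block", "REJECT"),
        Zone("drop", "DROP"),
    ]


def laptop_scenario():
    """Constructed: a laptop with a wired home LAN and two Wi-Fi links up at once."""
    fw = ZoneFirewall(initial_zones(), default_zone="public")
    fw.set_connection_zone("Home wired", "home")
    fw.set_connection_zone("Cafe WiFi", "public")
    fw.add_service("home", "http")      # test web server, home LAN only
    fw.activate("Home wired", "eth0")
    fw.activate("Cafe WiFi", "wlan0")
    fw.activate("Hotel WiFi", "wlan1")  # no zone set, default zone applies
    return {
        "http from home LAN": fw.verdict("eth0", 80, "tcp"),
        "http from cafe": fw.verdict("wlan0", 80, "tcp"),
        "ssh from cafe": fw.verdict("wlan0", 22, "tcp"),
        "http from hotel (default zone)": fw.verdict("wlan1", 80, "tcp"),
        "mdns from home LAN": fw.verdict("eth0", 5353, "udp"),
    }
```

Two points the model makes visible that the table does not: a connection with no zone set is not "unfiltered" but lands in the default zone, so the choice of default zone is the setting that protects a newly joined network; and block and drop differ only in whether the remote side gets an error reply, which matters when you want a host on a hostile network to be indistinguishable from an absent one.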

Scope

Changes to NetworkManager and its D-Bus interface are needed for this, together with extensions of the NetworkManager user interfaces.

How To Test

  • Install the NetworkManager packages with the feature enabled.
  • Set and reset the zone of connections.
  • Check that D-Bus messages are generated carrying the connection, the interface and the zone.

User Experience

The user can set the trust level of connections and also the default zone used for new connections.

Dependencies

  • firewalld (changes in the works)

Contingency Plan

Rebuilding NetworkManager without the feature, or disabling it in the configuration, should be enough.

Documentation

See FirewallD

The fedorahosted site is here: https://fedorahosted.org/firewalld/

Release Notes

Fedora 17 adds support for the network zones model that provides a way to classify network connections according to their trust level.
