[RFE] Ask for network trustworthiness upon first connection
Currently, there's no good firewall configuration UI in the Linux ecosystem for non-power users, because the concepts involved are hard for them. That's why many desktop-oriented distros (e.g., Ubuntu, Fedora Workstation) decided to switch the firewall off by default to offer a better UX (i.e., file sharing and this kind of network service just work by default). Still, many consider this a security issue, because nowadays laptops connect to many public WiFi networks, not only at home, and no one wants to have open services in an airport or a café. This proposal is a trade-off between good UX and security by default.
The usual user flow goes like this: the user clicks on the network agent, the drop-down menu shows the available networks, the user clicks "connect" on a new network and is possibly prompted for a password. At that point, it would be great if (just once for each new connection) the network agent could:

1. ask the user whether it's a private network (and thus the user may want to share resources) or a public network (and thus the user may prefer to stay safe), then
   a) if the user says "private", configure the connection in the "trusted" zone (could be configurable);
   b) if the user says "public" or just ignores the question and closes the menu, configure the connection in the "public" zone (or the default zone, could be configurable);
2. maybe show the info about the current zone in the connection details.
Note that 1) is something that Windows 10 already does very well (see the first screen capture at the beginning of this article):

> Do you want to allow your PC to be discoverable by other devices on this network?
> We recommend allowing this on your home and work networks, but not public ones.
> Yes / No
Note also that this private/public hint given by the user can be easily mapped to different firewalls: to FirewallD zones in Fedora or to ufw profiles in Ubuntu. Of course, more advanced users could always open the connection editor and change the zone, or even configure the firewall directly, but this could be a huge improvement for most users.
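
A sketch of the mapping for the FirewallD case, as an added example that is not part of the original request and not NetworkManager's own code. `TRUSTED_ZONE`, `UNTRUSTED_ZONE` and `DRY_RUN` are hypothetical variables and the connection names are constructed; `connection.zone` is the existing NetworkManager property that binds a profile to a firewalld zone.

```shell
#!/bin/sh
# Added illustration: map the user's private/public answer to a firewalld
# zone and store it on the NetworkManager connection profile.
# TRUSTED_ZONE / UNTRUSTED_ZONE are hypothetical knobs standing in for the
# "could be configurable" part of the proposal.
TRUSTED_ZONE="${TRUSTED_ZONE:-trusted}"
UNTRUSTED_ZONE="${UNTRUSTED_ZONE:-public}"

# zone_for_answer ANSWER -> prints the zone name.
# Only an explicit "private" selects the trusted zone; "public", an empty
# answer (prompt dismissed) or anything unexpected fails closed.
zone_for_answer() {
    case "$1" in
        private) printf '%s\n' "$TRUSTED_ZONE" ;;
        *)       printf '%s\n' "$UNTRUSTED_ZONE" ;;
    esac
}

# needs_prompt CURRENT_ZONE -> succeeds if no zone is stored yet, i.e. the
# question has not been answered for this connection before.
needs_prompt() {
    [ -z "$1" ]
}

# apply_zone CONNECTION ANSWER [CURRENT_ZONE]
# With DRY_RUN=1 the nmcli command is printed instead of executed.
apply_zone() {
    conn=$1
    answer=$2
    current=${3-}
    if ! needs_prompt "$current"; then
        printf 'keep %s\n' "$current"   # decided once already; do not re-ask
        return 0
    fi
    zone=$(zone_for_answer "$answer")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'nmcli connection modify %s connection.zone %s\n' "$conn" "$zone"
    else
        nmcli connection modify "$conn" connection.zone "$zone"
    fi
}
```

The stored value for an existing profile can be read with `nmcli -g connection.zone connection show NAME` and passed as the third argument.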