On Thu, Apr 17, 2014 at 3:40 PM, Thomas Woerner <twoerner(a)redhat.com> wrote:
On 02/19/2014 06:57 PM, Lennart Poettering wrote:
>
> On Wed, 19.02.14 12:40, Bastien Nocera (bnocera(a)redhat.com) wrote:
>
>>
>>
>> ----- Original Message -----
>>>
>>> Hi,
>>> I ended up calling the firewalld maintainer to understand the state of things
>>> and there is this concept in firewalld called zones that we should be able to
>>> use to create a better user experience, yet at the same time keep the firewall
>>> working when people connect with their laptop at an internet cafe for instance.
>>
>>
>> Right. But firewalld can't be a Fedora-only solution, otherwise no
>> application developer will want to integrate with it.
>>
>> We'd also need designs based around that, and see if firewalld is indeed
>> the right technical solution.
>>
>> Right now, we don't even know whether a firewall is required, or it's just a
>> work-around for applications that aren't integrated.
>
>
> I fully agree with Bastien here. I don't think a firewall brings any
> benefit on the desktop, and particularly not in the implementation of
> firewalld. There are better ways to make sure the local system is not
> vulnerable, and in its current state firewalld just creates problems and
> slows down the boot immensely (it's the number 1 slowest component on
> Fedora, right now.)
>
I will not reply to your personal opinion. But "firewalld is the number 1
slowest component on Fedora, right now."?
See below:
I just did a fresh F-20 gnome installation and applied all updates. After 3
boots I used systemd-analyze and systemd-analyze blame:
F-20 x86_64 virt guest (after 2 boots):
Startup finished in 528ms (kernel) + 1.027s (initrd) + 4.208s (userspace) = 5.765s
2.091s plymouth-quit-wait.service
1.373s firewalld.service
878ms accounts-daemon.service
833ms libvirtd.service
687ms rtkit-daemon.service
615ms avahi-daemon.service
544ms ModemManager.service
470ms chronyd.service
456ms systemd-logind.service
After disabling firewalld (and two boots):
Startup finished in 520ms (kernel) + 996ms (initrd) + 3.948s (userspace) = 5.465s
1.855s plymouth-quit-wait.service
1.145s libvirtd.service
867ms accounts-daemon.service
826ms NetworkManager.service
670ms rtkit-daemon.service
611ms avahi-daemon.service
535ms ModemManager.service
459ms systemd-logind.service
431ms plymouth-start.service
After uninstalling firewalld (and two boots):
Startup finished in 528ms (kernel) + 1.029s (initrd) + 3.944s (userspace) = 5.502s
1.536s plymouth-quit-wait.service
1.230s accounts-daemon.service
1.190s NetworkManager.service
1.089s rtkit-daemon.service
1.053s avahi-daemon.service
975ms ModemManager.service
955ms systemd-logind.service
855ms chronyd.service
709ms libvirtd.service
systemd-analyze was used to produce this initially after 3 boots and after 2
boots after each change.
firewalld is not the "number 1 slowest component on Fedora, right now.", but
it is plymouth-quit-wait.

No it just waits for other services to finish (as you have seen it
went down without firewalld).

As you can see, the userspace time varies by about 0.3s after disabling and
also uninstalling firewalld!
Taking into account that only firewalld changed in these the output of
"systemd-analyze blame" is very unexpected. The start times of other
services increased by 40 to 50% after firewalld is not started and not
available anymore.

Because things run in parallel.

I can only measure a difference of about 0.3s in boot time with and without
firewalld.

I wouldn't classify "0.3 seconds" as "only" but yeah that's the
difference on your system.