On Tue, 2014-12-09 at 07:27 +0100, Kevin Kofler wrote:
Stephen Gallagher wrote:
> > Also, while I think it's been unclear in this thread, the main reason
> > that the firewall GUI was taken out was because the Workstation guys
> > want to design a more user-understandable one and include that directly
> > (if I am remembering that conversation correctly). The current one is
> > not terribly easy to understand (though it's certainly an improvement
> > over s-c-firewall).
> Huh? Especially the last part really makes me go "huh?". System-config-firewall
> is dead simple to use: I want service S to work, I check the box
> for service S if it's one of the common ones, or pick service S from the
> full /etc/services list if it's an uncommon one, or enter its port manually
> if it's some nonstandard service listening on an arbitrary port. I don't see
> how the UI can be any simpler.
> firewall-config is only complicated because firewalld is overly complex.
I'm a little puzzled that you decided to nitpick this one statement
which was poorly phrased and ignore the rest of my email, but okay I'll
bite. I meant to say that firewall-config is in general much improved
over s-c-firewall, not that it was easy to understand.
s-c-firewall only allowed *exactly* what you described above and left
you to manually configure the firewall with the CLI if you needed
anything more complicated than "open this port on all interfaces". With
firewall-config, it's possible to set up fairly common firewall
configurations like:
* Port forward between two interfaces, which is really useful with
virtualization
* Open this SMB port on these two multipath interfaces but not on this
public interface or the management plane.
And so on. And is firewalld overly complex? Sure. Firewalls *are*
complex. Having used both firewall-cmd and iptables extensively over the
years, I'd pick firewall-cmd any day. It's far easier to remember
firewall-cmd --add-port=80/tcp
than it is to remember
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
(which I just had to Google to make sure I got it right, which I
hadn't...). So for the really simple cases that s-c-firewall used to
handle, it's still pretty darn easy. Moreover, it's *significantly*
easier to see (and understand) the current firewall state on your
system:
firewall-cmd --list-all[-zones]
On my system, this results in:
FedoraWorkstation (default, active)
  interfaces: em1 virbr0 virbr0-nic wlp4s0
  sources:
  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
(and yes, you may notice that I've elected to close the ports >1024 that
are open by default in the Fedora Workstation zone, because I'm
overly-paranoid and because I occasionally use non-Fedora software that
I cannot fully trust not to open ports without me checking on it)
Anyway, this post has admittedly gotten a bit rambling and off-topic, so
I'll end it here.
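As an added example, not part of the thread, here is a POSIX shell audit of a saved `firewall-cmd --list-all-zones` dump that flags active zones still carrying ports above 1024 (the range the mail above closes by hand) and lists which active zones expose a given service. The dump is constructed: the first zone mirrors the one in the mail, the second (`laptop-default`) is hypothetical, and the helper names `high_ports` and `zones_with_service` are my own.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --list-all-zones` output. Fields are
# indented by two spaces as firewall-cmd prints them. The first zone copies
# the mail; the second is hypothetical and still has the Fedora Workstation
# default 1025-65535 range open.
SAMPLE_ZONES='FedoraWorkstation (default, active)
  interfaces: em1 virbr0 virbr0-nic wlp4s0
  sources:
  services: dhcpv6-client dns freeipa-ldap freeipa-ldaps samba-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

laptop-default (active)
  interfaces: wlp3s0
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
'

# Print "zone<TAB>port-spec" for every port entry in an active zone whose
# low end is above 1024. No output means nothing to flag.
high_ports() {
  printf '%s' "$1" | awk '
    /^[^ ]/ { zone = $1; active = ($0 ~ /active/) }
    /^ *ports:/ {
      for (i = 2; i <= NF; i++) {
        split($i, range, "[-/]")   # "1025-65535/tcp" -> 1025, 65535, tcp
        if (active && range[1] + 0 > 1024) print zone "\t" $i
      }
    }'
}

# Print "zone<TAB>service" for each active zone that exposes service $2.
zones_with_service() {
  printf '%s' "$1" | awk -v svc="$2" '
    /^[^ ]/ { zone = $1; active = ($0 ~ /active/) }
    /^ *services:/ { for (i = 2; i <= NF; i++) if (active && $i == svc) print zone "\t" svc }'
}

high_ports "$SAMPLE_ZONES"
zones_with_service "$SAMPLE_ZONES" ssh
```

On a live system, feed it `firewall-cmd --list-all-zones` output instead of the constructed sample.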