Hello,
----- Original Message -----
> I'm maintaining a VPN server in Fedora and I'm wondering whether I'd need to
> integrate firewalld with that. After reading the information in
> https://fedoraproject.org/wiki/FirewallD I don't think I'm sure what I'm
> supposed to do.

I’d guess you only need to ensure a firewalld service definition for the VPN
server exists.

> There are two issues:
>
> 1. Should my service turn on the firewall ports used by the server? As far
> as I understand, in order for the service to work out of the box I'd need to
> call firewall-cmd --port to enable the TCP and UDP ports used by the server,
> possibly from the systemd unit file (are there any hooks for that?).

A service manipulating the firewall for itself? Definitely not. Policy is for
the administrator to define; applications opening ports for themselves is
completely redundant to calling bind(). (We can discuss whether it would be
appropriate to ship with a configuration that enables the service by default,
but a very likely answer is “no”; we don’t enable httpd by default, for
example.)

> 2. What zone should the server put the clients it connects in? Should there
> be some special vpn zone or should I use one of the existing ones? (None of
> the existing ones looks very reasonable for that.)

How are the clients connected exactly? If the traffic looks like it arrives on
a virtual interface, a zone should be assigned to that interface, using the
existing system-wide configuration for that interface
(/etc/sysconfig/network-scripts/ifcfg*) if at all possible (this might require
extra code I don’t know much about).

> However, what is not apparent to me as a Fedora packager is how that is
> supposed to be handled. Should the package handle any requirements by
> firewalld (i.e., the package is plug and play), or should the package defer
> to the administrator to configure firewalld separately (i.e., the package is
> installed but doesn't work by default)?

Packages should defer to the administrator. (Note that the F21 _Workstation_
product will ship with a different default, and some Cloud images might have
yet another. But in both cases the individual packages are not supposed to
care.)

> I see that ssh and a few other services are enabled by default by the
> firewalld configuration itself,

Those are the exceptions from the general default of keeping services
disabled.
Mirek
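As an added illustration (not part of the thread), this is what the "firewalld service definition" recommended above looks like from the packager's side: a static XML file that only describes the daemon's ports and opens nothing by itself, so the administrator still decides in which zone, if any, to enable it. The service name "example-vpn", the file path and the port numbers are placeholders; the real file uses the daemon's own name and listening ports.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Shipped by the package as /usr/lib/firewalld/services/example-vpn.xml
     (placeholder name and path). Installing this file does not open any
     port; it only lets the administrator refer to the service by name, e.g.
       firewall-cmd --permanent --zone=public --add-service=example-vpn
       firewall-cmd --reload
     The zone of a VPN's virtual interface is likewise administrator policy,
     set per interface (for ifcfg-based setups via ZONE= in
     /etc/sysconfig/network-scripts/ifcfg-<iface>). -->
<service>
  <short>Example VPN</short>
  <description>Example VPN server (placeholder description). The ports below
  are placeholder values standing in for the daemon's real TCP and UDP
  listening ports.</description>
  <port protocol="udp" port="1194"/>
  <port protocol="tcp" port="1194"/>
</service>
```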