Hi,
I'm using Fedora 17 (alpha) at the moment and was interested in testing out the firewalld. It works so far, but I still have a few questions and couldn't find much documentation (except for Developers).
*) Why should I change from ip*tables (with the system-config-firewall front-end) to firewalld as an end-user? So far it seems to me that without a GUI (I wouldn't count the firewall-applet as a proper GUI) it is way harder to configure.
*) My home network consists of 2 laptops with Fedora and one MacBook. I've placed my laptops into the 'home' zone. Now I wanted to share some files and used samba. I added the service, but the next day it didn't work anymore. Do I really have to enable samba every time I reboot the system with 'firewall-cmd --add --zone=home --service=samba'? How can I add a service permanently to a zone? Sorry if that's a stupid question, but I couldn't find anything about that.
*) I really, really love the zone idea. I hope the firewall-config tool, that is mentioned in the Fedora Feature Page, will be in the repository soon.
*) The firewall-applet doesn't do much at the moment, does it? Shouldn't the .desktop file be hidden, so it doesn't show up in the Applications (that's more a package maintainer problem, I guess)?
Well, that's it for now. I will be using it for a while and report bugs if I stumble over one. So far no problems in standard usage (that means no network printer, just casual home-user).
dobu
Hello,
On 03/22/2012 01:45 PM, dobu wrote:
> Hi,
> I'm using Fedora 17 (alpha) at the moment and was interested in testing out the firewalld. It works so far, but I still have a few questions and couldn't find much documentation (except for Developers).
> *) Why should I change from ip*tables (with the system-config-firewall front-end) to firewalld as an end-user? So far it seems to me that without a GUI (I wouldn't count the firewall-applet as a proper GUI) it is way harder to configure.
system-config-firewall is more or less a static firewall. Any change to the firewall requires recreating the firewall by restarting the ip*tables services. This results in loss of connection tracking information and also in connection breaks. Firewalld provides a dynamic firewall service with a daemon that is capable of enabling and disabling firewall settings without the need to restart the whole firewall. It keeps internal state for the firewall settings. It also adds network/firewall zone support.
Also, several services and applications add firewall rules directly, which sometimes results in conflicts either in the firewall settings or at the firewall access level.
I am working on the GUI configuration tool.
> *) My home network consists of 2 laptops with Fedora and one MacBook. I've placed my laptops into the 'home' zone. Now I wanted to share some files and used samba. I added the service, but the next day it didn't work anymore. Do I really have to enable samba every time I reboot the system with 'firewall-cmd --add --zone=home --service=samba'? How can I add a service permanently to a zone? Sorry if that's a stupid question, but I couldn't find anything about that.
This is not properly documented, yet.
For now you have to manually copy the zone you want to modify from /usr/lib/firewalld/zones to /etc/firewalld/zones.
If you want to enable samba instead of samba-client just change the line <service name="samba-client"/> to <service name="samba"/> in the copy of the home zone in /etc/firewalld/zones.
The files in /usr/lib/firewalld are the default files. Files in /etc/firewalld/zones override the default files in /usr/lib/firewalld. There are three immutable zones in /usr/lib/firewalld/zones that cannot be overridden, though: block, drop and trusted. These zones are special, because they either allow or limit everything.
More documentation is on the way.
> *) I really, really love the zone idea. I hope the firewall-config tool, that is mentioned in the Fedora Feature Page, will be in the repository soon.
> *) The firewall-applet doesn't do much at the moment, does it? Shouldn't the .desktop file be hidden, so it doesn't show up in the Applications (that's more a package maintainer problem, I guess)?
The desktop file should be removed, correct.
> Well, that's it for now. I will be using it for a while and report bugs if I stumble over one. So far no problems in standard usage (that means no network printer, just casual home-user).
Thanks for testing.
> dobu
Thomas
firewalld-users@lists.fedorahosted.org
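The procedure Thomas describes (copy the default zone file into /etc/firewalld/zones, then edit the service line in the copy) as a small POSIX shell script. This is an added example, not code from the thread or from the firewalld project. It goes one step beyond the reply: instead of replacing samba-client by samba it adds a samba line while keeping samba-client, refuses the three immutable zones, and is idempotent. The directory variables default to the paths named in the thread and can be overridden (the override is an assumption made so the script can be exercised against a temporary copy); the zone file layout assumed is one `<service name="..."/>` element per line inside `<zone>...</zone>`.

```shell
#!/bin/sh
# Added example: make a firewalld service permanent in a zone by overriding
# the shipped zone file, following the copy-then-edit procedure from the thread.
# DEFAULT_DIR and OVERRIDE_DIR default to the paths named in the thread; they
# can be pre-set to other directories (assumption: used for dry runs/tests).
: "${DEFAULT_DIR:=/usr/lib/firewalld/zones}"
: "${OVERRIDE_DIR:=/etc/firewalld/zones}"

# The three zones the reply names as immutable; an override file is never created for them.
is_immutable_zone() {
    case "$1" in
        block|drop|trusted) return 0 ;;
        *) return 1 ;;
    esac
}

# effective_zone_file ZONE: prints the zone file firewalld would read,
# i.e. the copy in OVERRIDE_DIR if present, otherwise the default in DEFAULT_DIR.
effective_zone_file() {
    if [ -f "$OVERRIDE_DIR/$1.xml" ]; then
        printf '%s\n' "$OVERRIDE_DIR/$1.xml"
    else
        printf '%s\n' "$DEFAULT_DIR/$1.xml"
    fi
}

# zone_has_service ZONE SERVICE: succeeds if the effective zone file lists SERVICE.
zone_has_service() {
    f=$(effective_zone_file "$1")
    [ -f "$f" ] && grep -q "<service name=\"$2\"/>" "$f"
}

# add_service_to_zone ZONE SERVICE
# 1. refuse immutable zones
# 2. copy DEFAULT_DIR/ZONE.xml to OVERRIDE_DIR/ZONE.xml unless an override exists
# 3. insert <service name="SERVICE"/> before </zone> unless it is already listed
add_service_to_zone() {
    zone=$1; svc=$2
    if is_immutable_zone "$zone"; then
        echo "zone '$zone' is immutable and cannot be overridden" >&2
        return 1
    fi
    src="$DEFAULT_DIR/$zone.xml"
    dst="$OVERRIDE_DIR/$zone.xml"
    if [ ! -f "$dst" ]; then
        [ -f "$src" ] || { echo "no default zone file $src" >&2; return 1; }
        mkdir -p "$OVERRIDE_DIR"
        cp "$src" "$dst"          # the default file itself is never touched
    fi
    if grep -q "<service name=\"$svc\"/>" "$dst"; then
        return 0                  # already enabled: nothing to do
    fi
    # awk rather than 'sed -i', which differs between GNU and BSD sed
    tmp="$dst.tmp.$$"
    awk -v line="  <service name=\"$svc\"/>" \
        '/<\/zone>/ { print line } { print }' "$dst" > "$tmp" && mv "$tmp" "$dst"
}

# usage (as root): add_service_to_zone home samba
```

After running it, restart the firewalld service so the daemon reads the new file in /etc/firewalld/zones; the copy in /usr/lib/firewalld/zones stays untouched, so a package update of the defaults does not silently drop the change.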