raising warning flag on firewalld-default feature

Matthew Miller mattdm at fedoraproject.org
Fri Nov 9 14:33:08 UTC 2012


https://fedoraproject.org/wiki/Features/firewalld-default

We have an accepted feature for Firewalld to be the default in Fedora 18.

The old scripts are primitive and can't handle dynamic environments very
well, so having something new and modern is admirable. The lokkit family of
GUI config tools is primitive enough to be considered dangerous. And a lot
of integration work has been done in NetworkManager, libvirt, and a bunch of
other places.

But, I think we should strongly consider pushing this to F19, because:

  - this turns out to be a big change!
  - there's little to no documentation
  - the UI is very confusing, with a large number of "zones" and no apparent
    way to configure those zones
  - toolset is not yet robust -- has funny things like `firewall-cmd
    --enable` enables *panic mode*.
  - no way to run once and exit for cloud guests with *non-dynamic* firewall
    needs, and it's a non-trivial user of system resources

The alternative is to enable it by default in some cases but not in others,
but I think that's just confusing. We should wait until it's ready and then
turn it on everywhere.

I think this bug is illustrative of the problems we're going to see if we
ship as-is: <https://bugzilla.redhat.com/show_bug.cgi?id=869625>. Stef isn't
trying to do anything crazy, but is both foiled by the lack of options and
confused by the choices that are there. We're going to get a lot more bugs
like this, and worse, unhappy users.

The lack of documentation is really the showstopper here. If we had really
good 1) hand-holding documentation and 2) technical documentation for
admins, I'd be more willing to take the risk. (In an even more ideal world,
the UI would be so well designed that the hand-holding documentation
wouldn't be necessary.)



-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm at fedoraproject.org>