raising warning flag on firewalld-default feature

Thomas Woerner twoerner at redhat.com
Fri Nov 9 16:32:14 UTC 2012


On 11/09/2012 03:33 PM, Matthew Miller wrote:
> https://fedoraproject.org/wiki/Features/firewalld-default
>
> We have an accepted feature for Firewalld to be the default in Fedora 18.
>
> The old scripts are primitive and can't handle dynamic environments very
> well, so having something new and modern is admirable. The lokkit family of
> GUI config tools is primitive enough to be considered dangerous. And a lot
> of integration work has been done in NetworkManager, libvirt, and a bunch of
> other places.
>
> But, I think we should strongly consider pushing this to F19, because:
>
>    - this turns out to be a big change!
>    - there's little to no documentation
Have you had a look at the man pages?

>    - the UI is very confusing, with a large number of "zones" and no apparent
>      way to configure those zones
Go to the persistent view and you can configure zones, services and 
icmptypes.

>    - toolset is not yet robust -- has funny things like `firewall-cmd
>      --enable` enables *panic mode*.
Nice find. You are the first to get this. Will work on it.

>    - no way to run once and exit for cloud guests with *non-dynamic* firewall
>      needs, and it's a non-trivial user of system resources
You can use the old firewall environment for static firewall use cases. 
Everything is still there.

Firewalld is using about 12M of memory (RES), produces only a small 
amount of wakeups (< 0.1) if idle. Where is the non-trivial use of 
system resources?

>
> The alternative is to enable it by default in some cases but not in others,
> but I think that's just confusing. We should wait until it's ready and then
> turn it on everywhere.
>
> I think this bug is illustrative of the problems we're going to see if we
> ship as-is: <https://bugzilla.redhat.com/show_bug.cgi?id=869625>. Stef isn't
> trying to do anything crazy, but is both foiled by the lack of options and
> confused by the choices that are there. We're going to get a lot more bugs
> like this, and worse, unhappy users.
>
libvirt is creating the firewall rules for guests - it is doing this 
with the old static model, where you lose these rules in case of other 
firewall changes, or with firewalld, but here changes are dynamic.

> The lack of documentation is really the showstopper here. If we had really
> good 1) hand-holding documentation and 2) technical documentation for
> admins, I'd be more willing to take the risk. (In an even more ideal world,
> the UI would be so well designed that the hand-holding documentation
> wouldn't be necessary.)
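Added example, not code from the thread or from firewalld itself: a small Python audit of one persistent zone definition in the XML layout firewalld keeps under /etc/firewalld/zones/, which is what the "persistent view" mentioned above edits. It lists the services, ports, ICMP blocks and masquerading a zone allows and flags anything outside an allow-list; the sample zone XML and the allow-list are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a persistent firewalld zone definition (same layout
# as /etc/firewalld/zones/<zone>.xml). Illustrative only, not a real file.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Example zone for untrusted networks.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
  <port protocol="udp" port="5000-5100"/>
  <icmp-block name="echo-request"/>
  <masquerade/>
</zone>
"""


def summarize_zone(xml_text):
    """Return a dict describing what a persistent zone definition allows."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone definition: root is <%s>" % root.tag)
    return {
        "short": (root.findtext("short") or "").strip(),
        # The zone element carries target="..." only when it is not the default.
        "target": root.get("target", "default"),
        "services": sorted(s.get("name") for s in root.findall("service")),
        "ports": sorted((p.get("protocol"), p.get("port")) for p in root.findall("port")),
        "icmp_blocks": sorted(b.get("name") for b in root.findall("icmp-block")),
        "masquerade": root.find("masquerade") is not None,
    }


def review_zone(summary, allowed_services):
    """Findings a reviewer would flag: services outside the allow-list,
    every explicitly opened port, and masquerading enabled on the zone."""
    findings = []
    for svc in summary["services"]:
        if svc not in allowed_services:
            findings.append("service %r not in allow-list" % svc)
    for proto, port in summary["ports"]:
        findings.append("explicit port open: %s/%s" % (port, proto))
    if summary["masquerade"]:
        findings.append("masquerade enabled (zone NATs forwarded traffic)")
    return findings


if __name__ == "__main__":
    zone = summarize_zone(SAMPLE_ZONE_XML)
    for finding in review_zone(zone, {"ssh", "dhcpv6-client"}):
        print(finding)
```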