raising warning flag on firewalld-default feature

Matthew Miller mattdm at fedoraproject.org
Fri Nov 9 16:57:12 UTC 2012


On Fri, Nov 09, 2012 at 05:32:14PM +0100, Thomas Woerner wrote:
> >   - this turns out to be a big change!
> >   - there's little to no documentation
> Have you had a look at the man pages?

I missed the top-level man page and was looking at firewall-cmd, which is
not very helpful on its own. Starting from firewalld is much more helpful.
(Thanks!)

The Zone man page dumps me right into reading XML. :) This is the technical
documentation I was referring to, and I'm glad to see it _is_ there -- sorry
I missed it. I'm still not clear on some concepts, though -- particularly,
a zone is described as defining the "trust level of the interface used for a
connection", but in the man page for zones, "trust" isn't mentioned at all
-- instead, they appear to be the config files for firewall chains.

But I can get into my specific confusion in a separate thread. From the point
of view of the feature, we need to get some of this into web pages and maybe
online help for the GUI applet.


> >   - the UI is very confusing, with a large number of "zones" and no apparent
> >     way to configure those zones
> Go to the persistent view and you can configure zones, services and
> icmptypes.

I can certainly check and uncheck services and other things within zones,
but the GUI gives me no idea about what the zones mean and neither a way to
learn that nor a way to tell it -- I'd expect at least _one_ of those. I see
there's a "work" zone -- how does firewalld know I'm on the work network and
not at home or at a coffee shop?

> >   - no way to run once and exit for cloud guests with *non-dynamic* firewall
> >     needs, and it's a non-trivial user of system resources
> You can use the old firewall environment for static firewall use
> cases. Everything is still there.

Can I use them *both together*? If so, okay. If not, we should keep entirely
with the old one until this is really ready to take over.

> Firewalld is using about 12M of memory (RES), produces only a small
> amount of wakeups (< 0.1) if idle. Where is the non-trivial use of
> system resources.

That. That right there. When the net result of that is _no work done ever_,
multiplied by a thousand of million, it's really not a good use of the
world's resources.

Even on a dynamic system, it's going to be idle most of the time, right?
Couldn't this be entirely D-BUS activated and exit after making changes?


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm at fedoraproject.org>

