Setting the default firewall configuration (was Re: Attention, dependency fighters)

Adam Williamson awilliam at redhat.com
Fri Nov 9 23:24:02 UTC 2012 

On Fri, 2012-11-09 at 15:06 -0800, Adam Williamson wrote:

> Right now it seems like anaconda actually just throws firewalld into the
> target package set in absolutely all cases, like it does with
> authconfig, which I think is wrong. As the above makes clear, it only
> really makes sense to use anaconda's mechanism for adding packages to
> the to-be-installed set when they may or may not need to be installed
> depending on the path taken through installation. If we really want
> these to be in all installs, unconditionally, we should just put them in
> the @core group in comps. For authconfig, this may be the correct way to
> go. But for firewalld, it seems to me that so far as anaconda is
> concerned, it only needs to go into the installed system if the user has
> requested firewall configuration as part of the install, which I don't
> believe is the default and in fact is only available through kickstarts
> (so it's probably an uncommon case). It should be made conditional in
> anaconda, anaconda should not be forcing it into the to-be-installed
> package set in all cases.
> 
> We already have firewalld in the 'standard' set in comps, which seems
> like about the right place for it - it'll be in most installs, but not
> minimal ones, if anaconda gets fixed up.

So I just followed this up in IRC. It turns out that right now, anaconda
always (or at least by default) *does* touch the firewall: it opens up
port 22. So that's why firewalld is getting added to the to-be-installed
package set unconditionally. Given the current behaviour, that's
correct.

However, it seems like somewhat silly behaviour. If our default firewall
configuration is supposed to be 'port 22 open' we should express that in
our firewall package, not set a default in the firewall package then
have the installer change it. That's just needless complexity (and
results in the problem of firewalld being in the minimal install, where
it maybe doesn't actually need to be). So perhaps we should change
firewalld to default to opening port 22.

Jesse points out that this kind of discussion usually gets derailed in
spectacularly unhelpful directions:

<jlk> right
 this usually gets us into an argument with the "community"
 and people suggesting, then arguing against, packages shipping their
own firewall config
 so whether ssh is open or not depends on if you install ssh
<jlk> then somebody mentions German privacy laws and the whole thread
goes nowhere.

So if you're going to follow up on this - there are fun discussions to
be had about the pros and cons of letting packages ship firewall
configs, but please don't do it in this thread, start a new one if you
must. Having firewalld ship a 'port 22 open' default may not be the best
way to do things in the best of all possible worlds, but it is at least
_more_ sensible than having the installer set the default firewall
policy. And for the love of God, please don't bring up German privacy
laws.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

More information about the devel mailing list