raising warning flag on firewalld-default feature

Thomas Woerner twoerner at redhat.com
Tue Nov 13 17:37:37 UTC 2012


On 11/13/2012 06:16 PM, Dennis Jacobfeuerborn wrote:
> On 11/13/2012 05:28 PM, Thomas Woerner wrote:
>> On 11/13/2012 03:46 PM, Matthew Miller wrote:
>>> On Tue, Nov 13, 2012 at 02:28:17PM +0100, Tomasz Torcz wrote:
>>>>>>> Here, I mostly don't see the reason for it to be running all the time.
>>>>>>> Couldn't it be dbus activated, and then go away when it's not needed?
>>>>>>> Then,
>>>>>>> it would matter less what it was written in.
>>>>>> It would lose internal state if it would be D-BUS activated.
>>>>> Surely it could persist it somewhere?
>>>>     Like in the actual netfilter rules?
>>>
>>> Yes.
>>>
>>> It has to be able to save internal state *somehow*, because if restarting
>>> the service breaks everything, we're not gaining much over the old way, are
>>> we? Plus, for a critical service like this, the service needs to be designed
>>> to be as robust as possible in situations where it might crash or get killed
>>> arbitrarily.
>>>
>> With the old static firewall model every firewall change was a complete
>> firewall recreate with conntrack loss. With firewalld changes to the
>> firewall are done dynamically and conntrack is preserved.
>
> That's not correct. You can modify the firewall just fine without
> restarting it.
>
This is related to system-config-firewall/lokkit. You are right, if you
are using iptables directly then you do not have this limitation.
firewalld is a replacement for s-c-fw/lokkit.

> Regards,
>    Dennis
>

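The distinction Thomas draws above (lokkit regenerating the whole firewall versus firewalld applying changes dynamically) comes down to whether a change is applied as a full `iptables-restore` of the table or as individual `-D`/`-I` operations against the live ruleset. The following is an added example, not code from firewalld, lokkit or anyone in this thread: it parses two `iptables-save` dumps (the current one and the desired one, both constructed here for a hypothetical host) and emits only the incremental `iptables` commands needed to move from one to the other, so existing rules, and the connections matched by them, are never torn down. The function names and the sample rulesets are assumptions for illustration.

```python
"""Added example: derive incremental iptables commands from two
iptables-save dumps instead of flushing and reloading the whole table.
Not firewalld's or lokkit's implementation; names and data are made up."""
from typing import Dict, List, Tuple

# Constructed sample of what `iptables-save` prints on a hypothetical host.
CURRENT_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
COMMIT
"""

# Constructed target: drop the telnet rule, allow HTTPS, keep everything else.
DESIRED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

Rule = Tuple[str, str]  # (chain, rule spec that followed "-A CHAIN ")


def parse_save(text: str) -> Dict[str, List[Rule]]:
    """Parse iptables-save output into {table: [(chain, spec), ...]},
    preserving rule order.  Policy lines (":CHAIN POLICY [p:b]"), COMMIT
    and comments are skipped; only the ordered "-A" rules take part in
    the diff."""
    tables: Dict[str, List[Rule]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables.setdefault(table, [])
            continue
        if line.startswith(":") or table is None:
            continue
        if line.startswith("-A "):
            _, chain, spec = line.split(" ", 2)
            tables[table].append((chain, spec))
    return tables


def incremental_commands(current_save: str, desired_save: str) -> List[str]:
    """Return the iptables commands that turn `current_save` into
    `desired_save` without flushing.  Rules present in both dumps are left
    untouched.  Caveat: a chain containing the same rule twice, or common
    rules that changed their relative order, is not handled; those would
    need a delete plus re-insert."""
    current = parse_save(current_save)
    desired = parse_save(desired_save)
    cmds: List[str] = []
    for table in sorted(set(current) | set(desired)):
        cur_rules = current.get(table, [])
        want_rules = desired.get(table, [])
        # Deletions first, by rule spec (-D CHAIN spec), walking backwards so
        # the positions used for the inserts below describe the final layout.
        for chain, spec in reversed(cur_rules):
            if (chain, spec) not in want_rules:
                cmds.append(f"iptables -t {table} -D {chain} {spec}")
        # Insert each missing rule at its 1-based position within the chain
        # of the desired ruleset (-I CHAIN N spec) so ordering matches.
        position: Dict[str, int] = {}
        for chain, spec in want_rules:
            position[chain] = position.get(chain, 0) + 1
            if (chain, spec) not in cur_rules:
                cmds.append(f"iptables -t {table} -I {chain} {position[chain]} {spec}")
    return cmds


if __name__ == "__main__":
    # The static model's equivalent is one `iptables-restore < file`, which
    # (without --noflush) replaces the whole table.  Here only two commands
    # touch the kernel and the three shared rules are never removed.
    for cmd in incremental_commands(CURRENT_RULESET, DESIRED_RULESET):
        print(cmd)
```

Run as root with a real `iptables-save` output as the first argument to see the two commands it would issue for this sample; on the sample data above it deletes the port 23 rule and inserts the port 443 rule at position 4 of INPUT, leaving the conntrack, loopback and ssh rules in place. The parser deliberately ignores policy lines, so a change of chain policy (for example from ACCEPT to DROP) would have to be handled separately with `iptables -P`.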