Setting the default firewall configuration (was Re: Attention, dependency fighters)

Adam Williamson awilliam at redhat.com
Wed Nov 14 00:52:47 UTC 2012


On Tue, 2012-11-13 at 19:44 -0500, Matthew Miller wrote:
> On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
> > > > Well with firewalld not installed and no iptables configs.. I would
> > > > believe that the default would be everything open... unless some other
> > > This is indeed the case.
> > And that's clearly not what we want. I thought it kind of went without
> > saying both that this would be the consequence of simply dropping
> > firewalld from the default install entirely, and that this would not be
> > acceptable :)
> 
> Agreed. *Particularly* if Firewalld is the default but does not nicely cover
> all needs. In the ideal world, one codebase would cover everything for all
> of Fedora. I don't think we're ready for that for F18, even if we do go
> ahead with making it the default, so we need to make sure that the fallback
> position is secure.

Well, sure, but you seem to be drifting the discussion a bit (or I did,
I've been out of town for the weekend, it gets confusing). As I recall
things, the basic goal we were working towards in this thread was the
reduction of the size of the minimal install. And I was suggesting
taking firewalld out entirely as a way of achieving that, until I
realized that would be stupid.

I don't think that maintaining iptables/s-c-f forever as a 'lightweight
alternative' to firewalld is the way to go, here. I'm not advocating
that we put iptables in @core and firewalld in @standard, or anything
like that. Someone else might want to advocate that, but I'm not. Since
I now figured out to my own satisfaction that we can't just ditch
firewalld from the minimal install, the focus in the context of this
goal should be on reducing its dependency load.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


