Setting the default firewall configuration (was Re: Attention, dependency fighters)

Miloslav Trmač mitr at volny.cz
Wed Nov 14 10:34:56 UTC 2012


On Wed, Nov 14, 2012 at 2:35 AM, Matthew Miller
<mattdm at fedoraproject.org> wrote:
> Well. I may be a little bit cynical on this, but I think the unsteered drift
> of this kind of thing goes like this:
>
> 1. Shiny new feature covers the desktop case, so let's make it the default
>    in Fedora.
> 2. "Don't worry, if you have other needs, the old way still works".
> 3. So many things get updated to the new way that the old way isn't
>    reasonable anymore, but *those other use cases never get consideration*.
>
> It's like step 2 magically covers the end game. But of course it doesn't.

That's not at all the case with firewalld.  2 out of 4 of the concerns
that led to firewalld being postponed in F17 were
server/enterprise-related, and AFAIK are now resolved.  Yes, the
documentation is still not great, but that's something that can
realistically be improved before GA.

> I'm not against progress. The static firewall scripts don't cover a lot of
> cases, and are particularly a pain with virt. But let's not jump ahead of
> ourselves without at _least_ a plan.

AFAIK the major things for our usual use cases are covered, at least
going by the F17 criteria.  Sure, there may be more things missing.

Looking at your original warning flag: Squeezing every last megabyte
out of the running system for cloud is a really new thing that we
haven't historically required.  Sure, it would be great to make
firewalld smaller (and rewriting firewalld to C is one of those things
that have been promised a long time ago and never happened), but I
don't really see that as a blocker.

> So that's a little bit of a tangent, but, as outlined in the other thread, I
> don't think firewalld is at a point where making it the default would be
> a good for Fedora. Maybe it could be by F19. Reducing the dependency load is
> just one part of that.
>
> In the meantime, I think we should make sure a newly installed system with
> either firewalld or the old thing (now called iptables-service) has a
> sensible firewall out of the box. (Same all-closed-but-ssh as we've had
> forever, I expect.)

We _cannot_ have two different firewalls equally supported, each with
its own command line and API.  Applications won't support both
equally, documentation won't support both equally, QA won't cover both
equally, users will be confused.

We'd get the 8-years duplication of init.d/network vs. NetworkManager
all over again, and I personally strongly want to avoid that (this was
a third of my FESCo election platform).
    Mirek
