Mailinglist Archive: opensuse-factory (956 mails)

[opensuse-factory] Time to rehash SuSEFirewall2
Hello Folks,

So, just offering my opinion on what I personally feel is an "issue" for
openSUSE with regard to its firewall.

Currently, SuSEFirewall2 invokes ip(6)tables each time it needs to add a rule
- this goes completely against what is advocated by the Netfilter developers
as it is not atomic and is costly in terms of performance; iptables-restore,
on the other hand, is atomic and restores everything in one fell swoop.

Additionally, whilst SuSEFirewall2 does provide for allowing you to configure
your own rules, it's not particularly robust, nor supported.

Thus, my suggestion is as follows:

Modify SuSEFirewall2 so that rule building happens *once* and from that point,
ip(6)tables-save and ip(6)tables-restore are all that get used. SuSEFirewall2
need only do a rebuild if the rules are modified.

Doing it this way carries the benefit that initialisation of Netfilter at
bootup will be far more efficient. It also has the benefit that any advanced
user is free to customise their iptables ruleset as they see fit; currently,
the only other way I have found to do that is dragging across iptables scripts
from Enterprise Linux and disabling SuSEFirewall2.

Regards,
Oliver
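
The build-once approach proposed in the message above, as an added example that is not part of the original mail and is not SuSEfirewall2 code: the ruleset is generated in iptables-restore format only when the configuration changes, and boot-up just loads the cached file. The port-list file format, the paths and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build once, then load with iptables-restore.
# CONF format (one allowed inbound TCP port per line) and all paths are
# hypothetical, not SuSEfirewall2's real configuration.

# Emit a complete filter table in iptables-restore format on stdout.
build_ruleset() {
    conf=$1
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    while read -r port; do
        case $port in
            ''|*[!0-9]*) continue ;;   # skip blanks, comments, non-numeric
        esac
        echo "-A INPUT -p tcp --dport $port -j ACCEPT"
    done < "$conf"
    echo 'COMMIT'
}

# Succeed (0) when the cached ruleset is missing or CONF changed since build.
needs_rebuild() {
    conf=$1 cache=$2
    [ -f "$cache" ] && [ -f "$cache.sum" ] || return 0
    [ "$(cksum < "$conf")" != "$(cat "$cache.sum")" ]
}

# Rebuild the cache only if needed; write via a temp file so a failed build
# never leaves a half-written ruleset behind.
refresh_cache() {
    conf=$1 cache=$2
    needs_rebuild "$conf" "$cache" || return 0
    build_ruleset "$conf" > "$cache.tmp" &&
        mv "$cache.tmp" "$cache" &&
        cksum < "$conf" > "$cache.sum"
}

# Boot-time path (needs root): one atomic load instead of one iptables
# call per rule. --test parses the file without committing it.
load_ruleset() {
    iptables-restore --test < "$1" && iptables-restore < "$1"
}
```

Because the cached file is plain iptables-restore input, an administrator can inspect it or compare it against `iptables-save` output before it is loaded.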