On Wed, Jan 31, 2018 at 5:43 AM, Matthias Gerstner
Hello,
are there plans to implement "everything" that SuSEfirewall2 did under the hood, with firewalld or other mechanisms?
not everything. It's a best effort approach. I would say the aim is to be able to migrate typical use cases without much trouble.
Best effort is certainly practical. I guess my only expectation would be that when enabling a service the same rules are added that SF2 would add, if possible. For example, enabling the apache2 service:
- yast firewall services add service=service:apache2 zone=EXT
- LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
- ACCEPT tcp -- anywhere anywhere tcp dpt:http
Not all features that SF2 provides are still relevant today, or they cause complexities that are difficult to manage. firewalld, on the other hand, also provides features that SF2 does not have. A clean and well defined interface, for example.
I liked how SF2 created the LOG rules for each service enabled and would hate to see it go away.
SF2 allowed very complex LOG rule setups. firewalld only allows logging dropped/rejected packets in general, independently of the involved service. You can still add custom LOG rules.
How about the more obscure things like loading kernel modules when FW_KERNEL_SECURITY or FW_LOAD_MODULES are set?
Regarding KERNEL_SECURITY the kernel has improved much in terms of default values. SF2 currently only touches three items: log_martians, accept_source_route and rp_filter. This option also was a source of confusion in the past, because it didn't respect sysctl configuration. It's better to perform these settings explicitly via sysctl in the future.
I agree these should be set via sysctl and it's bitten me in the past.
Regarding FW_LOAD_MODULES, firewalld is able to load required modules like nf_conntrack_netbios_ns in a service context. For example if the samba-client service is enabled then this module will implicitly be loaded.
What about "yast firewall", will this be ported? I'm sure there are more, but these are the few that come to mind.
The YaST firewall module will be delayed a bit. There will be a time without a functioning one. As long as you have an X server available you can use the firewall-config GUI instead.
I'm less concerned about the GUI, I typically only use it to see what values it would set in /etc/sysconfig/SuSEfirewall2. I'm more interested in the CLI interface that 'yast firewall' provides, but I guess that would be replaced by firewall-cmd. I wrote the susefw Puppet module and that leverages the CLI, but since I'm no longer using Puppet it'll probably just die a slow death.
Generally I'd like to say that you can also contribute to firewalld to add features that are missing at the moment. I have the impression that the upstream project is a bit thin on manpower at the moment.
Regards
Matthias
-- Matthias Gerstner
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553
SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
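As an added example (not part of the thread, and not code from SuSEfirewall2 or firewalld), a small POSIX sh helper that takes a constructed SF2 sysconfig fragment and emits the firewall-cmd rich rules reproducing SF2's rate-limited LOG + ACCEPT pair for each TCP service opened on EXT, plus a sysctl drop-in for the three settings FW_KERNEL_SECURITY used to touch. The EXT/INT/DMZ to firewalld zone mapping, the hardened sysctl values, and the use of firewalld's built-in http/https service names are assumptions.

```shell
#!/bin/sh
# Constructed SuSEfirewall2 fragment for this example (not taken from a real host).
SF2_FRAGMENT='FW_SERVICES_EXT_TCP="http https"
FW_KERNEL_SECURITY="yes"'

# Read one FW_* variable from the fragment, stripping the surrounding quotes.
sf2_get() {
    printf '%s\n' "$SF2_FRAGMENT" | sed -n "s/^$1=\"\(.*\)\"\$/\1/p"
}

# SF2 zone tag -> firewalld zone name. Assumed mapping; adjust to your zone layout.
fwd_zone() {
    case "$1" in
        EXT) echo public ;;
        INT) echo internal ;;
        DMZ) echo dmz ;;
        *)   echo "unknown SF2 zone: $1" >&2; return 1 ;;
    esac
}

# One rich rule replaces SF2's LOG + ACCEPT pair for a service: same log prefix and
# level, rate-limited to 3/min. Rich rules take only a rate; iptables' default burst
# for -m limit is 5, which is what SF2's "avg 3/min burst 5" used anyway.
rich_rule() {   # $1 = firewalld service name, $2 = SF2 zone tag
    lower=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf 'rule service name="%s" log prefix="SFW2-IN%s-ACC-TCP " level="warning" limit value="3/m" accept' "$1" "$lower"
}

# firewall-cmd calls for every TCP service SF2 opened on the given zone.
migrate_services() {   # $1 = SF2 zone tag
    zone=$(fwd_zone "$1") || return 1
    for svc in $(sf2_get "FW_SERVICES_${1}_TCP"); do
        printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
            "$zone" "$(rich_rule "$svc" "$1")"
    done
}

# The three sysctls FW_KERNEL_SECURITY used to touch, set explicitly instead
# (assumed hardened values), so they no longer bypass the sysctl configuration.
sysctl_dropin() {
    [ "$(sf2_get FW_KERNEL_SECURITY)" = yes ] || return 0
    printf '%s\n' \
        'net.ipv4.conf.all.log_martians = 1' \
        'net.ipv4.conf.all.accept_source_route = 0' \
        'net.ipv4.conf.all.rp_filter = 1'
}

migrate_services EXT
sysctl_dropin
```

Review the emitted firewall-cmd lines before running them, and place the sysctl lines in a file under /etc/sysctl.d/ followed by a firewall-cmd --reload and sysctl --system.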