On Tue, 2 Dec 2014 11:30, Ludwig Nussel <ludwig.nussel@...> wrote:
On 02.12.2014 at 11:16, Stephan Kulow wrote:
On 02.12.2014 11:09, Mathias Homann wrote:
There's no need to fully configure the firewalld firewall during installation: firewalld is meant to be used with network manager, as in, for machines where at installation time you don't necessarily know what the network is going to be like. By default any new interface will be put into the public zone, where only ssh and dhcpv6c are allowed in, and that is enough for setups like that. Later the user will specify which zone should be used for which interface, based on which connection is active.
The initial choice of zone from within a text mode yast at setup time could be done with firewall-cmd from within a script, but the required yast module needs to be written by someone else... I don't know how to do that.
But then let's wait with Factory integration until that someone is found.
Chicken and egg problem I guess :-) Having a proper firewalld package in Factory would be a good start at least. It can't be the default or even recommended until the integration with YaST and packages providing service files are solved of course.
Proposal for an interim solution:

Facts:
- We need a tool that can read and convert SuSEfirewall2 rules, both /etc/sysconfig/SuSEfirewall2 and /etc/sysconfig/SuSEfirewall2.d/*

Proposal:
- Why not set a point on top of that: store the timestamp/checksum of the original config files as comments in the converted config files, so that for the next run only the changed files are touched.
- On 'PreStart' of firewalld, run the convert tool to make sure we have the actual ruleset.

That way YaST2 does not need to know anything about firewalld atm.

Sure, the best case would be a generic firewall module for YaST2, with backends for the installed firewall software (SuSEfirewall2, firewalld, shorewalld, etc.).

For YaST modules, well, I can't stand Ruby as a language at all. It's a nightmare and bogeyman for me. Indentations! (Shudders)

- Yamaban.
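The checksum-stamping idea from the proposal above, as an added shell example (not code from the thread or from any openSUSE tool). The stamp format, the function names and the placeholder `translate` step are assumptions; the real SuSEfirewall2-to-firewalld rule translation is not implemented here.

```shell
#!/bin/sh
# Added example: re-convert a SuSEfirewall2 config only when its checksum
# differs from the one recorded as a comment in the converted file.
# STAMP_PREFIX and all function names are hypothetical.
STAMP_PREFIX='# source-sha256: '

src_sum() { sha256sum "$1" | cut -d' ' -f1; }

# Print the checksum recorded in a converted file (empty if none).
recorded_sum() {
    [ -f "$1" ] || return 0
    sed -n "s/^${STAMP_PREFIX}//p" "$1" | head -n 1
}

# True when the source changed since the last run or was never converted.
# A checksum is used instead of mtime so a restored or copied file with
# identical content is not converted again.
needs_convert() { [ "$(src_sum "$1")" != "$(recorded_sum "$2")" ]; }

# Placeholder translator (assumption): passes KEY=value lines through as
# comments. A real tool would emit firewalld zone/service configuration.
translate() { grep -E '^[A-Z_0-9]+=' "$1" | sed 's/^/# from SuSEfirewall2: /'; }

# Convert src to dst if needed; echoes "converted" or "skipped".
# The output is written to a temp file and renamed, so an interrupted run
# never leaves a half-written ruleset with a valid stamp.
convert_if_changed() {
    src=$1 dst=$2
    if needs_convert "$src" "$dst"; then
        tmp="$dst.tmp.$$"
        { printf '%s%s\n' "$STAMP_PREFIX" "$(src_sum "$src")"
          translate "$src"; } > "$tmp" || return 1
        mv "$tmp" "$dst"
        echo converted
    else
        echo skipped
    fi
}

# Constructed demo input; run as: sh script.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'FW_SERVICES_EXT_TCP="ssh"\n' > "$d/SuSEfirewall2"
    convert_if_changed "$d/SuSEfirewall2" "$d/out"   # first run
    convert_if_changed "$d/SuSEfirewall2" "$d/out"   # unchanged source
    rm -rf "$d"
fi
```

Calling `convert_if_changed` for each source file from a pre-start hook gives the behaviour described in the proposal: unchanged files are left alone, edited ones are regenerated before the firewall starts.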