Hello, On Mon, Jan 22, 2018 at 12:34:35PM +0200, Robert Munteanu wrote:
Is there a plan or some guidance for packages that drop files in /etc/sysconfig/SuSEfirewall2.d/services/ ?
$ ls -1 /etc/sysconfig/SuSEfirewall2.d/services/ | grep -v TEMPLATE | wc -l 33
With firewalld these files are no longer needed. Firewalld ships builtin
service definitions which can be listed via
$ firwall-cmd --get-services
You can get the definition of a single service like this
$ firewall-cmd --info-service=samba-client
These service names can then be used for opening them in a certain zone:
$ firewall-cmd --add-service=samba-client --zone=internal [--permanent]
You can also find the XML definitions of the services in
/usr/lib/firewalld/services.
I think the SuSEfirewall2 service files should stay around until the
migration to the new default firewall is complete. We can get rid of
these files only after SuSEfirewall2 has been completely removed from
openSUSE. It's unconvenient that these files are spread across many
different packages so it will probably take a while until they're all
cleaned up.
If anybody thinks that a service definition is missing in firewalld then
please tell me so we can see what to do about it. The correct way in
such cases would probably be to contribute suitable files to firewalld
upstream. New firewalld services can also be added dynamically during
runtime. Here is some upstream documentation on adding services:
http://www.firewalld.org/documentation/howto/add-a-service.html
So there's /etc/firewalld/services for custom services but dropping
service files into /usr/lib/firewalld/services seems also to be
supported.
Should many additional service files be needed (what I don't hope) then
we could also think about introducing a separate package that holds all
those custom service files. This would make maintaining them easier from
the firewall perspective. But adds some burden to packagers that need
changes to them.
Regards
Matthias
--
Matthias Gerstner