
On Tue, 27 Jan 2015 02:07, Karol Mroz wrote:
This is an interesting topic, and I have some time, so I wouldn't mind picking this up and seeing where we can take it.
Firewalld looks to have some merit, and while I've not yet used it extensively, it does offer some nice features: similar to SF2 it's based on zones, clean interface, large list of supported services, d-bus interface, etc. I tried firewalld with Wicked instead of NM, and while configuration must be done by manually inputting interface names, I suspect we could get some communication happening between the two over d-bus as well. Perhaps we could also build some support for configuration via ifcfg- files in the future. Just some thoughts.
After going through this thread, I find the idea of peaceful coexistence (especially at the beginning) quite agreeable. As proposed, I think a similar approach to Wicked/NM selection could be built into the yast2-firewall, and if firewalld is selected, a decent place to start would be to have YaST2 run the firewalld GUI. This would hopefully get more folks trying firewalld and evaluating its usability as an alternative or a replacement, or whatever we decide. Later on, we could look at the effort involved in things like converting /etc/sysconfig/SuSEfirewall2 and others into firewalld parsable forms. For now, both packages could exist on the system together, with only one enabled and running at a given time. I'm not a YaST developer, but it might be fun to give it a go :)
I think some great ideas came out of this thread, so let's keep the channel open. If anyone has any feedback, more ideas, concerns, please share them.
A few things to note:
- GUI is GTK only; the Yast GTK UI port has gone the way of the dodo, only the Qt GUI works.
- no ncurses interface.
- for full integration into Yast, the firewalld cli would have to be used.
- migration from personal iptables rules is not automatic.

Info:
http://www.firewalld.org/documentation/
https://fedoraproject.org/wiki/FirewallD

I'm not against it, but the missing migration is raising my hackles. That is a point to get working; after that the resistance against a change of default firewall should be much less.

For a fresh desktop install, with no config transfer from an old system, sure, it is a possibility to use it now. For a server with no GUI? No good atm. Trying to convert your special iptables rules to firewalld? Well, starting anew is faster, no help for converting. Better to know what is waiting ahead than running blind into it.

Could we get it into shape for SLE13? -- Possible, sure. Ready for OSS.next? -- Very unsure, but let's start.

- Yamaban.

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
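To make the "migration is not automatic" point concrete, here is an added example (not code from the thread, from openSUSE, SuSEfirewall2 or firewalld) that reads `iptables-save` output and emits the `firewall-cmd` calls for the simple INPUT rules it can express, handing everything else back for manual review. It uses the real `firewall-cmd` options `--permanent`, `--zone`, `--add-port`, `--add-rich-rule` and `--reload` and the firewalld rich-rule language; the zone name `public`, the sample rule set, and the function names `parse_rule`, `translate` and `convert` are this example's own assumptions. Chain default policies, interface-to-zone binding, rate limiting and FORWARD/OUTPUT rules are deliberately left for a human, which is roughly where a hand migration starts.

```python
"""Partial iptables-save -> firewall-cmd translator (added example, not
from openSUSE, SuSEfirewall2 or firewalld). Only plain INPUT port rules
are converted; anything else is returned for manual review."""
import shlex

# Constructed sample in `iptables-save` format; not captured from a real host.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -m limit --limit 5/min -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# iptables targets this example maps to firewalld rich-rule actions.
ACTIONS = {"ACCEPT": "accept", "DROP": "drop", "REJECT": "reject"}


def parse_rule(line):
    """Tokenise one `-A ...` line into the few options we understand.

    Unrecognised tokens land in 'extra' so translate() refuses the rule
    instead of silently dropping a match the admin relied on.
    """
    tokens = shlex.split(line)
    rule = {"chain": None, "proto": None, "dport": None, "src": None,
            "iface": None, "state": None, "target": None,
            "modules": [], "extra": []}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            rule["chain"] = nxt
        elif tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = nxt
        elif tok == "-s":
            rule["src"] = nxt
        elif tok == "-i":
            rule["iface"] = nxt
        elif tok == "--state":
            rule["state"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
        elif tok == "-m":
            rule["modules"].append(nxt)
        else:
            rule["extra"].append(tok)
            i += 1
            continue
        i += 2
    return rule


def translate(rule, zone="public"):
    """Return ("implicit", None), ("cmd", <firewall-cmd line>) or ("manual", None)."""
    # firewalld's base ruleset already accepts loopback and
    # established/related traffic before zone rules run, so these need no
    # counterpart in the zone configuration.
    if rule["chain"] == "INPUT" and rule["target"] == "ACCEPT" and rule["dport"] is None:
        if rule["iface"] == "lo" or (rule["state"] and "ESTABLISHED" in rule["state"]):
            return "implicit", None
    unsupported = [m for m in rule["modules"] if m not in ("tcp", "udp", "state")]
    if (rule["chain"] != "INPUT" or rule["extra"] or unsupported
            or rule["iface"] is not None          # interface binding is a zone property
            or rule["proto"] not in ("tcp", "udp")
            or rule["dport"] is None
            or rule["state"] not in (None, "NEW")
            or rule["target"] not in ACTIONS):
        return "manual", None
    base = f"firewall-cmd --permanent --zone={zone}"
    # Plain "open this port" rules map to --add-port.
    if rule["target"] == "ACCEPT" and rule["src"] is None:
        return "cmd", f"{base} --add-port={rule['dport']}/{rule['proto']}"
    # Source restrictions and drop/reject need the rich-rule language.
    # iptables-save is IPv4 only; ip6tables rules would need family="ipv6".
    parts = ['rule family="ipv4"']
    if rule["src"]:
        parts.append(f'source address="{rule["src"]}"')
    parts.append(f'port port="{rule["dport"]}" protocol="{rule["proto"]}"')
    parts.append(ACTIONS[rule["target"]])
    return "cmd", f"{base} --add-rich-rule={shlex.quote(' '.join(parts))}"


def convert(text, zone="public"):
    """Split iptables-save text into (commands, implicit_rules, manual_rules)."""
    commands, implicit, manual = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue  # table header, chain policy or COMMIT: not translated
        kind, cmd = translate(parse_rule(line), zone)
        if kind == "cmd":
            commands.append(cmd)
        elif kind == "implicit":
            implicit.append(line)
        else:
            manual.append(line)
    if commands:
        commands.append("firewall-cmd --reload")
    return commands, implicit, manual


if __name__ == "__main__":
    cmds, implicit, manual = convert(SAMPLE_RULES)
    print("\n".join(cmds))
    print("# covered by firewalld defaults:", *implicit, sep="\n#   ")
    print("# needs manual conversion:", *manual, sep="\n#   ")
```

Running it on the sample prints three `firewall-cmd` lines plus the reload, marks the loopback and RELATED,ESTABLISHED rules as already covered, and leaves the rate-limited rule and the FORWARD rule for the admin. On a real host, pipe `iptables-save` into `convert()` and diff the "manual" list against what you expected; that list is the real migration work.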