Hi, exactly the way I see it, actually. On a server with a permanent internet connection, SFW2 is just right, especially with all the logging options and rate limiting, but for a client computer firewalld is quite nice, seeing how an end user would not really want to read firewall logs (or even be able to), but the end user would perhaps want the flexibility of a networkmanager/firewalld combination. ... I know I do, on my laptop.

Cheers
MH

On 12/02/2014 03:17 PM, Darin Perusich wrote:
For now I've made the service for firewalld conflict with the SuSEfirewall2 services, so that should be fine. As far as a migration path goes, firewalld comes with a way bigger set of predefined services and zones than SuSEfirewall2, so any "migration path" would be quite straightforward, and not that much different from the initial implementation of any firewall.

The question is how painful the migration path is. SuSEfirewall2 has existed for a long time, so there are many people with grown configurations. So the premium migration path would be if /etc/sysconfig/SuSEfirewall2 could be converted automatically, at least to some degree. I guess there is no chance for custom rules though. Also, packages that drop stuff in /etc/sysconfig/SuSEfirewall2.d/services need to be adjusted to do the equivalent for firewalld.

On 02.12.2014 at 09:49, Mathias Homann wrote:

Actually... I see two different target audiences here. firewalld in my POV is for end user PCs, specifically laptops with multiple connections, and SuSEfirewall2 is for server setups, with a maximum of 3 zones... so there's not all that much overlap. Anyway I'll see if I can find time to do at least a rough draft of a wiki page at some point between travelling and work... Guess it's a good thing that I'm teaching this stuff :)

On 12/02/2014 11:20 AM, Ludwig Nussel wrote:

SFW2 and firewalld are tools for managing and defining firewall rules. firewalld is no more tailored to end user systems than SFW2 is designed for servers; both tools are used to manage firewall rules. The biggest difference from what I see is firewalld dynamically adds rules w/o clearing the existing state, which is certainly a nice feature.

On Tue, Dec 2, 2014 at 6:22 AM, Mathias Homann <Mathias.Homann@opensuse.org> wrote:
Having no experience w/it, other than reading docs, I spun up a centos7 system and have done a quick comparison of a simple rule, sshd, between it and my opensuse 13.1 system. First impressions: firewall-cmd is much faster than 'yast firewall services' at adding/removing services. Not too surprising given one's written in python and the other is a bash script.

Biggest issue I see is there are no LOG rules by default. One of the things I really like about SFW2 is it logs all DENY and ACCEPT, rate limited of course, packets destined for the system. IMO this is invaluable when troubleshooting inbound connectivity issues or to simply see if anyone is probing your system.

I'll need to play more, but it's going to require a lot of work to port/migrate from SFW2 to firewalld, especially given how entrenched SFW2 is.
cheers MH
I'll see if I can find some time to write up a readme or such, but I don't think I have editing rights on the wiki, so someone else would have to put it there.

It's a wiki, you just need to log in with your opensuse account to be able to edit pages :-)
cu Ludwig
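Two points in the thread ask for a concrete illustration: Ludwig's wish for an at least partial automatic conversion of /etc/sysconfig/SuSEfirewall2, and Darin's observation that firewalld ships without the rate-limited ACCEPT/DENY logging SFW2 has by default. The script below is an added example written for this page; it is not code from the thread, from SuSEfirewall2 or from firewalld. It reads the FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP port lists from a constructed sample config, rewrites SFW2's low:high port ranges into firewalld's low-high form, and prints (rather than runs) the firewall-cmd invocations that open each port through a rich rule with a rate-limited log action, followed by --set-log-denied for the DENY side. Assumptions: firewalld's rich-rule syntax, the --set-log-denied option (which firewalld gained in a release after this 2014 thread), and a zone name of "public" that is only a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from either firewall project.
# Reads the port lists from a SuSEfirewall2 config (constructed sample below),
# emits the equivalent firewall-cmd commands, and adds the rate-limited
# ACCEPT logging and denied-packet logging that SFW2 has by default.
# Assumptions: firewalld rich-rule syntax; zone "public" is a placeholder.

ZONE="${ZONE:-public}"

# Constructed sample of /etc/sysconfig/SuSEfirewall2 (only the keys used here).
SFW2_SAMPLE='FW_SERVICES_EXT_TCP="22 80 443 6000:6010"
FW_SERVICES_EXT_UDP="123"
'

# Print the value of one sysconfig variable from config text on stdin.
# $1 variable name
sysconfig_get() {
  sed -n "s/^$1=\"\(.*\)\"\$/\1/p"
}

# SFW2 writes port ranges as low:high; firewalld wants low-high.
# $1 config text, $2 variable name, $3 protocol -> one "port/proto" per line
ports_for() {
  for p in $(printf '%s' "$1" | sysconfig_get "$2"); do
    printf '%s/%s\n' "$(printf '%s' "$p" | tr ':' '-')" "$3"
  done
}

# Rich rule that accepts a port and logs the accepted packets, rate limited.
# $1 port or range, $2 protocol, $3 log prefix, $4 limit such as 3/m
log_accept_rule() {
  printf 'rule family="ipv4" port port="%s" protocol="%s" log prefix="%s" level="info" limit value="%s" accept' \
    "$1" "$2" "$3" "$4"
}

# Emit the commands instead of running them so they can be reviewed first;
# pipe the output through sh on the target host to apply.
# $1 config text
migrate() {
  cfg="$1"
  { ports_for "$cfg" FW_SERVICES_EXT_TCP tcp; ports_for "$cfg" FW_SERVICES_EXT_UDP udp; } |
  while IFS=/ read -r port proto; do
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
      "$ZONE" "$(log_accept_rule "$port" "$proto" "ACCEPT_${proto}_${port}" 3/m)"
  done
  # Denied-packet logging: firewalld option added after this thread; stands in
  # for SFW2's default logging of dropped packets (firewalld applies its own limit).
  printf 'firewall-cmd --set-log-denied=all\n'
  printf 'firewall-cmd --reload\n'
}

if [ "${1:-}" = "--print" ]; then migrate "$SFW2_SAMPLE"; fi
```

Run it with `--print` to see the generated commands. Custom rules, the .d/services drop-ins and anything beyond plain port lists are exactly what this does not cover, which matches Ludwig's expectation that only part of an SFW2 configuration can be converted mechanically; the rich rules keep the log prefix per port so the resulting kernel log lines can be filtered the way SFW2's prefixed entries were.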
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org