[opensuse-factory] firewalld as alternative for SuSEfirewall2?
Hi,
Request for discussion: Should we offer firewalld as alternative/complement for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their IP connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from Fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 25.11.2014 13:21, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative/complement for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their IP connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from Fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
I've just checked some firewalld documentation and it seems to be very similar to what SuSEfirewall2 can do. It even looks like "inspired by SuSEfirewall2" ;) The current Yast can't work with firewalld and most probably will not support it in the short term, but adjusting Yast to understand both would be possible. The question is: is that actually needed? Is there a UI tool for configuring firewalld? Is there any other use-case than multiple wifi setups (compared to SuSEfirewall2)? Thanks Lukas -- Lukas Ocilka, Systems Management (Yast) Team Leader Cloud & Systems Management Department, SUSE Linux
On 11/25/2014 07:42 AM, Lukas Ocilka wrote:
I've just checked some firewalld documentation and it seems to be very similar to what SuSEfirewall2 can do. It even looks like "inspired by SuSEfirewall2" ;)
One thing that's needed is proper support for IPv6. It's becoming more common these days. I've been running it on my home network for about 4.5 years. I had to manually edit the SuSEfirewall2 file to make some IPv6 changes.
On 25.11.2014 13:53, James Knott wrote:
On 11/25/2014 07:42 AM, Lukas Ocilka wrote:
I've just checked some firewalld documentation and it seems to be very similar to what SuSEfirewall2 can do. It even looks like "inspired by SuSEfirewall2" ;)
One thing that's needed is proper support for IPv6. It's becoming more common these days. I've been running it on my home network for about 4.5 years. I had to manually edit the SuSEfirewall2 file to make some IPv6 changes.
Sure, IPv6 should definitely be supported. What exactly did you have to do manually? Have you reported any bugs for that? If the Yast UI doesn't support IPv6, it needs to be fixed. Thx Lukas -- Lukas Ocilka, Systems Management (Yast) Team Leader Cloud & Systems Management Department, SUSE Linux
On 11/25/2014 07:59 AM, Lukas Ocilka wrote:
Sure, IPv6 should definitely be supported.
What exactly did you have to do manually? Have you reported any bugs for that? If the Yast UI doesn't support IPv6, it needs to be fixed.
I had to set up a forwarding rule for IPv6 to allow routing to/from the Internet. Also, SuSEfirewall2 does not recognize the tunnel I use to get IPv6. On my firewall, that tunnel is called "sit1". This is the first line from ifconfig for that tunnel:
sit1 Link encap:IPv6-in-IPv4
However, that tunnel does not appear in the Yast SuSEfirewall2 configuration. Also, I have worked with fwbuilder in the past. With it, you could set up rules that applied to IPv4, IPv6 or both. There is nothing like that in SuSEfirewall2. On commercial grade routers from Cisco, you'd have separate access lists for IPv4 and IPv6 that allow independent rules for each.
Am Dienstag 25 November 2014, 13:21:43 schrieb Mathias Homann:
Hi,
Request for discussion: Should we offer firewalld as alternative/complement for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their IP connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from Fedora for openSUSE, and test it with 13.2.
https://build.opensuse.org/project/show/home:lemmy04:firewalld XD
I am using firewalld + NetworkManager on 13.2 on my laptop and it works just fine, and from an end-user POV much better than SuSEfirewall2. On OBS I still have one rpmlint warning that I can't get rid of, and adding a filter didn't work... any ideas?
cheers MH
On Fri, Nov 28, 2014 at 12:19:59PM +0100, Mathias Homann wrote:
Am Dienstag 25 November 2014, 13:21:43 schrieb Mathias Homann:
Hi,
Request for discussion: Should we offer firewalld as alternative/complement for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their IP connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from Fedora for openSUSE, and test it with 13.2.
https://build.opensuse.org/project/show/home:lemmy04:firewalld XD
I am using firewalld + NetworkManager on 13.2 on my laptop and it works just fine, and from an end-user POV much better than SuSEfirewall2. On OBS I still have one rpmlint warning that I can't get rid of, and adding a filter didn't work... any ideas?
Was the message not clear?
[ 135s] firewalld.noarch: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/FirewallD.conf
[ 135s] The package installs a DBUS system service file. If the package is intended
[ 135s] for inclusion in any SUSE product please open a bug report to request review
[ 135s] of the service by the security team.
I opened https://bugzilla.suse.com/show_bug.cgi?id=907625 for you and for our auditing.
It would be nice if you could research if SUSEfirewall2 functionality can be integrated if not there yet, or document a migration.
Ciao, Marcus
Hi, the message was clear, I guess I wasn't... what I meant was "There are rpmlint errors right now that I can't filter away to test the built packages". Anyway, "integrating SuSEfirewall2", what do you mean by that? firewalld already does everything SFW2 can do, and more... Cheers, MH On 11/28/2014 01:05 PM, Marcus Meissner wrote:
On Fri, Nov 28, 2014 at 12:19:59PM +0100, Mathias Homann wrote:
Am Dienstag 25 November 2014, 13:21:43 schrieb Mathias Homann:
Hi,
Request for discussion: Should we offer firewalld as alternative/complement for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their IP connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from Fedora for openSUSE, and test it with 13.2.
https://build.opensuse.org/project/show/home:lemmy04:firewalld XD
I am using firewalld + NetworkManager on 13.2 on my laptop and it works just fine, and from an end-user POV much better than SuSEfirewall2. On OBS I still have one rpmlint warning that I can't get rid of, and adding a filter didn't work... any ideas?
Was the message not clear?
[ 135s] firewalld.noarch: E: suse-dbus-unauthorized-service (Badness: 10000) /etc/dbus-1/system.d/FirewallD.conf
[ 135s] The package installs a DBUS system service file. If the package is intended
[ 135s] for inclusion in any SUSE product please open a bug report to request review
[ 135s] of the service by the security team.
I opened https://bugzilla.suse.com/show_bug.cgi?id=907625 for you and for our auditing.
It would be nice if you could research if SUSEfirewall2 functionality can be integrated if not there yet, or document a migration.
Ciao, Marcus
On Monday 01 December 2014 14.49:16 Mathias Homann wrote:
Hi,
the message was clear, I guess I wasn't... what I meant was "There are rpmlint errors right now that I can't filter away to test the built packages".
Anyway, "integrating SuSEfirewall2", what do you mean by that? firewalld already does everything SFW2 can do, and more...
Cheers, MH
I'm guessing what Marcus is believing ... If firewalld will be a replacement for SuSEfirewall2 then a lot of migration will have to be played by users and administrators. So adding a readme, howto, preparing a wiki page with recipes and/or asking help for migration rules, scripts + asking OBS admin help to prepare a list of all packages creating SFW2 rules to warn maintainers etc. This effort besides just the packaging (which is the first important step, don't get me wrong) is preparing the future for the benefit of all. -- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch openSUSE Member & Board, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot
On 2014-12-01 18:54, Bruno Friedmann wrote:
I'm guessing what Marcus is believing ...
If firewalld will be a replacement for SuSEfirewall2 then a lot of migration will have to be played by users and administrators.
So adding a readme, howto, preparing a wiki page with recipes and/or asking help for migration rules, scripts + asking OBS admin help to prepare a list of all packages creating SFW2 rules to warn maintainers etc.
This effort beside just the packaging (which is the first important step, don't get me wrong) is preparing the future for the benefit of all.
And investigate whether both can coexist for some time. For instance, some people are not upgrading to 13.2, or going back to 13.1, because nobody seems to know how to migrate if-up scripts to wicked, or they can't make them work. And apparently, if-up is not available as an alternative. Having the old method together with the new one for a time, and a compatibility layer, like we have with systemd, is crucial. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
And investigate whether both can coexist for some time.
as well as recognize that some will choose to use yet other server-class solutions, such as shorewall, which will necessarily conflict with OS-'native' options
On Monday 01 December 2014 11.11:02 grantksupport@operamail.com wrote:
And investigate whether both can coexist for some time.
as well as recognize that some will choose to use yet other server-class solutions, such as shorewall, which will necessarily conflict with OS-'native' options
Shorewall already conflicts with SuSEfirewall2; you can't have them both, because it's stupid. And if you choose shorewall, it's because you know what you're doing with it. I don't see any changes with that. firewallD will be the default, so the trouble is not that it will replace shorewall if you choose it. -- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch openSUSE Member & Board, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot
firewallD will be the default, so the trouble is not that it will replace shorewall if you choose it.
No one's suggested running multiple firewall mgmt sys' at the same time. The issues are with firewall-relevant, network-related systemd dependencies & ordering in wicked*/network* unit files. As currently implemented -- with just SuseFirewall -- they're problematic. Simply adding firewalld to the mix without thinking those issues through first isn't recommended, and will compound existing problems.
On Monday 01 December 2014 20.07:44 Carlos E. R. wrote:
On 2014-12-01 18:54, Bruno Friedmann wrote:
I'm guessing what Marcus is believing ...
If firewalld will be a replacement for SuSEfirewall2 then a lot of migration will have to be played by users and administrators.
So adding a readme, howto, preparing a wiki page with recipes and/or asking help for migration rules, scripts + asking OBS admin help to prepare a list of all packages creating SFW2 rules to warn maintainers etc.
This effort beside just the packaging (which is the first important step, don't get me wrong) is preparing the future for the benefit of all.
And investigate whether both can coexist for some time.
Coexist: pretty sure not, it's about security. But making the packages conflicting and being able to choose which one you want, why not. But who will maintain two full sets of rules, two YaST interfaces etc... You?
For instance, some people are not upgrading to 13.2, or going back to 13.1, because nobody seems to know how to migrate if-up scripts to wicked, or they can't make them work. And apparently, if-up is not available as an alternative.
So what... just a proof that not enough people had tested the scenario during 13.2 dev time. Guess what, that is changing now: at least wicked got attention and bug reports, so fixes will come ;-)
Having the old method together with the new one for a time, and a compatibility layer, like we have with systemd, is crucial.
Don't diverge; iptables and ip6tables were there, and will stay (at least until the name change)
-- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
-- Bruno Friedmann Ioda-Net Sàrl www.ioda-net.ch openSUSE Member & Board, fsfe fellowship GPG KEY : D5C9B751C4653227 irc: tigerfoot
For now I've made the service for firewalld conflict with the SuSEfirewall2 services, so that should be fine. As far as a migration path goes, firewalld comes with a way bigger set of predefined services and zones than SuSEfirewall2, so any "migration path" would be quite straightforward, and not that much different from the initial implementation of any firewall. I'll see if I can find some time to write up a readme or such, but I don't think I have editing rights on the wiki, so someone else would have to put it there. Cheers MH On 12/01/2014 08:46 PM, Bruno Friedmann wrote:
On Monday 01 December 2014 20.07:44 Carlos E. R. wrote:
On 2014-12-01 18:54, Bruno Friedmann wrote:
I'm guessing what Marcus is believing ...
If firewalld will be a replacement for SuSEfirewall2 then a lot of migration will have to be played by users and administrators.
So adding a readme, howto, preparing a wiki page with recipes and/or asking help for migration rules, scripts + asking OBS admin help to prepare a list of all packages creating SFW2 rules to warn maintainers etc.
This effort besides just the packaging (which is the first important step, don't get me wrong) is preparing the future for the benefit of all.
And investigate whether both can coexist for some time.
Coexist: pretty sure not, it's about security. But making the packages conflicting and being able to choose which one you want, why not. But who will maintain two full sets of rules, two YaST interfaces etc... You?
For instance, some people are not upgrading to 13.2, or going back to 13.1, because nobody seems to know how to migrate if-up scripts to wicked, or they can't make them work. And apparently, if-up is not available as an alternative.
So what... just a proof that not enough people had tested the scenario during 13.2 dev time. Guess what, that is changing now: at least wicked got attention and bug reports, so fixes will come ;-)
Having the old method together with the new one for a time, and a compatibility layer, like we have with systemd, is crucial.
Don't diverge; iptables and ip6tables were there, and will stay (at least until the name change)
-- Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 02.12.2014 09:49, Mathias Homann wrote:
For now I've made the service for firewalld conflict with the SuSEfirewall2 services, so that should be fine. As far as a migration path goes, firewalld comes with a way bigger set of predefined services and zones than SuSEfirewall2, so any "migration path" would be quite straightforward, and not that much different from the initial implementation of any firewall.
I'll see if I can find some time to write up a readme or such, but I don't think I have editing rights on the wiki, so someone else would have to put it there.
grep -ril firewall /usr/share/YaST2/ | wc -l
gives 102 on my factory installation.
What's your plan with that?
Greetings, Stephan
...someone needs to write a yast module? I say "someone" as in "someone who knows how to do this" as in "not me". That being said, firewalld has a graphical configuration utility, yast2 could for a start just run that... Cheers MH On 12/02/2014 10:02 AM, Stephan Kulow wrote:
On 02.12.2014 09:49, Mathias Homann wrote:
For now I've made the service for firewalld conflict with the SuSEfirewall2 services, so that should be fine. As far as a migration path goes, firewalld comes with a way bigger set of predefined services and zones than SuSEfirewall2, so any "migration path" would be quite straightforward, and not that much different from the initial implementation of any firewall.
I'll see if I can find some time to write up a readme or such, but I don't think I have editing rights on the wiki, so someone else would have to put it there.
grep -ril firewall /usr/share/YaST2/ | wc -l gives 102 on my factory installation.
What's your plan with that?
Greetings, Stephan
On 02.12.2014 10:11, Mathias Homann wrote:
...someone needs to write a yast module?
I say "someone" as in "someone who knows how to do this" as in "not me".
That being said, firewalld has a graphical configuration utility, yast2 could for a start just run that...
During installation? Greetings, Stephan
Hi,
There's no need to fully configure the firewalld firewall during installation: Firewalld is meant to be used with NetworkManager, as in, for machines where at installation time you don't necessarily know what the network is going to be like. By default any new interface will be put into the public zone, where only ssh and dhcpv6c are allowed in, and that is enough for setups like that. Later the user will specify which zone should be used for which interface, based on which connection is active.
The initial choice of zone from within a text mode yast at setup time could be done with firewall-cmd from within a script, but the required yast module needs to be written by someone else... I don't know how to do that.
Cheers Mathias
On 12/02/2014 10:31 AM, Stephan Kulow wrote:
On 02.12.2014 10:11, Mathias Homann wrote:
...someone needs to write a yast module?
I say "someone" as in "someone who knows how to do this" as in "not me".
That being said, firewalld has a graphical configuration utility, yast2 could for a start just run that...
During installation?
Greetings, Stephan
On 02.12.2014 11:09, Mathias Homann wrote:
Hi,
There's no need to fully configure the firewalld firewall during installation: Firewalld is meant to be used with NetworkManager, as in, for machines where at installation time you don't necessarily know what the network is going to be like. By default any new interface will be put into the public zone, where only ssh and dhcpv6c are allowed in, and that is enough for setups like that. Later the user will specify which zone should be used for which interface, based on which connection is active.
The initial choice of zone from within a text mode yast at setup time could be done with firewall-cmd from within a script, but the required yast module needs to be written by someone else... I don't know how to do that.
But then let's wait with Factory integration till that someone is found. Greetings, Stephan
Am 02.12.2014 um 11:16 schrieb Stephan Kulow:
On 02.12.2014 11:09, Mathias Homann wrote:
There's no need to fully configure the firewalld firewall during installation: Firewalld is meant to be used with NetworkManager, as in, for machines where at installation time you don't necessarily know what the network is going to be like. By default any new interface will be put into the public zone, where only ssh and dhcpv6c are allowed in, and that is enough for setups like that. Later the user will specify which zone should be used for which interface, based on which connection is active.
The initial choice of zone from within a text mode yast at setup time could be done with firewall-cmd from within a script, but the required yast module needs to be written by someone else... I don't know how to do that.
But then let's wait with Factory integration till that someone is found.
Chicken and egg problem I guess :-) Having a proper firewalld package in Factory would be a good start at least. It can't be the default or even recommended until the integration with YaST and packages providing service files are solved of course. cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) Maxfeldstraße 5; 90409 Nürnberg; Germany
On Tue, 2 Dec 2014 11:30, Ludwig Nussel <ludwig.nussel@...> wrote:
Am 02.12.2014 um 11:16 schrieb Stephan Kulow:
On 02.12.2014 11:09, Mathias Homann wrote:
There's no need to fully configure the firewalld firewall during installation: Firewalld is meant to be used with NetworkManager, as in, for machines where at installation time you don't necessarily know what the network is going to be like. By default any new interface will be put into the public zone, where only ssh and dhcpv6c are allowed in, and that is enough for setups like that. Later the user will specify which zone should be used for which interface, based on which connection is active.
The initial choice of zone from within a text mode yast at setup time could be done with firewall-cmd from within a script, but the required yast module needs to be written by someone else... I don't know how to do that.
But then let's wait with Factory integration till that someone is found.
Chicken and egg problem I guess :-) Having a proper firewalld package in Factory would be a good start at least. It can't be the default or even recommended until the integration with YaST and packages providing service files are solved of course.
Proposal for an interim solution:
Facts:
- We need a tool that can read and convert SuSEfirewall2 rules, both /etc/sysconfig/SuSEfirewall2 and /etc/sysconfig/SuSEfirewall2.d/*
Proposal:
- Why not set a point on top of that: Store the timestamp/checksum of the original config files as comments into the converted config files, so that for the next run only the changed files are touched.
- On 'PreStart' of firewalld run the convert-tool, to make sure we have the actual ruleset.
That way YaST2 does not need to know anything about firewalld atm.
Sure, best case would be a generic firewall module for YaST2, with backends for the installed firewall software (SuSEfirewall2, firewalld, shorewall, etc.)
For Yast modules, well, I can't stand ruby as a language at all. It's a nightmare and bogeyman for me. Indentations! (Shudders)
- Yamaban.
Am 02.12.2014 um 09:49 schrieb Mathias Homann:
For now I've made the service for firewalld conflict with the SuSEfirewall2 services, so that should be fine. As far as a migration path goes, firewalld comes with a way bigger set of predefined services and zones than SuSEfirewall2, so any "migration path" would be quite straightforward, and not that much different from the initial implementation of any firewall.
The question is how painful the migration path is. SuSEfirewall2 has existed for a long time, so there are many people with grown configurations. So the premium migration path would be if /etc/sysconfig/SuSEfirewall2 could be converted automatically, at least to some degree. I guess there is no chance for custom rules though. Also, packages that drop stuff in /etc/sysconfig/SuSEfirewall2.d/services need to be adjusted to do the equivalent for firewalld.
I'll see if I can find some time to write up a readme or such, but I don't think I have editing rights on the wiki, so someone else would have to put it there.
It's a wiki, you just need to log in with your openSUSE account to be able to edit pages :-) cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) Maxfeldstraße 5; 90409 Nürnberg; Germany
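The converter that Yamaban proposes and Ludwig asks for above, as an added example that is not code from this thread, SuSEfirewall2, firewalld or YaST: it parses the /etc/sysconfig/SuSEfirewall2 variables and the TCP/UDP entries of a SuSEfirewall2.d/services file, emits the equivalent firewall-cmd calls, and reports everything it cannot translate (custom rules in particular) instead of dropping it. The EXT/INT/DMZ to public/internal/dmz zone mapping, the MANUAL list, the constructed sample configuration and the use of --set-log-denied (which assumes a firewalld release that has that option) are this example's own assumptions.

```python
"""Convert SuSEfirewall2 sysconfig settings into firewall-cmd invocations.
Added example; not code from SuSEfirewall2, firewalld or YaST. The zone
mapping, the MANUAL list and the sample config below are assumptions."""
import re
import shlex

# SuSEfirewall2 zone suffix -> firewalld zone (this example's mapping)
ZONE_MAP = {"EXT": "public", "INT": "internal", "DMZ": "dmz"}

# Settings with no mechanical equivalent. Reported, never dropped silently:
# a converter that loses rules quietly leaves holes nobody knows about.
MANUAL = ("FW_CUSTOMRULES", "FW_SERVICES_ACCEPT_EXT", "FW_FORWARD",
          "FW_FORWARD_MASQ", "FW_LOG_DROP_CRIT")

_ASSIGN = re.compile(r"^([A-Z0-9_]+)=(.*)$")
_PORTSPEC = re.compile(r"^\d+(:\d+)?$")  # single port or iptables 'lo:hi'


def parse_sysconfig(text):
    """Parse shell-style KEY="value" lines into a dict, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line.strip())
        if not m:
            continue  # blank, '## Type:' comment, or not an assignment
        key, raw = m.groups()
        # shlex handles the quotes and a trailing '# comment' like a shell
        cfg[key] = " ".join(shlex.split(raw, comments=True))
    return cfg


def _add_entry(add, zone, spec, proto):
    """Emit one port or service rule for an SFW2 service-list entry."""
    if _PORTSPEC.match(spec):
        # SFW2 writes ranges as 5900:5910, firewalld expects 5900-5910
        add(f"--zone={zone}", f"--add-port={spec.replace(':', '-')}/{proto}")
    else:
        # A name from /etc/services; firewalld only accepts it if a service
        # definition of the same name exists (true for ssh, not for all).
        add(f"--zone={zone}", f"--add-service={spec}")


def convert(cfg, service_files=None):
    """Return (firewall-cmd argument tuples, notes that need a human).
    service_files maps a name listed in FW_CONFIGURATIONS_* to the parsed
    TCP/UDP variables of its /etc/sysconfig/SuSEfirewall2.d/services file."""
    service_files = service_files or {}
    cmds, notes = [], []

    def add(*args):
        cmds.append(("firewall-cmd", "--permanent") + args)

    for suffix, zone in ZONE_MAP.items():
        for dev in cfg.get(f"FW_DEV_{suffix}", "").split():
            add(f"--zone={zone}", f"--change-interface={dev}")
        for proto in ("tcp", "udp"):
            for spec in cfg.get(f"FW_SERVICES_{suffix}_{proto.upper()}", "").split():
                _add_entry(add, zone, spec, proto)
        for name in cfg.get(f"FW_CONFIGURATIONS_{suffix}", "").split():
            svc = service_files.get(name)
            if svc is None:
                notes.append(f"{name}: service file not found, nothing opened")
                continue
            for proto in ("tcp", "udp"):
                for spec in svc.get(proto.upper(), "").split():
                    _add_entry(add, zone, spec, proto)

    if cfg.get("FW_MASQUERADE") == "yes":
        add("--zone=public", "--add-masquerade")  # EXT is the public side
    if cfg.get("FW_LOG_DROP_ALL") == "yes":
        # Closest match to SFW2's DROP logging; assumes a firewalld release
        # that has --set-log-denied (a global setting, not a per-zone one)
        cmds.append(("firewall-cmd", "--set-log-denied=all"))
    for key in MANUAL:
        if cfg.get(key):
            notes.append(f"{key}={cfg[key]!r}: needs manual translation")
    return cmds, notes


# Constructed sample, not taken from any real system
SAMPLE_CONFIG = '''
## Type: string
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_TCP="ssh 443 5900:5910"   # vnc range
FW_SERVICES_EXT_UDP=""
FW_CONFIGURATIONS_EXT="apache2"
FW_MASQUERADE="yes"
FW_LOG_DROP_ALL="yes"
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
'''

# Constructed stand-in for /etc/sysconfig/SuSEfirewall2.d/services/apache2
SAMPLE_SERVICE_FILES = {"apache2": parse_sysconfig('## Name: Apache 2\nTCP="80"\nUDP=""\n')}


def render(text=SAMPLE_CONFIG, service_files=SAMPLE_SERVICE_FILES):
    """Shell lines for a human to review before anything is applied."""
    cmds, notes = convert(parse_sysconfig(text), service_files)
    lines = [" ".join(c) for c in cmds]
    lines += [f"# REVIEW: {n}" for n in notes]
    lines.append("firewall-cmd --reload")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
```

The output is meant to be read, not piped into a shell blindly: the REVIEW lines are exactly the custom rules and forwarding settings Ludwig expects cannot be converted automatically.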
On 12/02/2014 11:20 AM, Ludwig Nussel wrote:
Am 02.12.2014 um 09:49 schrieb Mathias Homann:
For now I've made the service for firewalld conflict with the SuSEfirewall2 services, so that should be fine. As far as a migration path goes, firewalld comes with a way bigger set of predefined services and zones than SuSEfirewall2, so any "migration path" would be quite straightforward, and not that much different from the initial implementation of any firewall.
The question is how painful the migration path is. SuSEfirewall2 has existed for a long time, so there are many people with grown configurations. So the premium migration path would be if /etc/sysconfig/SuSEfirewall2 could be converted automatically, at least to some degree. I guess there is no chance for custom rules though. Also, packages that drop stuff in /etc/sysconfig/SuSEfirewall2.d/services need to be adjusted to do the equivalent for firewalld.
Actually... I see two different target audiences here, firewalld in my POV is for end-user PCs, specifically laptops with multiple connections, and SuSEfirewall2 is for server setups, with a maximum of 3 zones... so there's not all that much overlap. Anyway I'll see if I can find time to do at least a rough draft of a wiki page at some point between travelling and work... Guess it's a good thing that I'm teaching this stuff :) cheers MH
I'll see if I can find some time to write up a readme or such, but I don't think I have editing rights on the wiki, so someone else would have to put it there.
It's a wiki, you just need to log in with your openSUSE account to be able to edit pages :-)
cu Ludwig
On Tue, Dec 2, 2014 at 6:22 AM, Mathias Homann <Mathias.Homann@opensuse.org> wrote:
On 12/02/2014 11:20 AM, Ludwig Nussel wrote:
Am 02.12.2014 um 09:49 schrieb Mathias Homann:
For now I've made the service for firewalld conflict with the SuSEfirewall2 services, so that should be fine. As far as a migration path goes, firewalld comes with a way bigger set of predefined services and zones than SuSEfirewall2, so any "migration path" would be quite straightforward, and not that much different from the initial implementation of any firewall.
The question is how painful the migration path is. SuSEfirewall2 has existed for a long time, so there are many people with grown configurations. So the premium migration path would be if /etc/sysconfig/SuSEfirewall2 could be converted automatically, at least to some degree. I guess there is no chance for custom rules though. Also, packages that drop stuff in /etc/sysconfig/SuSEfirewall2.d/services need to be adjusted to do the equivalent for firewalld.
Actually... I see two different target audiences here, firewalld in my POV is for end-user PCs, specifically laptops with multiple connections, and SuSEfirewall2 is for server setups, with a maximum of 3 zones... so there's not all that much overlap. Anyway I'll see if I can find time to do at least a rough draft of a wiki page at some point between travelling and work... Guess it's a good thing that I'm teaching this stuff :)
SFW2 and firewalld are tools for managing and defining firewall rules. firewalld is no more tailored to end-user systems than SFW2 is designed for servers; both tools are used to manage firewall rules. The biggest difference from what I see is that firewalld dynamically adds rules w/o clearing the existing state, which is certainly a nice feature. Having no experience w/it, other than reading docs, I spun up a centos7 system and have done a quick comparison of a simple rule, sshd, between it and my opensuse 13.1 system. First impressions, firewall-cmd is much faster than 'yast firewall services' at adding/removing services. Not too surprising given one's written in python and the other is a bash script. The biggest issue I see is that there are no LOG rules by default. One of the things I really like about SFW2 is it logs all DENY and ACCEPT packets destined for the system, rate limited of course. IMO this is invaluable when troubleshooting inbound connectivity issues or to simply see if anyone is probing your system. I'll need to play more, but it's going to require a lot of work to port/migrate from SFW2 to firewalld, especially given how entrenched SFW2 is.
cheers MH
I'll see if I can find some time to write up a readme or such, but I don't think I have editing rights on the wiki, so someone else would have to put it there.
It's a wiki, you just need to log in with your openSUSE account to be able to edit pages :-)
cu Ludwig
Hi, exactly the way I see it, actually. On a server with a permanent internet connection, SFW2 is just right, especially with all the logging options and rate limiting, but for a client computer firewalld is quite nice, seeing how an end user would not really want to read firewall logs (or even be able to), but the end user would perhaps want the flexibility of a networkmanager/firewalld combination. ... I know I do, on my laptop. Cheers MH On 12/02/2014 03:17 PM, Darin Perusich wrote:
On Tue, Dec 2, 2014 at 6:22 AM, Mathias Homann <Mathias.Homann@opensuse.org> wrote:
On 12/02/2014 11:20 AM, Ludwig Nussel wrote:
On 02.12.2014 at 09:49 Mathias Homann wrote:
For now I've made the service for firewalld conflict with the SuSEfirewall2 services, so that should be fine. As far as a migration path goes, firewalld comes with a way bigger set of predefined services and zones than SuSEfirewall2 so any "migration path" would be quite straightforward, and not that much different from the initial implementation of any firewall.

The question is how painful the migration path is. SuSEfirewall2 has existed for a long time so there are many people with grown configurations. So the premium migration path would be if /etc/sysconfig/SuSEfirewall2 could be converted automatically, at least to some degree. I guess there is no chance for custom rules though. Also, packages that drop stuff in /etc/sysconfig/SuSEfirewall2.d/services need to be adjusted to do the equivalent for firewalld.

Actually... I see two different target audiences here: firewalld in my POV is for end user pcs, specifically laptops with multiple connections, and SuSEfirewall2 is for server setups, with a maximum of 3 zones... so there's not all that much overlap. Anyway I'll see if I can find time to do at least a rough draft of a wiki page at some point between travelling and work... Guess it's a good thing that I'm teaching this stuff :)

SFW2 and firewalld are tools for managing and defining firewall rules. firewalld is no more tailored to end user systems than SFW2 is designed for servers; both tools are used to manage firewall rules. The biggest difference from what I see is that firewalld dynamically adds rules w/o clearing the existing state, which is certainly a nice feature.

Having no experience w/ it, other than reading docs, I spun up a centos7 system and have done a quick comparison of a simple rule, sshd, between it and my opensuse 13.1 system. First impressions: firewall-cmd is much faster than 'yast firewall services' at adding/removing services. Not too surprising given one's written in python and the other is a bash script.

Biggest issue I see is there are no LOG rules by default. One of the things I really like about SFW2 is it logs all DENY and ACCEPT, rate limited of course, packets destined for the system. IMO this is invaluable when troubleshooting inbound connectivity issues or to simply see if anyone is probing your system.

I'll need to play more, but it's going to require a lot of work to port/migrate from SFW2 to firewalld, especially given how entrenched SFW2 is.
cheers MH
I'll see if I can find some time to write up a readme or such, but I don't think I have editing rights on the wiki, so someone else would have to put it there.

It's a wiki, you just need to log in with your opensuse account to be able to edit pages :-)
cu Ludwig
On 2014-12-02 15:49, Mathias Homann wrote:
client computer firewalld is quite nice, seeing how an end user would not really want to read firewall logs (or even be able to),
I certainly want my logs on my laptop.

Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Then you'd stick with SFW2, of course. I think I haven't made myself clear here: I am not promoting firewalld as a *replacement* for SFW2, all I'm saying is that there are use cases for a firewall where firewalld might be more suited than SFW2, so we might want to offer it as an alternative. Cheers MH On 12/02/2014 04:09 PM, Carlos E. R. wrote:
On 2014-12-02 15:49, Mathias Homann wrote:
client computer firewalld is quite nice, seeing how an end user would not really want to read firewall logs (or even be able to),
I certainly want my logs on my laptop.
On 2014-12-03 08:52, Mathias Homann wrote:
On 12/02/2014 04:09 PM, Carlos E. R. wrote:
I certainly want my logs on my laptop.
Then you'd stick with SFW2, of course.
No, the point is that firewalld must generate logs.

For instance, if I connect my lappy on a different (home) network that I don't control, I want to see who/what is trying to connect to my laptop. Or I may want something to connect to me, so I want to see the logs for diagnosing why it does not work.

The logs are generated by the kernel, after all, not by the firewall. The firewall just inserts the needed iptables(?) rules that will later create the log entries.

There are tools and scripts that watch those logs. So not only are the logs needed, but a change in what they print, the format, also breaks the tools. So either firewalld generates compatible logs, or all the scripts and tools, from the distributions or from the users, have to adapt.

The impact is large.
I think I haven't made myself clear here:
I am not promoting firewalld as a *replacement* for SFW2, all I'm saying is that there are use cases for a firewall where firewalld might be more suited than SFW2, so we might want to offer it as an alternative.
Well, some people here strongly oppose having two methods and having to maintain both.

Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
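The log format question Carlos raises above (and Darin's earlier point that SFW2 logs DENY and ACCEPT packets, rate limited) is easiest to see with a small consumer of those kernel lines. What follows is an added example, not code from this thread or from either firewall project: a Python parser for netfilter LOG lines carrying a SuSEfirewall2-style "SFW2-..." prefix, run over a few constructed sample lines, that summarises dropped connection attempts per source and destination port the way a "who is probing my laptop" script would. The sample log lines, host name, addresses and the exact prefix spellings are constructed for the example; the prefix regex is exactly the part that a different firewall's log format would break.

```python
"""Summarise netfilter LOG lines that carry a SuSEfirewall2-style prefix.

Added example for this discussion. The kernel writes these lines when an
iptables LOG rule with --log-prefix matches, so any tool reading them is
coupled to the prefix and to the key=value layout. The sample lines below
are constructed; the prefixes imitate SuSEfirewall2's
"SFW2-<chain>-<verdict>-<reason>" naming but were not copied from a real host.
"""
import re
from collections import Counter

# Constructed sample syslog excerpt (not real log data). Four netfilter LOG
# lines and one unrelated line that the parser must ignore.
SAMPLE_LOG = """\
Dec  2 15:49:01 laptop kernel: [12345.678901] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=aa:bb:cc:dd:ee:01:aa:bb:cc:dd:ee:02:08:00 SRC=192.0.2.10 DST=192.0.2.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45678 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  2 15:49:02 laptop kernel: [12346.000001] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=aa:bb:cc:dd:ee:01:aa:bb:cc:dd:ee:02:08:00 SRC=192.0.2.10 DST=192.0.2.23 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45679 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  2 15:49:05 laptop kernel: [12349.123456] SFW2-INext-ACC-TCP IN=wlan0 OUT= MAC=aa:bb:cc:dd:ee:01:aa:bb:cc:dd:ee:03:08:00 SRC=192.0.2.55 DST=192.0.2.23 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Dec  2 15:49:07 laptop kernel: [12351.555555] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=aa:bb:cc:dd:ee:01:aa:bb:cc:dd:ee:02:08:00 SRC=192.0.2.10 DST=192.0.2.23 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=161 LEN=8
Dec  2 15:49:09 laptop systemd[1]: Started Session 3 of user mh.
"""

# A LOG line: syslog header, "kernel:", optional "[uptime]" printk stamp, the
# --log-prefix text, then space-separated key=value fields.  The prefix
# pattern is the compatibility contract: change the prefix and this breaks.
LOG_RE = re.compile(
    r"kernel: (?:\[\s*\d+\.\d+\] )?"
    r"(?P<prefix>SFW2-[A-Za-z0-9]+-(?P<verdict>ACC|DROP|REJECT|ILL)-[A-Za-z0-9]+) "
    r"(?P<fields>.*)$"
)
# Bare flags such as DF or SYN carry no "=" and are simply skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for a netfilter LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    return {
        "prefix": m.group("prefix"),
        "verdict": m.group("verdict"),
        "iface": fields.get("IN", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarize(log_text):
    """Count accepted/dropped packets and list probed ports per source."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    dropped = [e for e in events if e["verdict"] in ("DROP", "REJECT")]
    ports_by_src = {}
    for e in dropped:
        ports_by_src.setdefault(e["src"], set()).add((e["proto"], e["dport"]))
    return {
        "total": len(events),
        "accepted": sum(1 for e in events if e["verdict"] == "ACC"),
        "dropped": len(dropped),
        "top_sources": Counter(e["src"] for e in dropped).most_common(3),
        "ports_by_src": {src: sorted(ports) for src, ports in ports_by_src.items()},
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("packets logged: %(total)d  accepted: %(accepted)d  dropped: %(dropped)d" % report)
    for src, count in report["top_sources"]:
        print("  %s dropped %d times, ports %s" % (src, count, report["ports_by_src"][src]))
```

The `SFW2-` prefix pattern is what the log-watching tools Carlos mentions are coupled to. A firewalld setup that wants to keep such tooling working therefore needs LOG rules that emit a matching prefix (firewalld's rich rules can log with a chosen prefix and limit), or the tooling has to be adapted to whatever prefix is used instead.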
On 12/03/2014 08:30 AM, Carlos E. R. wrote:
On 2014-12-03 08:52, Mathias Homann wrote:
On 12/02/2014 04:09 PM, Carlos E. R. wrote:
I certainly want my logs on my laptop.
Then you'd stick with SFW2, of course.
No, the point is that firewalld must generate logs.
For instance, if I connect my lappy on a different (home) network that I don't control, I want to see who/what is trying to connect to my laptop. Or I may want something to connect to me, so I want to see the logs for diagnosing why it does not work.
The logs are generated by the kernel, after all, not by the firewall. The firewall just inserts the needed iptables(?) rules that will later create the log entries.
There are tools and scripts that watch those logs. So not only are the logs needed, but a change in what they print, the format, also breaks the tools. So either firewalld generates compatible logs, or all the scripts and tools, from the distributions or from the users, have to adapt.
The impact is large.
I think I haven't made myself clear here:
I am not promoting firewalld as a *replacement* for SFW2, all I'm saying is that there are use cases for a firewall where firewalld might be more suited than SFW2, so we might want to offer it as an alternative.
Well, some people here oppose strongly to having two methods and having to maintain both.
- -- Cheers / Saludos,
Carlos E. R.
As discussed earlier in this thread, I like the idea of importing with ruby - the "best of" from firewalld into a newer module version of the Yast Firewall.

Cheers! Roman ----------------------------------- openSUSE Open Minds Open Sources Open Future ----------------------------------- http://linuxcounter.net/ #179293
On 2014-12-03 23:14, Roman Bysh wrote:
On 12/03/2014 08:30 AM, Carlos E. R. wrote:
As discussed earlier in this thread, I like the idea of importing with ruby - the "best of" from firewalld into a newer module version of the Yast Firewall.
That would be very nice.

Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 12/04/2014 02:54 AM, Carlos E. R. wrote:
On 2014-12-03 23:14, Roman Bysh wrote:
On 12/03/2014 08:30 AM, Carlos E. R. wrote:
As discussed earlier in this thread, I like the idea of importing with ruby - the "best of" from firewalld into a newer module version of the Yast Firewall.
That would be very nice.
...but not what my original idea was. Of course SFW2 can be re-written / improved, but my original proposal was to include firewalld as it is, as an alternative to SFW2, for very specific use cases where a root-managed firewall that is statically configured from within yast is "just not quite right". At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used... Cheers MH
On Thursday 04 December 2014 08:51:06 Mathias Homann wrote:
Of course SFW2 can be re-written / improved, but my original proposal was to include firewalld as it is, as an alternative to SFW2, for very specific use cases where a root-managed firewall that is statically configured from within yast is "just not quite right".

I have been following this discussion thread and I must say that I have been surprised by some of the reactions.
Given that Firewalld is very well integrated with NetworkManager, I believe that it definitely deserves a place in the openSUSE distribution. Seeing that we already have a couple of alternatives (e.g. Shorewall, ufw) in the distribution files itself, I do not see any reason why not to accept this package as well. Especially since it is the first one that is integrated with NetworkManager and all its applets. As the author has been indicating, this was his initial plan and somehow it turned out to be a discussion whether or not to replace SFW2.
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used...
I have installed the packages from the indicated repository and I have started to use it. So far, so good. NetworkManager recognizes firewalld and allows me now to define the firewall zone per defined connection. Regards Raymond
On 12/04/2014 11:30 AM, Raymond Wooninck wrote:
On Thursday 04 December 2014 08:51:06 Mathias Homann wrote:
Of course SFW2 can be re-written / improved, but my original proposal was to include firewalld as it is, as an alternative to SFW2, for very specific use cases where a root-managed firewall that is statically configured from within yast is "just not quite right".

I have been following this discussion thread and I must say that I have been surprised by some of the reactions.
Given that Firewalld is very well integrated with NetworkManager, I believe that it definitely deserves a place in the openSUSE distribution. Seeing that we already have a couple of alternatives (e.g. Shorewall, ufw) in the distribution files itself, I do not see any reason why not to accept this package as well. Especially since it is the first one that is integrated with NetworkManager and all its applets.
As the author has been indicating, this was his initial plan and somehow it turned out to be a discussion whether or not to replace SFW2.
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used... I have installed the packages from the indicated repository and I have started to use it. So far, so good. NetworkManager recognizes firewalld and allows me now to define the firewall zone per defined connection.
...which is exactly why I started this. I'll be investigating how to write a rudimentary yast module (which will only tell the user "The firewall on this system is managed by firewalld", and give them a button to launch firewall-config), but I strongly believe that firewalld and the idea of configuring it from inside a central tool that is used only by root really don't go together... cheers, MH
On Thursday 04 December 2014 12:11:10 Mathias Homann wrote:
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used...
As indicated I am running firewalld (as you packaged it), but every change seems to require the root password. I would have expected that the firewall daemon would do its work in the background and that only configuration changes would require the root password. But as soon as a connection becomes active or inactive, I am being asked for the root password as the daemon needs to change the firewall zone. I doubt whether it was really designed like this or whether it is due to your patch to the permissions.
Regards Raymond
Hi, the latest version of the package installs a policykit ruleset that requires no password for reading firewall settings, and the user password for changes, and the credentials are saved for some time. Cheers MH On Friday 05 December 2014, 08:46:43 Raymond Wooninck wrote:
On Thursday 04 December 2014 12:11:10 Mathias Homann wrote:
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used...
As indicated I am running firewalld (as you packaged it), but every change seems to require the root password. I would have expected that the firewall daemon would do its work in the background and that only configuration changes would require the root password. But as soon as a connection becomes active or inactive, I am being asked for the root password as the daemon needs to change the firewall zone. I doubt whether it was really designed like this or whether it is due to your patch to the permissions.
Regards
Raymond
-- gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
On 12/05/2014 04:05 AM, Mathias Homann wrote:
Hi,
the latest version of the package installs a policykit ruleset that requires no password for reading firewall settings, and the user password for changes, and the credentials are saved for some time.
Cheers MH
On Friday 05 December 2014, 08:46:43 Raymond Wooninck wrote:
On Thursday 04 December 2014 12:11:10 Mathias Homann wrote:
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used...
As indicated I am running firewalld (as you packaged it), but every change seems to require the root password. I would have expected that the firewall daemon would do its work in the background and that only configuration changes would require the root password. But as soon as a connection becomes active or inactive, I am being asked for the root password as the daemon needs to change the firewall zone. I doubt whether it was really designed like this or whether it is due to your patch to the permissions.
Regards
Raymond
Which repository are you downloading and installing firewalld from?

I deleted the Yast Firewall and then installed firewalld from this repo: http://download.opensuse.org/repositories/home:/lemmy04:/firewalld/openSUSE_...

I was unable to launch the /usr/bin/firewall-config. Kept getting an error on line 15.

-- Cheers! Roman
On Friday, 5 December 2014, 18:57:59 Roman Bysh wrote:
On 12/05/2014 04:05 AM, Mathias Homann wrote:
Hi,
the latest version of the package installs a policykit ruleset that requires no password for reading firewall settings, and the user password for changes, and the credentials are saved for some time.
Cheers MH
On Friday 05 December 2014, 08:46:43 Raymond Wooninck wrote:
On Thursday 04 December 2014 12:11:10 Mathias Homann wrote:
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used...
As indicated I am running firewalld (as you packaged it), but every change seems to require the root password. I would have expected that the firewall daemon would do its work in the background and that only configuration changes would require the root password. But as soon as a connection becomes active or inactive, I am being asked for the root password as the daemon needs to change the firewall zone. I doubt whether it was really designed like this or whether it is due to your patch to the permissions.
Regards
Raymond
Which repository are you downloading and installing firewalld from?
I deleted the Yast Firewall and then installed firewalld from this repo: http://download.opensuse.org/repositories/home:/lemmy04:/firewalld/openSUSE_13.2
I was unable to launch the /usr/bin/firewall-config
Kept getting an error on line 15.
Maybe you need the package typelib-1_0-NetworkManager-1_0. Herbert -- “Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.” Albert Einstein
On Saturday, 6 December 2014, 10:58:46 Herbert Graeber wrote:
On Friday, 5 December 2014, 18:57:59 Roman Bysh wrote:
On 12/05/2014 04:05 AM, Mathias Homann wrote:
Hi,
the latest version of the package installs a policykit ruleset that requires no password for reading firewall settings, and the user password for changes, and the credentials are saved for some time.
Cheers MH
On Friday 05 December 2014, 08:46:43 Raymond Wooninck wrote:
On Thursday 04 December 2014 12:11:10 Mathias Homann wrote:
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used...
As indicated I am running firewalld (as you packaged it), but every change seems to require the root password. I would have expected that the firewall daemon would do its work in the background and that only configuration changes would require the root password. But as soon as a connection becomes active or inactive, I am being asked for the root password as the daemon needs to change the firewall zone. I doubt whether it was really designed like this or whether it is due to your patch to the permissions.
Regards
Raymond
Which repository are you downloading and installing firewalld from?
I deleted the Yast Firewall and then installed firewalld from this repo: http://download.opensuse.org/repositories/home:/lemmy04:/firewalld/openSUSE_13.2
I was unable to launch the /usr/bin/firewall-config
Kept getting an error on line 15.
Maybe you need the package typelib-1_0-NetworkManager-1_0.
Pass me the actual error message, and I'll see that I add the dependency to the package. Cheers MH
On 12/06/2014 06:06 AM, Mathias Homann wrote:
On Saturday, 6 December 2014, 10:58:46 Herbert Graeber wrote:
On Friday, 5 December 2014, 18:57:59 Roman Bysh wrote:
On 12/05/2014 04:05 AM, Mathias Homann wrote:
Hi,
the latest version of the package installs a policykit ruleset that requires no password for reading firewall settings, and the user password for changes, and the credentials are saved for some time.
Cheers MH
On Friday 05 December 2014, 08:46:43 Raymond Wooninck wrote:
On Thursday 04 December 2014 12:11:10 Mathias Homann wrote:
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used...
As indicated I am running firewalld (as you packaged it), but every change seems to require the root password. I would have expected that the firewall daemon would do its work in the background and that only configuration changes would require the root password. But as soon as a connection becomes active or inactive, I am being asked for the root password as the daemon needs to change the firewall zone. I doubt whether it was really designed like this or whether it is due to your patch to the permissions.
Regards
Raymond
Which repository are you downloading and installing firewalld from?
I deleted the Yast Firewall and then installed firewalld from this repo: http://download.opensuse.org/repositories/home:/lemmy04:/firewalld/openSUSE_13.2
I was unable to launch the /usr/bin/firewall-config
Kept getting an error on line 15.
Maybe you need the package typelib-1_0-NetworkManager-1_0.
Pass me the actual error message, and I'll see that I add the dependency to the package.
Cheers MH
Follow-up correction: error on line 34 ;-) Here's the message:

<--- snip ----------------------------------------------------------------------
/usr/bin/firewall-config
Traceback (most recent call last):
  File "/usr/bin/firewall-config", line 34, in <module>
    from gi.repository import NetworkManager
ImportError: cannot import name NetworkManager
<--- snip ----------------------------------------------------------------------

Line 34 is: from gi.repository import NetworkManager

Cheers! Roman
On Sat, 2014-12-06 at 12:06 +0100, Mathias Homann wrote:
Maybe you need the package typelib-1_0-NetworkManager-1_0.
Pass me the actual error message, and I'll see that I add the dependency to the package.
Usually, you should not ever have to add typelib-1_0-* Requires to the package; but you might want to add gobject-introspection as a BuildRequires; then you get the code parser finding the dependencies and adding them for you. Dominique -- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>
On 12/06/2014 04:58 AM, Herbert Graeber wrote:
On Friday, 5 December 2014, 18:57:59 Roman Bysh wrote:
On 12/05/2014 04:05 AM, Mathias Homann wrote:
Hi,
the latest version of the package installs a policykit ruleset that requires no password for reading firewall settings, and the user password for changes, and the credentials are saved for some time.
Cheers MH
On Friday 05 December 2014, 08:46:43 Raymond Wooninck wrote:
On Thursday 04 December 2014 12:11:10 Mathias Homann wrote:
At this point I would ask you guys to actually look at firewalld and try it and see how it works and how it is configured/used...
As indicated I am running firewalld (as you packaged it), but every change seems to require the root password. I would have expected that the firewall daemon would do its work in the background and that only configuration changes would require the root password. But as soon as a connection becomes active or inactive, I am being asked for the root password as the daemon needs to change the firewall zone. I doubt whether it was really designed like this or whether it is due to your patch to the permissions.
Regards
Raymond
Which repository are you downloading and installing firewalld from?
I deleted the Yast Firewall and then installed firewalld from this repo: http://download.opensuse.org/repositories/home:/lemmy04:/firewalld/openSUSE_13.2
I was unable to launch the /usr/bin/firewall-config
Kept getting an error on line 15.
Maybe you need the package typelib-1_0-NetworkManager-1_0.
Herbert
That's the missing file! I restarted firewall-config as root; I'm getting this message after installing the missing package.

/usr/bin/firewall-config
/usr/bin/firewall-config:73: Warning: The property GtkButton:use-stock is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkSettings:gtk-button-images is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkAlignment:left-padding is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkButton:xalign is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkTreeView:rules-hint is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkImage:stock is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkSettings:gtk-menu-images is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkImageMenuItem:image is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkToolButton:stock-id is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkMisc:xpad is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkAlignment:right-padding is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkMisc:ypad is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkAlignment:top-padding is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))
/usr/bin/firewall-config:73: Warning: The property GtkButton:yalign is deprecated and shouldn't be used anymore. It will be removed in a future version.
  builder.add_from_file("%s/%s" % (datadir, CONFIG_GLADE_NAME))

I then rebooted my desktop. The "firewalld" daemon had to be manually enabled in the Yast Services Manager.

Rather than using "external" I see "public" enabled by default. I'm not sure what the difference is between the two. I'll have to read the documentation.

I still believe the Yast Firewall is much slicker and easier to use - especially for the newbie. It has almost no documentation. Can the devs bring the best of and integrate it into the Yast Firewall? Any thoughts?

Cheers! Roman
On Saturday, 6 December 2014, 20:59:30 Roman Bysh wrote:
Rather than using "external" I see "public" enabled by default. I'm not sure what the difference is between the two. I'll have to read the documentation.
In both of those zones by default only port 22/tcp is allowed inbound, but on "external" outgoing ipv4 is masqueraded, on public it isn't. Cheers MH
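To make the public/external difference Mathias describes concrete, here is an added Python example (not from this thread and not firewalld's own code) that parses firewalld zone definitions in the XML layout firewalld uses for the files under /usr/lib/firewalld/zones and /etc/firewalld/zones, diffs two of them, and flags settings a laptop user would want to notice, masquerading above all. The two zone documents are constructed for the example and only approximate the shipped public and external zones (the constructed public zone also opens dhcpv6-client so that the services diff is non-empty); the allow list in audit_zone is an assumed laptop policy, not anything firewalld defines.

```python
"""Parse, diff and audit firewalld zone definitions.

Added example for this discussion. The zone XML below is constructed and only
modelled on the layout of firewalld's zone files (<zone target=...>, <short>,
<service name=.../>, <port protocol=... port=.../>, <masquerade/>); it is not
copied from a firewalld release.
"""
import xml.etree.ElementTree as ET

# Constructed approximation of a "public" zone: selected inbound services only.
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""

# Constructed approximation of an "external" zone: ssh inbound, plus masquerading,
# i.e. the host would NAT traffic for machines behind it like a router does.
EXTERNAL_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks with masquerading enabled.</description>
  <service name="ssh"/>
  <masquerade/>
</zone>
"""


def parse_zone(xml_text):
    """Return the policy-relevant parts of one zone definition as a dict."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "zone":
        raise ValueError("not a firewalld zone definition: <%s>" % root.tag)
    return {
        "name": root.findtext("short", default="").lower(),
        "target": root.get("target", "default"),   # default / ACCEPT / DROP / %%REJECT%%
        "services": sorted(s.get("name") for s in root.findall("service")),
        "ports": sorted((p.get("protocol"), p.get("port")) for p in root.findall("port")),
        "masquerade": root.find("masquerade") is not None,
    }


def diff_zones(a, b):
    """Describe how zone b differs from zone a (scalar settings and set members)."""
    diff = {}
    for key in ("target", "masquerade"):
        if a[key] != b[key]:
            diff[key] = (a[key], b[key])
    for key in ("services", "ports"):
        only_a = sorted(set(a[key]) - set(b[key]))
        only_b = sorted(set(b[key]) - set(a[key]))
        if only_a or only_b:
            diff[key] = {"only_in_" + a["name"]: only_a, "only_in_" + b["name"]: only_b}
    return diff


def audit_zone(zone, allowed_services=("ssh",)):
    """Flag settings that are surprising for a single-user laptop (assumed policy)."""
    findings = []
    if zone["masquerade"]:
        findings.append("masquerade enabled: this host would NAT traffic for other machines")
    extra = [s for s in zone["services"] if s not in allowed_services]
    if extra:
        findings.append("services beyond the allow list: " + ", ".join(extra))
    if zone["ports"]:
        findings.append("explicit ports opened: " + ", ".join("%s/%s" % (port, proto) for proto, port in zone["ports"]))
    if zone["target"] == "ACCEPT":
        findings.append("target ACCEPT: everything not matched by a rule is allowed in")
    return findings


if __name__ == "__main__":
    public, external = parse_zone(PUBLIC_XML), parse_zone(EXTERNAL_XML)
    print("external differs from public in:", diff_zones(public, external))
    for zone in (public, external):
        print("%s: %s" % (zone["name"], "; ".join(audit_zone(zone)) or "nothing to report"))
```

Pointing parse_zone at the real files (read each zone file and pass its text) turns this into a quick check of what a connection's zone actually permits, which is the question Roman was asking; a laptop that lands in a masquerading zone is the kind of surprise the audit is meant to surface.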
On 12/07/2014 03:40 AM, Mathias Homann wrote:
On Saturday, 6 December 2014, 20:59:30 Roman Bysh wrote:
Rather than using "external" I see "public" enabled by default. I'm not sure what the difference is between the two. I'll have to read the documentation.
In both of those zones by default only port 22/tcp is allowed inbound, but on "external" outgoing ipv4 is masqueraded, on public it isn't.
Cheers MH
Masquerade is good. Yes. Cheers! Roman
On 03.12.2014 at 08:52 Mathias Homann wrote:
Then you'd stick with SFW2, of course.
I think I haven't made myself clear here:
I am not promoting firewalld as a *replacement* for SFW2, all I'm saying is that there are use cases for a firewall where firewalld might be more suited than SFW2, so we might want to offer it as an alternative.
We had and have enough fun with alternative network management and init systems already. No need to extend that to firewalls :-) So I'd prefer one solution properly integrated rather than two half-baked ones.

Let's collect a list of differences/missing features to have proper facts to evaluate whether firewalld can replace SFW2 resp. which effort is needed to achieve that. The hint with the logging is already a very good one. Do we have a wiki page for firewalld yet?

cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) Maxfeldstraße 5; 90409 Nürnberg; Germany
On Wed, Dec 3, 2014, at 06:51 AM, Ludwig Nussel wrote:
We had and have enough fun with alternative network management and init systems already. No need to extend that to firewalls :-) So I'd prefer one solution properly integrated rather than two half-baked ones.
Let's collect a list of differences/missing features to have proper facts to evaluate whether firewalld can replace SFW2 resp which effort is needed to achieve that. The hint with the logging is already a very good one. Do we have a wiki page for firewalld yet?
'Fun' isn't the 1st word that comes to mind ... But your point's certainly well made. Feature request #1 from us: zero hard dependencies, especially when considering "proper integration" (whatever that ends up being). Our need is to *cleanly* rip-out / disable whatever's native -- SF2 or firewalld -- and implement a different solution. For us, currently, that's Shorewall. Its capabilities, and especially its best-in-class / extensive documentation, are unmatched by either of the 2 solutions being discussed here.
Hi all, This is an interesting topic, and I have some time, so I wouldn't mind picking this up and seeing where we can take it. Firewalld looks to have some merit, and while I've not yet used it extensively, it does offer some nice features: similar to SF2 it's based on zones, clean interface, large list of supported services, d-bus interface, etc. I tried firewalld with Wicked instead of NM, and while configuration must be done by manually inputting interface names, I suspect we could get some communication happening between the two over d-bus as well. Perhaps we could also build some support for configuration via ifcfg- files in the future. Just some thoughts. After going through this thread, I find the idea of peaceful coexistence (especially at the beginning) quite agreeable. As proposed, I think a similar approach to Wicked/NM selection could be built into the yast2-firewall, and if firewalld is selected, a decent place to start would be to have YaST2 run the firewalld GUI. This would hopefully get more folks trying firewalld and evaluating its usability as an alternative or a replacement, or whatever we decide. Later on, we could look at the effort involved in things like converting /etc/sysconfig/SuSEfirewall2 and others into firewalld parsable forms. For now, both packages could exist on the system together, with only one enabled and running at a given time. I'm not a YaST developer, but it might be fun to give it a go :) I think some great ideas came out of this thread, so let's keep the channel open. If anyone has any feedback, more ideas, concerns, please share them. Best regards, Karol
On Tue, 27 Jan 2015 02:07, Karol Mroz wrote:
This is an interesting topic, and I have some time, so I wouldn't mind picking this up and seeing where we can take it.
Firewalld looks to have some merit, and while I've not yet used it extensively, it does offer some nice features: similar to SF2 it's based on zones, clean interface, large list of supported services, d-bus interface, etc. I tried firewalld with Wicked instead of NM, and while configuration must be done by manually inputting interface names, I suspect we could get some communication happening between the two over d-bus as well. Perhaps we could also build some support for configuration via ifcfg- files in the future. Just some thoughts.
After going through this thread, I find the idea of peaceful coexistence (especially at the beginning) quite agreeable. As proposed, I think a similar approach to Wicked/NM selection could be built into the yast2-firewall, and if firewalld is selected, a decent place to start would be to have YaST2 run the firewalld GUI. This would hopefully get more folks trying firewalld and evaluating its usability as an alternative or a replacement, or whatever we decide. Later on, we could look at the effort involved in things like converting /etc/sysconfig/SuSEfirewall2 and others into firewalld parsable forms. For now, both packages could exist on the system together, with only one enabled and running at a given time. I'm not a YaST developer, but it might be fun to give it a go :)
I think some great ideas came out of this thread, so let's keep the channel open. If anyone has any feedback, more ideas, concerns, please share them.
A few things to note upon:
- GUI is GTK only, Yast GTK UI port is the way of the dodo, only qt GUI works.
- no ncurses interface.
- for full integration into Yast, the firewalld cli would have to be used.
- migration from personal iptables rules is not automatic.
Info: http://www.firewalld.org/documentation/ https://fedoraproject.org/wiki/FirewallD
I'm not against, but the missing migration is raising my hackles. That is a point to get working, after that the resistance against a change as default firewall should be much less. For a fresh desktop install, with no config transfer from an old system, sure, it is a possibility to use it now. For a server with no GUI? no good atm. Trying to convert your special iptables rules to firewalld? Well, starting anew is faster, no help for converting. Better to know what is waiting ahead than running blind into it. Could we get it into shape for SLE13? -- Possible, sure. Ready for OSS.next? -- very unsure, but let's start. - Yamaban.
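Both Karol's post (converting /etc/sysconfig/SuSEfirewall2 into something firewalld can consume) and Yamaban's reply (migration is not automatic) touch on what a migration helper would have to do. The script below is an added illustration of the easy subset of that job, written for this thread and not code from either the SuSEfirewall2 or the firewalld project: it reads the FW_DEV_* interface lists and FW_SERVICES_*_TCP/UDP port lists from a sysconfig-style file and emits the equivalent firewall-cmd --permanent calls, mapping the SuSEfirewall2 zones EXT/INT/DMZ onto firewalld's built-in public/internal/dmz zones (that mapping, the treatment of FW_DEV_EXT=any as "set the default zone by hand", and the list of variables flagged for manual review are assumptions made here). Everything it does not understand, such as FW_CONFIGURATIONS_*, FW_CUSTOMRULES or masquerading, it reports instead of guessing, which is exactly the part of a real migration that stays manual. The sample configuration embedded at the bottom is constructed for the demonstration.

```python
"""Minimal SuSEfirewall2 -> firewalld migration sketch (added example, not project code).

Handles only: interfaces per zone (FW_DEV_EXT/INT/DMZ) and open ports per zone
(FW_SERVICES_<ZONE>_TCP/UDP). Anything else that is set is reported for
manual review rather than translated.
"""
import re
import shlex

# Assumed zone mapping: SuSEfirewall2 zone name -> firewalld built-in zone.
ZONE_MAP = {"EXT": "public", "INT": "internal", "DMZ": "dmz"}

# Variable prefixes this sketch deliberately refuses to translate automatically.
MANUAL_REVIEW = ("FW_CONFIGURATIONS_", "FW_CUSTOMRULES", "FW_MASQUERADE",
                 "FW_FORWARD", "FW_ROUTE", "FW_LOG_")

_ASSIGN = re.compile(r"^\s*(FW_[A-Z0-9_]+)=(.*)$")
_PORT = re.compile(r"\d+(:\d+)?")   # "22" or iptables-style range "1024:1030"


def parse_sysconfig(text):
    """Return {VAR: value} for FW_* assignments; values are unquoted shell-style.

    Comment lines never match the regex, and shlex drops trailing '# ...' comments.
    """
    cfg = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = " ".join(shlex.split(m.group(2), comments=True))
    return cfg


def _port_flag(token):
    """Numeric ports become --add-port; service names fall back to --add-service."""
    if _PORT.fullmatch(token):
        return "--add-port=" + token.replace(":", "-"), None
    # Assumption: the name exists as a firewalld service; the caller must verify.
    return "--add-service=" + token, f"{token}: verify that firewalld has a service of this name"


def convert(cfg):
    """Translate a parsed config into (firewall-cmd commands, warnings)."""
    cmds, warnings = [], []
    for sfw_zone, fwd_zone in ZONE_MAP.items():
        base = f"firewall-cmd --permanent --zone={fwd_zone}"
        for iface in cfg.get(f"FW_DEV_{sfw_zone}", "").split():
            if iface == "any":   # assumed meaning: catch-all interface for this zone
                warnings.append(f"FW_DEV_{sfw_zone}=any: run firewall-cmd --set-default-zone={fwd_zone} manually")
                continue
            cmds.append(f"{base} --add-interface={iface}")
        for proto in ("tcp", "udp"):
            for token in cfg.get(f"FW_SERVICES_{sfw_zone}_{proto.upper()}", "").split():
                flag, warn = _port_flag(token)
                cmds.append(f"{base} {flag}" + ("" if flag.startswith("--add-service") else f"/{proto}"))
                if warn:
                    warnings.append(warn)
    # Anything set but outside the handled subset is flagged, never silently dropped.
    for var, val in cfg.items():
        if var.startswith(MANUAL_REVIEW) and val not in ("", "no"):
            warnings.append(f"{var}={val!r} needs manual review")
    return cmds, warnings


# Constructed sample, not a real host's /etc/sysconfig/SuSEfirewall2.
SAMPLE_SYSCONFIG = """\
## Path: Network/Firewall/SuSEfirewall2
FW_DEV_EXT="eth0 wlan0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP="22 80 443 1024:1030"
FW_SERVICES_EXT_UDP="ntp"
FW_SERVICES_INT_TCP="5900"
FW_CONFIGURATIONS_EXT="sshd"
FW_MASQUERADE="no"
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_LOG_DROP_ALL="no"
"""

if __name__ == "__main__":
    commands, notes = convert(parse_sysconfig(SAMPLE_SYSCONFIG))
    print("\n".join(commands))
    print("# then: firewall-cmd --reload")
    for note in notes:
        print("# REVIEW:", note)
```

The output is a list of commands to inspect, not something to pipe straight into a shell: the warnings are the migration work the thread says is missing, and a reviewer should diff the resulting firewalld zones against the old iptables ruleset before switching which of the two services is enabled.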
participants (17): Bruno Friedmann, Carlos E. R., Carlos E. R., Darin Perusich, Dimstar / Dominique Leuenberger, grantksupport@operamail.com, Herbert Graeber, James Knott, Karol Mroz, Ludwig Nussel, Lukas Ocilka, Marcus Meissner, Mathias Homann, Raymond Wooninck, Roman Bysh, Stephan Kulow, Yamaban