[opensuse-factory] communication regarding the move to firewalld
Information appears informally regarding the move: suggestions of susefirewall 'stopping working correctly', talk of firewalld implementation not being complete. yast control now tied to firewalld even though susefirewall still being in use. For those of us who are not experts, the information is confusing. There are many threads on the forums expressing confusion, rather than explanation and facts.

I think the move to firewalld should be announced and communicated, with guidance on timing and setup where possible.

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

nicholas cunliffe wrote:
> Information appears informally regarding the move: suggestions of susefirewall 'stopping working correctly', talk of firewalld implementation not being complete. yast control now tied to firewalld even though susefirewall still being in use. For those of us who are not experts, the information is confusing. There are many threads on the forums expressing confusion, rather than explanation and facts.
>
> I think the move to firewalld should be announced and communicated, with guidance on timing and setup where possible.

Absolutely. I just installed the package on my TW laptop, to have a look at things. So far I'm not too impressed, I have to say. SuSEfirewall2 had a nice text file with all the configuration options and hints for various things like masquerading, port forwarding etc., which I use a lot on our server.

On quick look I couldn't find something similar for firewalld. Instead a lot of xml files :(( So I had a look at the conversion script, susefirewall2-to-firewalld.

It suggested running it (dry-run), to see what happens. It claimed it would only stop and restart SFW2. It did (of course) also stop fail2ban, but did not restart it afterwards...

I also noticed that using firewalld had caused the load of >30 new kernel modules...

At least fail2ban seems to support firewalld, too. But I do fear this change will cause quite some work :o

31.01.2018 13:21, Peter Suetterlin wrote:
> On quick look I couldn't find something similar for firewalld. Instead a lot of xml files :(( So I had a look at the conversion script, susefirewall2-to-firewalld.
>
> It suggested running it (dry-run), to see what happens. It claimed it would only stop and restart SFW2. It did (of course) also stop fail2ban, but did not restart it afterwards...

I do not think it is something the script does intentionally or that the script even knows about the fail2ban service at all. The fail2ban service is configured to be PartOf the SuSEfirewall2 service. So when the script stopped SFW2 it caused fail2ban to be also stopped. But PartOf only applies to stopping, so starting SFW2 did not pull fail2ban.

Check what the script does. Maybe it could use restart instead of stop/start; restart should also restart all dependent units that are PartOf the unit being restarted.

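The PartOf= behaviour described in the message above, as an added example that is not part of the original thread or of the conversion script: a shell check that lists the units systemd reports as ConsistsOf= the firewall unit (the reverse side of PartOf=) and prints those that are not active. The helper names and the sample data are constructed for illustration; the unit name SuSEfirewall2.service follows the thread and is an assumption about the installed unit.

```shell
#!/bin/sh
# Added example: find units that were stopped together with the firewall
# unit (PartOf=) and were not started again afterwards.

FW_UNIT="${FW_UNIT:-SuSEfirewall2.service}"   # assumed unit name, as in the thread

# Extract unit names from a "ConsistsOf=a.service b.service" line.
# ConsistsOf= is the reverse side of PartOf= in `systemctl show` output.
consists_of() {
    printf '%s\n' "$1" | sed -n 's/^ConsistsOf=//p' | tr ' ' '\n' | sed '/^$/d'
}

# Read "unit state" pairs on stdin; print units whose state is not "active".
not_active() {
    while read -r unit state; do
        [ -n "$unit" ] || continue
        [ "$state" = "active" ] || printf '%s\n' "$unit"
    done
}

# Live check: ask systemd for the dependents and their current state.
check_live() {
    show=$(systemctl show -p ConsistsOf "$FW_UNIT") || return 2
    for u in $(consists_of "$show"); do
        printf '%s %s\n' "$u" "$(systemctl is-active "$u")"
    done | not_active
}

# Constructed sample (not captured from a real system): the state after
# the firewall unit was stopped and then started, rather than restarted.
SAMPLE_SHOW='ConsistsOf=fail2ban.service'
SAMPLE_STATE='fail2ban.service inactive
sshd.service active'

# Run against the local systemd only when asked to.
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```

Run with `--live` after switching firewalls; any unit it prints was left stopped and needs a manual start.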
Andrei Borzenkov wrote:
> 31.01.2018 13:21, Peter Suetterlin wrote:
>> On quick look I couldn't find something similar for firewalld. Instead a lot of xml files :(( So I had a look at the conversion script, susefirewall2-to-firewalld.
>>
>> It suggested running it (dry-run), to see what happens. It claimed it would only stop and restart SFW2. It did (of course) also stop fail2ban, but did not restart it afterwards...
>
> I do not think it is something the script does intentionally or that the script even knows about the fail2ban service at all. The fail2ban service is configured to be PartOf the SuSEfirewall2 service. So when the script stopped SFW2 it caused fail2ban to be also stopped. But PartOf only applies to stopping, so starting SFW2 did not pull fail2ban.

You're of course right! And I mostly wrote it to make other readers aware of that. Best solution (IMHO) would be just to mention this also in the start-up info of the script, that dependent services like f2b might need manual restart.

> Check what the script does. Maybe it could use restart instead of stop/start; restart should also restart all dependent units that are PartOf the unit being restarted.

Shame on me - I wasn't even aware of that difference :o

I'm not sure if this should be reported as a bug, or if there is a fix in place or if it is even necessary, but with all of my Tumbleweed upgrades, the Firewalld module was added in Yast but the Firewalld service was not active/enabled and the SuSEFirewall2 was still active/enabled. Not a big deal for a user to make the fix, so long as they are informed. I added a Troubleshoot section to the wiki concerning this issue.

Maybe I missed it in the whole thread, but is there a migration path from SFW2 to firewalld? Or how does one get all the settings from here to there?

Thanks
Axel

participants (4):
- Andrei Borzenkov
- Axel Braun
- nicholas cunliffe
- Peter Suetterlin