[opensuse-factory] the new package, firewalld

I see discussion of a new package, firewalld, and wonder about the status and intention. Is firewalld to replace SuSEfirewall2, and how is it better or more fitting?

tks,
--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On Friday 2016-03-04 14:38, Patrick Shanahan wrote:
> I see discussion of a new package, firewalld, and wonder about the status and intention. Is firewalld to replace SuSEfirewall2, and how is it better or more fitting?

Just because xfce4-terminal was once added does not mean it replaced xterm.

On Friday, 4 March 2016, 08:38:39, Patrick Shanahan wrote:
> I see discussion of a new package, firewalld, and wonder about the status and intention. Is firewalld to replace SuSEfirewall2, and how is it better or more fitting?
>
> tks,

Firewalld is *not a replacement for SuSEfirewall2*.

But it is (in my opinion) the better option on any setup that uses NetworkManager (laptops etc), because of the integration between the two.

Cheers
MH

On Friday, 4 March 2016 15.16:56 h CET Mathias Homann wrote:
> On Friday, 4 March 2016, 08:38:39, Patrick Shanahan wrote:
>> I see discussion of a new package, firewalld, and wonder about the status and intention. Is firewalld to replace SuSEfirewall2, and how is it better or more fitting?
>>
>> tks,
>
> Firewalld is *not a replacement for SuSEfirewall2*.
>
> But it is (in my opinion) the better option on any setup that uses NetworkManager (laptops etc), because of the integration between the two.
>
> Cheers MH

I was thinking about a tight integration between systemd-networkd and firewalld. But if it's compatible with networkmanager that's a bonus ;-)
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot

On Fri, 2016-03-04 at 15:42 +0100, Bruno Friedmann wrote:
> I was thinking about a tight integration between systemd-networkd and firewalld. But if it's compatible with networkmanager that's a bonus ;-)

It would be, but currently our NM packages are
a) not built with firewalld support (as firewalld only just appeared in TW)
b) patched to disable the UI to configure the firewall (as users were confused, as we did not have firewalld)

It will certainly be a good moment to re-visit NM and verify if integration can be achieved now AND we have to know the side-effects this could have on a user potentially still having SFW2 enabled. At this moment, NM does not do run-time detection of firewalld.

Cheers,
Dominique

On Friday, 4 March 2016, 15:50:07, Dominique Leuenberger / DimStar wrote:
> On Fri, 2016-03-04 at 15:42 +0100, Bruno Friedmann wrote:
>> I was thinking about a tight integration between systemd-networkd and firewalld. But if it's compatible with networkmanager that's a bonus ;-)
>
> It would be, but currently our NM packages are
> a) not built with firewalld support (as firewalld only just appeared in TW)
> b) patched to disable the UI to configure the firewall (as users were confused, as we did not have firewalld)
>
> It will certainly be a good moment to re-visit NM and verify if integration can be achieved now AND we have to know the side-effects this could have on a user potentially still having SFW2 enabled. At this moment, NM does not do run-time detection of firewalld.
>
> Cheers, Dominique

... on 13.2 I'm using firewalld and NetworkManager on my laptop and it works fine.

As for SFW2, how about we'll set up dependencies and conflicts in the packages?

Wicked would require SuSEfirewall2, wicked would conflict with NM, NM would require firewalld and firewalld would conflict with SFW2... That way (if I'm not totally off here) it should work fine either way.

Cheers
MH

On 03/04/2016 03:15 PM, Mathias Homann wrote:
> On Friday, 4 March 2016, 15:50:07, Dominique Leuenberger / DimStar wrote:
>> On Fri, 2016-03-04 at 15:42 +0100, Bruno Friedmann wrote:
>>> I was thinking about a tight integration between systemd-networkd and firewalld. But if it's compatible with networkmanager that's a bonus ;-)
>>
>> It would be, but currently our NM packages are
>> a) not built with firewalld support (as firewalld only just appeared in TW)
>> b) patched to disable the UI to configure the firewall (as users were confused, as we did not have firewalld)
>>
>> It will certainly be a good moment to re-visit NM and verify if integration can be achieved now AND we have to know the side-effects this could have on a user potentially still having SFW2 enabled. At this moment, NM does not do run-time detection of firewalld.
>>
>> Cheers, Dominique
>
> ... on 13.2 I'm using firewalld and NetworkManager on my laptop and it works fine.
>
> As for SFW2, how about we'll set up dependencies and conflicts in the packages?
>
> Wicked would require SuSEfirewall2, wicked would conflict with NM, NM would require firewalld and firewalld would conflict with SFW2... That way (if I'm not totally off here) it should work fine either way.
>
> Cheers MH

I am not sure if having SF2 conflict with firewalld is a good idea. I believe it would be useful to be able to have both installed since firewalld is quite new so you may want to experiment with it without having to remove SF2. OTOH the SF2 and firewalld systemd services conflict with each other so you can have both installed and systemd will make sure that only one of them is running.

--
markos

On Friday 2016-03-04 16:23, Markos Chandras wrote:
>> As for SFW2, how about we'll set up dependencies and conflicts in the packages?
>>
>> Wicked would require SuSEfirewall2, wicked would conflict with NM, NM would require firewalld and firewalld would conflict with SFW2... That way (if I'm not totally off here) it should work fine either way.
>
> I am not sure if having SF2 conflict with firewalld is a good idea. I believe it would be useful to be able to have both installed since firewalld is quite new so you may want to experiment with it without having to remove SF2. OTOH the SF2 and firewalld systemd services conflict with each other

Indeed; you want service file conflicts here, not RPM-level conflicts (unless the packages have some same-name file). Just like it is with wicked and systemd-networkd.
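
The runtime-level exclusion discussed in the two messages above, as an added example that is not part of the thread: a check that reads systemd unit files and reports which pairs of firewall services are not kept apart by a `Conflicts=` declaration. The unit file contents and the helper names are constructed for illustration and are not the units shipped by any openSUSE package.

```python
from itertools import combinations

# Constructed sample unit files; not the units shipped by any openSUSE package.
UNITS = {
    "firewalld.service": """\
[Unit]
Description=firewalld (constructed sample)
Conflicts=SuSEfirewall2.service
Conflicts=iptables.service

[Service]
ExecStart=/usr/sbin/firewalld --nofork
""",
    "SuSEfirewall2.service": "[Unit]\nDescription=SuSEfirewall2 (constructed sample)\n",
    "shorewall.service": "[Unit]\nDescription=Shorewall (constructed sample)\n",
}

def conflicts_of(unit_text):
    """Collect every unit named by Conflicts= in the [Unit] section."""
    section, found = None, set()
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section == "Unit" and sep and key.strip() == "Conflicts":
            found.update(value.split())  # repeated lines accumulate
    return found

def exclusive_pairs(units):
    """Pairs systemd keeps from running together. Conflicts= applies in both
    directions, so a declaration in either unit is enough."""
    declared = {name: conflicts_of(text) for name, text in units.items()}
    return {frozenset((a, b)) for a, b in combinations(sorted(units), 2)
            if b in declared[a] or a in declared[b]}

def unguarded(units, must_exclude):
    """Pairs from must_exclude that no unit file declares as conflicting."""
    guarded = exclusive_pairs(units)
    return [pair for pair in must_exclude if frozenset(pair) not in guarded]

if __name__ == "__main__":
    firewalls = list(combinations(sorted(UNITS), 2))
    print(unguarded(UNITS, firewalls))
```

Pairs it reports can be installed side by side and also started side by side, so two firewall managers could end up rewriting each other's rules.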

On Fri, 2016-03-04 at 16:15 +0100, Mathias Homann wrote:
> ... on 13.2 I'm using firewalld and NetworkManager on my laptop and it works fine.

I should have been more explicit: NetworkManager-gnome (the UI frontend) has been patched to not offer the FW integration pieces in the UI.

NM together with firewalld will work just fine, but getting rid of the patch will actually mean that NM can CONTROL firewalld, including putting different Firewall rules on different configured networks. So you can for example set your home wifi as more trusted than an airport wifi, disable the FW rules at home but shield off completely at the airport. Up to you to decide what you want to do in the office: do you trust your co-workers? (hint: most corporate attacks are registered from inside the network)

> As for SFW2, how about we'll set up dependencies and conflicts in the packages?

A bit harsh to not even allow to parallel install them. They should conflict at runtime, I agree, but installing them in parallel should be fine, so that one can switch between one and another.

> Wicked would require SuSEfirewall2, wicked would conflict with NM, NM would require firewalld and firewalld would conflict with SFW2... That way (if I'm not totally off here) it should work fine either way.

Same as above: using yast it is very convenient to switch between NM or wicked. Disallowing parallel install means you can't 'toggle' them if you don't have a network connection and can't get to the repo for getting 'the other implementation' (or any other package source).

Most of the time we see people switch when 'one does not work' (whichever, it's usually the first step in debugging).

This topic will need some more work / thoughts, but I'm sure we're on the right path.

Also keep in mind that a rule-conversion script has already been announced, that will bring your SFW2 rules over to firewalld.

Cheers,
Dominique

On Friday, 4 March 2016 16.27:31 h CET Dominique Leuenberger / DimStar wrote:
> On Fri, 2016-03-04 at 16:15 +0100, Mathias Homann wrote:
>> ... on 13.2 I'm using firewalld and NetworkManager on my laptop and it works fine.
>
> I should have been more explicit: NetworkManager-gnome (the UI frontend) has been patched to not offer the FW integration pieces in the UI.
>
> NM together with firewalld will work just fine, but getting rid of the patch will actually mean that NM can CONTROL firewalld, including putting different Firewall rules on different configured networks. So you can for example set your home wifi as more trusted than an airport wifi, disable the FW rules at home but shield off completely at the airport. Up to you to decide what you want to do in the office: do you trust your co-workers? (hint: most corporate attacks are registered from inside the network)
>
>> As for SFW2, how about we'll set up dependencies and conflicts in the packages?
>
> A bit harsh to not even allow to parallel install them. They should conflict at runtime, I agree, but installing them in parallel should be fine, so that one can switch between one and another.
>
>> Wicked would require SuSEfirewall2, wicked would conflict with NM, NM would require firewalld and firewalld would conflict with SFW2... That way (if I'm not totally off here) it should work fine either way.
>
> Same as above: using yast it is very convenient to switch between NM or wicked. Disallowing parallel install means you can't 'toggle' them if you don't have a network connection and can't get to the repo for getting 'the other implementation' (or any other package source).
>
> Most of the time we see people switch when 'one does not work' (whichever, it's usually the first step in debugging).
>
> This topic will need some more work / thoughts, but I'm sure we're on the right path.
>
> Also keep in mind that a rule-conversion script has already been announced, that will bring your SFW2 rules over to firewalld.
>
> Cheers, Dominique

Actually there's already a bug in Yast2: if you open network it insists on having SuSEfirewall2. Dude, I don't need it, I'm using Shorewall :-)

We don't have to force a binary choice on end users. Only a recommend level would be correct.
--
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member, fsfe fellowship
GPG KEY : D5C9B751C4653227
irc: tigerfoot

On 03/04/2016 08:38 AM, Patrick Shanahan wrote:
> I see discussion of a new package, firewalld, and wonder about the status and intention. Is firewalld to replace SuSEfirewall2, and how is it better or more fitting?

Hopefully, it'll have better IPv6 support than SuSEfirewall2.

participants (7)
- Bruno Friedmann
- Dominique Leuenberger / DimStar
- James Knott
- Jan Engelhardt
- Markos Chandras
- Mathias Homann
- Patrick Shanahan