[opensuse-project] firewalld as alternative for SuSEfirewall2?
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
--
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
To contact the owner, email: opensuse-project+owner@opensuse.org
On Mon, 2014-11-24 at 15:55 +0100, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
I think I fail to see what the problem with our current firewall is?
On Mon, 24 Nov 2014 11:55:28 -0800, Roger Luedecke wrote:
On Mon, 2014-11-24 at 15:55 +0100, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
I think I fail to see what the problem with our current firewall is?
The issue is if you change wireless networks and connect to a combination of trusted and untrusted networks (for example: Trusted = home/work, untrusted = public wifi at the airport), you might want to have different zones/firewall settings depending on which wireless network you connect to. I don't think our current FW implementation supports that kind of configuration. Jim -- Jim Henderson Please keep on-topic replies on the list so everyone benefits
On Monday, 24 November 2014, 20:05:20, Jim Henderson wrote:
On Mon, 24 Nov 2014 11:55:28 -0800, Roger Luedecke wrote:
On Mon, 2014-11-24 at 15:55 +0100, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
I think I fail to see what the problem with our current firewall is?
The issue is if you change wireless networks and connect to a combination of trusted and untrusted networks (for example: Trusted = home/work, untrusted = public wifi at the airport), you might want to have different zones/firewall settings depending on which wireless network you connect to.
Exactly my point.
I don't think our current FW implementation supports that kind of configuration.
It doesn't. Which is why SCPM was A Good Thing, but now with grub2 and systemd SCPM is pretty much useless, and there's no maintainer to carry it forward, either. Mind, for a server the SuSEFirewall2 scripts are just great. I think the way to do it should be similar to what redhat/fedora does, and provide both SuSEfirewall2 (for servers, and desktops with static connections) and firewalld for laptops / network manager based setups. Then, the user can just choose which of the two to use. Cheers MH
On 2014-11-24 21:17, Mathias Homann wrote:
I don't think our current FW implementation supports that kind of configuration.
It doesn't. Which is why SCPM was A Good Thing, but now with grub2 and systemd SCPM is pretty much useless, and there's no maintainer to carry it forward, either.
I was going to tell you that it did: ie, SCPM did. There even was a YaST module for it. Last time I was able to use it was in 11.4. And it could do way more than just changing the firewall, like changing the entire postfix configuration. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Mon, 2014-11-24 at 21:30 +0100, Carlos E. R. wrote:
On 2014-11-24 21:17, Mathias Homann wrote:
I don't think our current FW implementation supports that kind of configuration.
It doesn't. Which is why SCPM was A Good Thing, but now with grub2 and systemd SCPM is pretty much useless, and there's no maintainer to carry it forward, either.
I was going to tell you that it did: ie, SCPM did. There even was a YaST module for it. Last time I was able to use it was in 11.4. And it could do way more than just changing the firewall, like changing the entire postfix configuration.
Has that module fallen into disrepair? I personally prefer YaST ways if they are available since they are uniquely openSUSE.
On 2014-11-24 22:17, Roger Luedecke wrote:
On Mon, 2014-11-24 at 21:30 +0100, Carlos E. R. wrote:
Has that module fallen into disrepair? I personally prefer YaST ways if they are available since they are uniquely openSUSE.
AFAIR, it doesn't even exist now. I tried SCPM in 12.3, when I upgraded from 11.4, and it failed. I did not investigate more, but I was forced to switch from ifup to network manager plus some scripts and config changes so that postfix/dovecot could cope. Meaning, that I probably can not upgrade to 13.2 till somebody finds how to attach scripts to wicked. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Monday, 24 November 2014, 11:55:28, Roger Luedecke wrote:
On Mon, 2014-11-24 at 15:55 +0100, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
I think I fail to see what the problem with our current firewall is?
Then please explain to me how to do this: I want to use NetworkManager (or wicked). I want to have one WiFi definition for my Wifi at home. I want to have the wireless interface to be in the internal network when that configuration is active. I also want to have another WiFi definition called "Work", and when that one is active I want the WiFi to be in the work zone. I also want to have any further WiFi definitions that might crop up occasionally (airport, starbucks, you name it) to be in the "public" zone by default. Frankly, I want the "Zone" field in network manager to be useful. With SuSEFirewall2 it isn't. Cheers MH
On Mon, 2014-11-24 at 21:07 +0100, Mathias Homann wrote:
On Monday, 24 November 2014, 11:55:28, Roger Luedecke wrote:
On Mon, 2014-11-24 at 15:55 +0100, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
I think I fail to see what the problem with our current firewall is?
Then please explain to me how to do this:
I want to use NetworkManager (or wicked). I want to have one WiFi definition for my Wifi at home. I want to have the wireless interface to be in the internal network when that configuration is active. I also want to have another WiFi definition called "Work", and when that one is active I want the WiFi to be in the work zone. I also want to have any further WiFi definitions that might crop up occasionally (airport, starbucks, you name it) to be in the "public" zone by default.
Frankly, I want the "Zone" field in network manager to be useful. With SuSEFirewall2 it isn't.
Cheers MH
I couldn't since I failed to see what the problem with our current firewall was.
On Monday, 24 November 2014, 13:19:14, Roger Luedecke wrote:
On Mon, 2014-11-24 at 21:07 +0100, Mathias Homann wrote:
On Monday, 24 November 2014, 11:55:28, Roger Luedecke wrote:
On Mon, 2014-11-24 at 15:55 +0100, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
I think I fail to see what the problem with our current firewall is?
Then please explain to me how to do this:
I want to use NetworkManager (or wicked). I want to have one WiFi definition for my Wifi at home. I want to have the wireless interface to be in the internal network when that configuration is active. I also want to have another WiFi definition called "Work", and when that one is active I want the WiFi to be in the work zone. I also want to have any further WiFi definitions that might crop up occasionally (airport, starbucks, you name it) to be in the "public" zone by default.
Frankly, I want the "Zone" field in network manager to be useful. With SuSEFirewall2 it isn't.
Cheers MH
I couldn't since I failed to see what the problem with our current firewall was.
The problem is that SuSEFirewall2 can't have the same interface in different zones depending on which wireless you connect to. The problem also is that SCPM is not working with systemd, so it can't be used to switch configurations on boot based on which WiFi you're *going* to connect to. Did I make myself clear? Cheers MH
Hi, why don't we "simply" fix SuSEFirewall2 to support that feature? Is it difficult to do? Bye hawake
On 2014-11-24 22:50, Mathias Homann wrote:
The problem is that SuSEFirewall2 can't have the same interface in different zones depending on which wireless you connect to. The problem also is that SCPM is not working with systemd, so it can't be used to switch configurations on boot based on which WiFi you're *going* to connect to.
If it is only the firewall, you can keep different firewall configs in a directory, and switch them with a script. I could code something if I wanted to, as long as it is only just a limited, known, and small number of files to keep track of. Let me see... keep a backup of the files you want under a directory per profile, perhaps under /root, and another file listing the current profile name (and list of files). When going to switch to a different profile, rsync (or unison) the active files to the previous profile backup, then copy the new profile files from backup to active place, then restart the affected services. Perhaps stop them before switching some files. Doable for a limited number of files, complicated for a generic case, like scpm did. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
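The profile-switching procedure described in the message above, as a POSIX shell script. This is an added example, not code from the thread or from any openSUSE package; the /root/fw-profiles layout, the function and variable names, and the no-op default restart command are assumptions.

```shell
#!/bin/sh
# Added example: switch between saved firewall config profiles.
# All paths and names below are assumptions, not taken from the thread.
PROFILE_DIR="${PROFILE_DIR:-/root/fw-profiles}"   # one subdirectory per profile
ACTIVE_ROOT="${ACTIVE_ROOT:-}"                     # prefix of the live files ("" = real /)
TRACKED_FILES="${TRACKED_FILES:-/etc/sysconfig/SuSEfirewall2}"  # space-separated list
RESTART_CMD="${RESTART_CMD:-:}"                    # set to your firewall restart command

# Print the name of the active profile, or nothing if none was recorded yet.
current_profile() {
    if [ -f "$PROFILE_DIR/current" ]; then cat "$PROFILE_DIR/current"; fi
}

# Copy the live tracked files into the backup of profile $1.
save_profile() {
    for f in $TRACKED_FILES; do
        [ -f "$ACTIVE_ROOT$f" ] || continue
        mkdir -p "$PROFILE_DIR/$1$(dirname "$f")" || return 1
        cp -p "$ACTIVE_ROOT$f" "$PROFILE_DIR/$1$f" || return 1
    done
}

# Activate profile $1. Refuses to touch anything unless the target is complete,
# so a typo or a half-made profile never leaves the firewall config half-switched.
switch_profile() {
    new="$1"
    case "$new" in
        ""|*/*|.*) echo "invalid profile name: '$new'" >&2; return 2 ;;
    esac
    for f in $TRACKED_FILES; do
        [ -f "$PROFILE_DIR/$new$f" ] || {
            echo "profile '$new' has no copy of $f; nothing changed" >&2
            return 1
        }
    done
    old="$(current_profile)"
    if [ -n "$old" ]; then save_profile "$old" || return 1; fi
    for f in $TRACKED_FILES; do
        # Copy next to the target, then rename, so the live file is replaced atomically.
        tmp="$ACTIVE_ROOT$f.new.$$"
        cp -p "$PROFILE_DIR/$new$f" "$tmp" && mv -f "$tmp" "$ACTIVE_ROOT$f" || return 1
    done
    printf '%s\n' "$new" > "$PROFILE_DIR/current" || return 1
    $RESTART_CMD
}

# Run as: fw-profile.sh <profile>   (script name is hypothetical)
if [ "$#" -gt 0 ]; then switch_profile "$1"; fi
```

Set RESTART_CMD to whatever restarts the firewall on the system in question, and keep the profile directory readable by root only, since it holds the firewall rules.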
On Mon, 2014-11-24 at 22:50 +0100, Mathias Homann wrote:
On Monday, 24 November 2014, 13:19:14, Roger Luedecke wrote:
On Mon, 2014-11-24 at 21:07 +0100, Mathias Homann wrote:
On Monday, 24 November 2014, 11:55:28, Roger Luedecke wrote:
On Mon, 2014-11-24 at 15:55 +0100, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
I think I fail to see what the problem with our current firewall is?
Then please explain to me how to do this:
I want to use NetworkManager (or wicked). I want to have one WiFi definition for my Wifi at home. I want to have the wireless interface to be in the internal network when that configuration is active. I also want to have another WiFi definition called "Work", and when that one is active I want the WiFi to be in the work zone. I also want to have any further WiFi definitions that might crop up occasionally (airport, starbucks, you name it) to be in the "public" zone by default.
Frankly, I want the "Zone" field in network manager to be useful. With SuSEFirewall2 it isn't.
Cheers MH
I couldn't since I failed to see what the problem with our current firewall was.
The problem is that SuSEFirewall2 can't have the same interface in different zones depending on which wireless you connect to. The problem also is that SCPM is not working with systemd, so it can't be used to switch configurations on boot based on which WiFi you're *going* to connect to.
Did I make myself clear?
Cheers MH
You missed my original point. I stated that I failed to see the problem. Then it was explained, at which point it was apparent. I wasn't objecting, but stating a need for clarification.
On Mon, Nov 24, 2014 at 10:50:26PM +0100, Mathias Homann wrote:
On Monday, 24 November 2014, 13:19:14, Roger Luedecke wrote:
On Mon, 2014-11-24 at 21:07 +0100, Mathias Homann wrote:
On Monday, 24 November 2014, 11:55:28, Roger Luedecke wrote:
On Mon, 2014-11-24 at 15:55 +0100, Mathias Homann wrote:
Hi,
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
I think we should...
reasoning:
mobile users (laptops) who use NetworkManager / Wicked for managing their ip connectivity "in userspace" would want to be able to have multiple wifi setups that end up being in different zones.
I'm going to try to package the latest firewalld from fedora for openSUSE, and test it with 13.2.
Progress report will follow in due time.
cheers MH
I think I fail to see what the problem with our current firewall is?
Then please explain to me how to do this:
I want to use NetworkManager (or wicked). I want to have one WiFi definition for my Wifi at home. I want to have the wireless interface to be in the internal network when that configuration is active. I also want to have another WiFi definition called "Work", and when that one is active I want the WiFi to be in the work zone. I also want to have any further WiFi definitions that might crop up occasionally (airport, starbucks, you name it) to be in the "public" zone by default.
Frankly, I want the "Zone" field in network manager to be useful. With SuSEFirewall2 it isn't.
Cheers MH
I couldn't since I failed to see what the problem with our current firewall was.
The problem is that SuSEFirewall2 can't have the same interface in different zones depending on which wireless you connect to. The problem also is that SCPM is not working with systemd, so it can't be used to switch configurations on boot based on which WiFi you're *going* to connect to.
Did I make myself clear?
Is the firewall zone switcher applet (fwzs) perhaps of help? Ciao, Marcus
On 11/25/2014 01:00 AM, Marcus Meissner wrote:
On Mon, Nov 24, 2014 at 10:50:26PM +0100, Mathias Homann wrote:
The problem is that SuSEFirewall2 can't have the same interface in different zones depending on which wireless you connect to. The problem also is that SCPM is not working with systemd, so it can't be used to switch configurations on boot based on which WiFi you're *going* to connect to.
Did I make myself clear?
Is the firewall zone switcher applet (fwzs) perhaps of help?
Ciao, Marcus
"Firewall Zone Switcher consists of a DBus service and a system tray applet that lets the user switch firewall zones of network interfaces." ...that might do as a workaround, but not as complete replacement of what firewalld in connection with network manager can do. My point is, with firewalld + networkmanager you set the zone *per connection*, not *per physical interface*, and therefore you don't have to do *anything at all* manually while moving between wireless networks. Keep in mind, a "connection" with network manager means a *combination* of *physical interface* and *configuration*. Cheers MH
Mathias Homann wrote:
On 11/25/2014 01:00 AM, Marcus Meissner wrote:
On Mon, Nov 24, 2014 at 10:50:26PM +0100, Mathias Homann wrote:
The problem is that SuSEFirewall2 can't have the same interface in different zones depending on which wireless you connect to. The problem also is that SCPM is not working with systemd, so it can't be used to switch configurations on boot based on which WiFi you're *going* to connect to.
Did I make myself clear?
Is the firewall zone switcher applet (fwzs) perhaps of help?
Ciao, Marcus
"Firewall Zone Switcher consists of a DBus service and a system tray applet that lets the user switch firewall zones of network interfaces."
...that might do as a workaround, but not as complete replacement of what firewalld in connection with network manager can do.
My point is, with firewalld + networkmanager you set the zone *per connection*, not *per physical interface*, and therefore you don't have to do *anything at all* manually while moving between wireless networks.
That's what fwzs does even if it's not obvious from the UI. It remembers which zone was used for which connection and applies that as soon as NM switches connections. Anyways, SuSEfirewall2 is an aged shell script meant for use on routers. It's not actively developed anymore and IMO deserves to be retired. I don't know if firewalld can be an adequate successor though. Someone has to evaluate that and if necessary implement missing bits in firewalld. I disagree with the idea to have separate firewall implementations for servers and desktops. The line between both is very slim, think of libvirt for example which is used for both too. If a simple shell script like SuSEFirewall2 can be enhanced to serve both use cases, it shouldn't be a problem for a program designed and written in a proper programming language either after all. cu Ludwig -- Ludwig Nussel http://www.suse.de/ SUSE LINUX GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 21284 (AG Nürnberg) Maxfeldstraße 5; 90409 Nürnberg; Germany
Hey,
On 24.11.2014 15:55, Mathias Homann wrote:
Request for discussion: Should we offer firewalld as alternative for SuSEfirewall2?
Sorry to barge in this late but this is definitely the wrong list. Please take this to opensuse-factory where you have the chance to catch network/firewall maintainers... Henne -- Henne Vogelsang http://www.opensuse.org Everybody has a plan, until they get hit. - Mike Tyson
participants (8)
- Carlos E. R.
- G G
- Henne Vogelsang
- Jim Henderson
- Ludwig Nussel
- Marcus Meissner
- Mathias Homann
- Roger Luedecke