[opensuse] Does 13.2+ work with shorewall properly yet? Read about wicked/systemd woes
Good day, I am trying to find out if shorewall is supposed to work with 13.2 properly, as I read about systemd stuff being in the midst of creation and wicked and sort of that things that make it problematic to run something different from susefirewall2. Thanks for helping.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
"cagsm" == cagsm <cumandgets0mem00f@gmail.com> writes:
cagsm> Good day, I am trying to find out if shorewall is supposed to work
cagsm> with 13.2 properly, as I read about systemd stuff being in the
cagsm> midst of creation and wicked and sort of that things that make it
cagsm> problematic to run something different from susefirewall2.
Have a look at https://bugzilla.novell.com/show_bug.cgi?id=907335 as it is the only bug opened for the same topic.
There is not much I can do unless wicked fixes the mess it created
--
Life is endless possibilities
On 2/9/2015 3:18 AM, Togan Muftuoglu wrote:
> "cagsm" == cagsm <cumandgets0mem00f@gmail.com> writes:
> cagsm> Good day, I am trying to find out if shorewall is supposed to work
> cagsm> with 13.2 properly, as I read about systemd stuff being in the
> cagsm> midst of creation and wicked and sort of that things that make it
> cagsm> problematic to run something different from susefirewall2.
> Have a look at https://bugzilla.novell.com/show_bug.cgi?id=907335 as it is the only bug opened for the same topic.
> There is not much I can do unless wicked fixes the mess it created
You could ask on the shorewall list, shorewall-users@lists.sourceforge.net or fire off a quick email to Tom Eastep at teastep@shorewall.net
Some info is found searching the Shorewall list archive: http://sourceforge.net/p/shorewall/mailman/search/?q=opensuse+13.2
"John" == John Andersen <jsamyth@gmail.com> writes:
John> On 2/9/2015 3:18 AM, Togan Muftuoglu wrote:
>>>>>>> "cagsm" == cagsm <cumandgets0mem00f@gmail.com> writes:
cagsm> Good day, I am trying to find out if shorewall is supposed to work
cagsm> with 13.2 properly, as I read about systemd stuff being in the
cagsm> midst of creation and wicked and sort of that things that make it
cagsm> problematic to run something different from susefirewall2.
>> Have a look at https://bugzilla.novell.com/show_bug.cgi?id=907335 as it is the only bug opened for the same topic.
>> There is not much I can do unless wicked fixes the mess it created
John> You could ask on the shorewall list,
John> shorewall-users@lists.sourceforge.net or fire off a quick email to
John> Tom Eastep at teastep@shorewall.net
John> Some info is found searching the Shorewall list archive:
John> http://sourceforge.net/p/shorewall/mailman/search/?q=opensuse+13.2
And since I am the maintainer of shorewall packages the answer will be same, wicked has to stop thinking there is only SuSEfirewall2 as a firewall package
--
Life is endless possibilities
On Tue, Feb 10, 2015 at 11:38 AM, Togan Muftuoglu <toganm@opensuse.org> wrote:
> And since I am the maintainer of shorewall packages the answer will be same, wicked has to stop thinking there is only SuSEfirewall2 as a firewall package
Is there news on the shorewall and wicked or systemd stuff? I read about shorewall iteration 5.0 recently and they speak about systemd and new technology stuff in recent linux distributions. Does nobody at all run shorewall on current opensuse any more? I would like to have shorewall again on suse, which I had nicely running in the past. Thanks.
cagsm wrote:
> On Tue, Feb 10, 2015 at 11:38 AM, Togan Muftuoglu <toganm@opensuse.org> wrote:
>> And since I am the maintainer of shorewall packages the answer will be same, wicked has to stop thinking there is only SuSEfirewall2 as a firewall package
> Is there news on the shorewall and wicked or systemd stuff?
Why does wicked need to know about firewalls anyway?
--
Per Jessen, Zürich (20.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Sat, May 21, 2016 at 9:03 PM, Per Jessen <per@computer.org> wrote:
> Why does wicked need to know about firewalls anyway?
Isn't wicked in charge of the whole networking stack and stuff in coop with systemd. There can't be no shorewall without wicked compatibility as far as I understand. Apparently shorewall has some references or support to systemd, but wicked is opensuse specialty only, am I wrong?
cagsm wrote:
> On Sat, May 21, 2016 at 9:03 PM, Per Jessen <per@computer.org> wrote:
>> Why does wicked need to know about firewalls anyway?
> Isn't wicked in charge of the whole networking stack and stuff in coop with systemd. There can't be no shorewall without wicked compatibility as far as I understand. Apparently shorewall has some references or support to systemd, but wicked is opensuse specialty only, am I wrong?
wicked knows nothing about my own firewall script. I have maintained my own for years, from before SuSEfirewall, and it works just fine. A firewall is nothing but a collection of iptables rules. I don't see much reason for wicked to know about it.
If it does have a need to fiddle with the firewall, wicked ought to provide some hooks which every firewall can interface with.
--
Per Jessen, Zürich (9.4°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 05/24/2016 02:30 AM, Per Jessen wrote:
> cagsm wrote:
>> On Sat, May 21, 2016 at 9:03 PM, Per Jessen <per@computer.org> wrote:
>>> Why does wicked need to know about firewalls anyway?
>> Isn't wicked in charge of the whole networking stack and stuff in coop with systemd. There can't be no shorewall without wicked compatibility as far as I understand. Apparently shorewall has some references or support to systemd, but wicked is opensuse specialty only, am I wrong?
> wicked knows nothing about my own firewall script. I have maintained my own for years, from before SuSEfirewall, and it works just fine. A firewall is nothing but a collection of iptables rules. I don't see much reason for wicked to know about it.
> If it does have a need to fiddle with the firewall, wicked ought to provide some hooks which every firewall can interface with.
Maybe you should do what I did and switch your firewall to pfsense. It just works.
James Knott wrote:
> On 05/24/2016 02:30 AM, Per Jessen wrote:
>> cagsm wrote:
>>> On Sat, May 21, 2016 at 9:03 PM, Per Jessen <per@computer.org> wrote:
>>>> Why does wicked need to know about firewalls anyway?
>>> Isn't wicked in charge of the whole networking stack and stuff in coop with systemd. There can't be no shorewall without wicked compatibility as far as I understand. Apparently shorewall has some references or support to systemd, but wicked is opensuse specialty only, am I wrong?
>> wicked knows nothing about my own firewall script. I have maintained my own for years, from before SuSEfirewall, and it works just fine. A firewall is nothing but a collection of iptables rules. I don't see much reason for wicked to know about it.
>> If it does have a need to fiddle with the firewall, wicked ought to provide some hooks which every firewall can interface with.
> Maybe you should do what I did and switch your firewall to pfsense. It just works.
So does my firewall, has done for years :-)
--
Per Jessen, Zürich (11.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 05/24/2016 06:27 AM, Per Jessen wrote:
>> Maybe you should do what I did and switch your firewall to pfsense.
>> It just works.
> So does my firewall, has done for years :-)
I also used openSUSE for my firewall for many years. However, getting it to work with dhcpv6-pd made me move. Also, support for IPv6 in the openSUSE firewall was weak. I had to manually edit the firewall script to handle things in IPv6. With pfsense, you can specify if something is for IPv4, IPv6 or both.
James Knott wrote:
> On 05/24/2016 06:27 AM, Per Jessen wrote:
>>> Maybe you should do what I did and switch your firewall to pfsense.
>>> It just works.
>> So does my firewall, has done for years :-)
> I also used openSUSE for my firewall for many years. However, getting it to work with dhcpv6-pd made me move.
Yeah, that is a nuisance. :-(
> Also, support for IPv6 in the openSUSE firewall was weak. I had to manually edit the firewall script to handle things in IPv6.
I just have two scripts, they're virtually the same.
--
Per Jessen, Zürich (13.0°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2016-05-24 08:30, Per Jessen wrote:
> wicked knows nothing about my own firewall script. I have maintained my own for years, from before SuSEfirewall, and it works just fine. A firewall is nothing but a collection of iptables rules. I don't see much reason for wicked to know about it.
I think that the idea may be to configure the firewall differently depending on what network you are at the time. Like home or work.
--
Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Carlos E. R. wrote:
> On 2016-05-24 08:30, Per Jessen wrote:
>> wicked knows nothing about my own firewall script. I have maintained my own for years, from before SuSEfirewall, and it works just fine. A firewall is nothing but a collection of iptables rules. I don't see much reason for wicked to know about it.
> I think that the idea may be to configure the firewall differently depending on what network you are at the time. Like home or work.
If you're on a portable device, I think you are more likely to be using network manager?
--
Per Jessen, Zürich (13.0°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2016-05-24 13:07, Per Jessen wrote:
> Carlos E. R. wrote:
>> I think that the idea may be to configure the firewall differently depending on what network you are at the time. Like home or work.
> If you're on a portable device, I think you are more likely to be using network manager?
Yes, probably. I don't really know what are the capabilities and expectations of wicked, I'm on 13.1 and wicked is precisely one of the reasons I skipped 13.2. I suppose it does have some autoconfiguration capabilities. Plus, if network manager goes better with shorewall, then wicked should also work with it for consistency. It wouldn't do to have to switch wicked/nm and it forcing SuSEfirewall2/shorewall. All combinations should work.
--
Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
cagsm wrote:
> On Sat, May 21, 2016 at 9:03 PM, Per Jessen <per@computer.org> wrote:
>> Why does wicked need to know about firewalls anyway?
> Isn't wicked in charge of the whole networking stack and stuff in coop with systemd. There can't be no shorewall without wicked compatibility as far as I understand. Apparently shorewall has some references or support to systemd, but wicked is opensuse specialty only, am I wrong?
Actually, let's get back to $SUBJ - it seems to me shorewall ought to work just fine, with or without wicked. Are you having a problem with it?
--
Per Jessen, Zürich (11.8°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Sat, May 21, 2016 at 10:03 PM, Per Jessen <per@computer.org> wrote:
> cagsm wrote:
>> On Tue, Feb 10, 2015 at 11:38 AM, Togan Muftuoglu <toganm@opensuse.org> wrote:
>>> And since I am the maintainer of shorewall packages the answer will be same, wicked has to stop thinking there is only SuSEfirewall2 as a firewall package
>> Is there news on the shorewall and wicked or systemd stuff?
> Why does wicked need to know about firewalls anyway?
E.g. you need to allow specific ports and protocols when doing VPN; it would be helpful if wicked (or NM or whatever) could automatically do it when VPN is configured (or, better, when connection is activated).
Andrei Borzenkov wrote:
> On Sat, May 21, 2016 at 10:03 PM, Per Jessen <per@computer.org> wrote:
>> cagsm wrote:
>>> On Tue, Feb 10, 2015 at 11:38 AM, Togan Muftuoglu <toganm@opensuse.org> wrote:
>>>> And since I am the maintainer of shorewall packages the answer will be same, wicked has to stop thinking there is only SuSEfirewall2 as a firewall package
>>> Is there news on the shorewall and wicked or systemd stuff?
>> Why does wicked need to know about firewalls anyway?
> E.g. you need to allow specific ports and protocols when doing VPN; it would be helpful if wicked (or NM or whatever) could automatically do it when VPN is configured (or, better, when connection is activated).
Not a bad example - does wicked actually run VPNs? I have used openvpn for 10 years now - just got reminded yesterday when the certs expired :-) Took me a while to work out what needed doing ....
--
Per Jessen, Zürich (23.5°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 21/05/16 18:45, cagsm wrote:
> On Tue, Feb 10, 2015 at 11:38 AM, Togan Muftuoglu <toganm@opensuse.org> wrote:
>> And since I am the maintainer of shorewall packages the answer will be same, wicked has to stop thinking there is only SuSEfirewall2 as a firewall package
> Is there news on the shorewall and wicked or systemd stuff? I read about shorewall iteration 5.0 recently and they speak about systemd and new technology stuff in recent linux distributions. Does nobody at all run shorewall on current opensuse any more? I would like to have shorewall again on suse, which I had nicely running in the past. Thanks.
In the past few days I have set up shorewall on my desktop computer, running openSUSE Leap 42.1, which also connects to some other machines on the LAN. I am a total newbie with regards to firewalls, but I found shorewall easier to understand than SUSEfirewall2 and better documented, with numerous examples. The one problem I had was quickly solved on the shorewall-users mailing list, and even that problem could have been sorted by me RTFMing a bit more than I had.
Bob
--
Bob Williams
System: Linux 4.1.20-11-default
Distro: openSUSE 42.1 (x86_64)
Desktop: KDE Frameworks: 5.21.0, Qt: 5.5.1 and Plasma:
On Tue, May 24, 2016 at 11:17 AM, Bob Williams <linux@karmasailing.uk> wrote:
> In the past few days I have set up shorewall on my desktop computer, running openSUSE Leap 42.1, which also connects to some other machines on the LAN. I am a total newbie with regards to firewalls, but I found shorewall easier to understand than SUSEfirewall2 and better documented, with numerous examples. The one problem I had was quickly solved on the shorewall-users mailing list, and even that problem could have been sorted by me RTFMing a bit more than I had.
Okay so thanks for this valuable hint, I was simply coming back to this existing thread on the opensuse ml which spoke about some lackings of opensuse to work with shorewall. Now that you are reporting that you managed to run it on leap, I will try as well as soon as possible. Which shorewall version and in what technical ways did you install on your leap? What do they speak about leap and shorewall on the shorewall lists? Thanks for helping.
On 24/05/16 11:52, cagsm wrote:
> On Tue, May 24, 2016 at 11:17 AM, Bob Williams <linux@karmasailing.uk> wrote:
>> In the past few days I have set up shorewall on my desktop computer, running openSUSE Leap 42.1, which also connects to some other machines on the LAN. I am a total newbie with regards to firewalls, but I found shorewall easier to understand than SUSEfirewall2 and better documented, with numerous examples. The one problem I had was quickly solved on the shorewall-users mailing list, and even that problem could have been sorted by me RTFMing a bit more than I had.
> Okay so thanks for this valuable hint, I was simply coming back to this existing thread on the opensuse ml which spoke about some lackings of opensuse to work with shorewall. Now that you are reporting that you managed to run it on leap, I will try as well as soon as possible. Which shorewall version and in what technical ways did you install on your leap? What do they speak about leap and shorewall on the shorewall lists? Thanks for helping.
I'm using shorewall 4.6 from the openSUSE OSS repo, installed using zypper. I followed the examples online and in the man pages to set up the various scripts (policy, zones, interfaces, rules etc). No one commented on the fact that I'm using Leap when I posted my question, even though I included that information.
Bob
--
Bob Williams
System: Linux 4.1.20-11-default
Distro: openSUSE 42.1 (x86_64)
Desktop: KDE Frameworks: 5.21.0, Qt: 5.5.1 and Plasma:
participants (8)
- Andrei Borzenkov
- Bob Williams
- cagsm
- Carlos E. R.
- James Knott
- John Andersen
- Per Jessen
- Togan Muftuoglu