[yast-devel] SUSE firewalling
Hello YaST-Developers,

We (me with the support/insight of Olaf, Scott, Coolo and Ludwig) are looking at a firewall solution overhaul for SLE/openSUSE. Reaching out to Lucas, the suggestion was to post a writeup here in the hopes of garnering some interest from the YaST community.

After discussions on opensuse-factory, and some research, we decided that "firewalld" appears to be an attractive project that we could leverage. It is under active development, supports zones, network services, has both command and graphical interfaces and speaks dbus.

Our goal is to provide a modern firewall solution that integrates well with our network management, and with our system as a whole. At the heart of this integration is YaST. For the time being, firewalld is strictly an alternative/option to our existing SuSEFirewall2. There is still much to do before it can stand on its own two feet.

The bulk of the work thus far has been centered in the core yast module, specifically the SuSEFirewall module/class. A Firewall 'factory' class has been added that checks which backend packages are installed/enabled when instantiating the SuSEFirewall instance constant. Some of the common functionality has been moved into the factory class, and a basic firewalld module has been added to provide the initial interface between YaST and firewalld. From here, a little augmentation of CWMFirewallInterfaces allowed for the beginnings of support for punching holes in the firewalld-based firewall, occurring from our various network service modules (NIS, NTP, NFS). Initial provisioning for unit tests has also been made (no actual tests yet) and investigating SF2 configuration file support is beginning. There was also time spent, very early on, enabling the yast-firewall module to start/stop/enable the two different backends (though this was work done early on to get a feel for YaST development and has not been the focus of late).

The next immediate challenges are:

1. Supporting existing /etc/sysconfig/SuSEfirewall2 configuration files

Initial thoughts would be to convert as much of these configurations to running firewalld configurations as possible. Conversion would be one-way only (i.e. changes made from firewalld would not be reflected in SF2). If firewalld becomes the only solution we support, this would at least allow for smoother adoption.

2. yast-firewall module

Keeping in mind that both backends will, for the moment, co-exist, how should our yast-firewall module handle them? Do we leave yast-firewall to allow legacy support for generating SuSEfirewall2 configurations? Do we incorporate "some" support for firewalld? Do we drop yast-firewall altogether?

3. Unit tests

While the skeleton for writing firewalld-based unit tests is present, interacting with the firewalld APIs (CLI, etc.) requires firewalld to be running. How can we leverage the build-time testing infrastructure to support this?

4. dbus

Currently, the firewalld support module uses the shell interface. Ultimately, tapping into dbus would be ideal. This is also interesting as we could look into building interfaces with Wicked and allow for firewalld control from within our network management tools.

5. TBD :D

If you've read this far and find this work of interest, we'd like to hear from you! Any suggestions, comments or potential for collaboration would be most welcome. If you'd like to have a look at the current state of things, you can find the core stuff here:

https://github.com/yast/yast-yast2/compare/master...kmroz:firewalld-oo

Regards,
Karol
Karol Mroz
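The first challenge in the post above, a one-way conversion of an existing /etc/sysconfig/SuSEfirewall2 file into firewalld configuration, as an added example. This is not code from the YaST project or from Karol's firewalld-oo branch; it is a stand-alone Ruby sketch (YaST is written in Ruby) of what such a converter has to deal with. The sample config is constructed, and the SF2-zone-to-firewalld-zone mapping (EXT/INT/DMZ to public/trusted/dmz) and the SF2-service-to-firewalld-service mapping are assumptions made for the example; firewall-cmd's --permanent, --zone, --change-interface, --add-port, --add-service and --reload options are real.

```ruby
# Added example, not YaST project code. Converts a SuSEfirewall2 sysconfig
# file into firewall-cmd invocations. Zone and service mappings are assumed.
require "shellwords"

# Constructed sample of /etc/sysconfig/SuSEfirewall2 (not from a real host).
# FW_DEV_INT is deliberately empty and two entries are deliberately untranslatable.
SAMPLE_SF2 = <<~CONF
  ## Path: Network/Firewall/SuSEfirewall2
  FW_DEV_EXT="eth0"
  FW_DEV_INT=""
  FW_DEV_DMZ="eth1"
  FW_SERVICES_EXT_TCP="22 80 443 5000:5010"
  FW_SERVICES_EXT_UDP="123"
  FW_SERVICES_DMZ_TCP="80 bogus"
  FW_CONFIGURATIONS_EXT="sshd"
  FW_CONFIGURATIONS_DMZ="apache2 unknown-thing"
CONF

# Assumed mapping of SF2 zones to firewalld's built-in zones.
ZONE_MAP = { "EXT" => "public", "INT" => "trusted", "DMZ" => "dmz" }.freeze

# Assumed mapping of SF2 service-definition names to firewalld service names.
SERVICE_MAP = { "sshd" => "ssh", "apache2" => "http" }.freeze

# Parse sysconfig-style KEY="value" lines; comments and blanks are skipped and
# the value is unquoted the way the shell would do it.
def parse_sysconfig(text)
  text.each_line.each_with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, sep, raw = line.partition("=")
    next if sep.empty? || !key.match?(/\A[A-Z0-9_]+\z/)
    conf[key] = Shellwords.split(raw).first.to_s
  end
end

# SF2 writes port ranges as "low:high"; firewalld expects "low-high".
# Returns nil for anything that is not a numeric port or port range
# (SF2 also accepts names from /etc/services; those are not resolved here).
def to_firewalld_port(token)
  return nil unless token.match?(/\A\d+(:\d+)?\z/)
  token.tr(":", "-")
end

# Build the permanent firewall-cmd invocations as argv arrays (to be run via
# system(*argv), never interpolated into a shell string). Anything that cannot
# be translated is reported in :warnings instead of being silently dropped.
def sf2_to_firewalld(text)
  conf = parse_sysconfig(text)
  commands = []
  warnings = []

  ZONE_MAP.each do |sf2_zone, fw_zone|
    dev = conf.fetch("FW_DEV_#{sf2_zone}", "")
    next if dev.empty? # zone has no interface assigned, nothing to convert

    base = ["firewall-cmd", "--permanent", "--zone=#{fw_zone}"]
    dev.split.each { |iface| commands << base + ["--change-interface=#{iface}"] }

    %w[TCP UDP].each do |proto|
      conf.fetch("FW_SERVICES_#{sf2_zone}_#{proto}", "").split.each do |token|
        port = to_firewalld_port(token)
        if port
          commands << base + ["--add-port=#{port}/#{proto.downcase}"]
        else
          warnings << "#{sf2_zone}: cannot translate #{proto} entry #{token.inspect}"
        end
      end
    end

    conf.fetch("FW_CONFIGURATIONS_#{sf2_zone}", "").split.each do |svc|
      if SERVICE_MAP.key?(svc)
        commands << base + ["--add-service=#{SERVICE_MAP[svc]}"]
      else
        warnings << "#{sf2_zone}: no firewalld service known for #{svc.inspect}"
      end
    end
  end

  # --permanent changes only take effect after a reload.
  commands << ["firewall-cmd", "--reload"] unless commands.empty?
  { commands: commands, warnings: warnings }
end

# Display-only rendering for review; tokens never contain whitespace here.
def render(result)
  result[:commands].map { |argv| argv.join(" ") }
end

if __FILE__ == $PROGRAM_NAME
  result = sf2_to_firewalld(SAMPLE_SF2)
  puts render(result)
  warn result[:warnings].join("\n") unless result[:warnings].empty?
end
```

Because the conversion is one-way, the untranslatable entries (a non-numeric port token, an SF2 service with no firewalld counterpart) are surfaced as warnings so they can be handled by hand rather than lost; the commands are kept as argv arrays so the interface names and ports read from the file are never fed through a shell.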