Mailinglist Archive: opensuse-factory (745 mails)

Re: [opensuse-factory] firewalld migration
Hello,

are there plans to implement "everything" that SuSEfirewall2 did under
the hood, with firewalld or other mechanisms?

not everything. It's a best effort approach. I would say the aim is to
be able to migrate typical use cases without much trouble.

Not all features that SF2 provides are still relevant today or they
cause complexities that are difficult to manage. firewalld on the other
hand also provides features that SF2 does not have. A clean and well
defined interface for example.

I liked how SF2 created the LOG rules for each service enabled and
would hate to see it go away.

SF2 allowed very complex LOG rule setups. firewalld only allows to
generally log dropped/rejected packets independently of the involved
service. You can still add custom LOG rules.

How about the more obscure things like loading kernel modules when
FW_KERNEL_SECURITY or FW_LOAD_MODULES are set?

Regarding KERNEL_SECURITY the kernel has improved much in terms of
default values. SF2 currently only touches three items: log_martians,
accept_source_route and rp_filter. This option also was a source of
confusion in the past, because it didn't respect sysctl configuration.
It's better to perform these settings explicitly via sysctl in the
future.

Regarding FW_LOAD_MODULES, firewalld is able to load required modules
like nf_conntrack_netbios_ns in a service context. For example if the
samba-client service is enabled then this module will implicitly be
loaded.

What about "yast firewall", will this be ported? I'm sure there are
more, but these are the few that come to mind.

The YaST firewall module will be delayed a bit. There will be a time
without a functioning one. As long as you have an X server available you
can use the firewall-config GUI instead.

Generally I'd like to say that you can also contribute to firewalld to
add features that are missing at the moment. I have the impression that
the upstream project is a bit thin on manpower at the moment.

Regards

Matthias

--
Matthias Gerstner <matthias.gerstner@xxxxxxx>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
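
The mail above recommends setting log_martians, accept_source_route and rp_filter explicitly via sysctl once SuSEfirewall2 no longer touches them. The following is an added example, not part of the original mail or of SuSEfirewall2 or firewalld: it audits the effective per-interface value of those three settings. The target values and the function names are assumptions of this example.

```shell
#!/bin/sh
# Assumed targets for this example: log_martians on, accept_source_route off,
# rp_filter non-zero (1 = strict, 2 = loose).

# effective_setting ROOT IFACE KEY: print the value the kernel applies to IFACE,
# combining conf/all with the per-interface entry.
effective_setting() {
    all=$(cat "$1/net/ipv4/conf/all/$3")
    own=$(cat "$1/net/ipv4/conf/$2/$3")
    case "$3" in
        rp_filter)            # kernel uses max(all, iface)
            if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi ;;
        log_martians)         # on if all OR iface is set
            if [ "$all" -ne 0 ] || [ "$own" -ne 0 ]; then echo 1; else echo 0; fi ;;
        accept_source_route)  # on only if all AND iface are set
            if [ "$all" -ne 0 ] && [ "$own" -ne 0 ]; then echo 1; else echo 0; fi ;;
    esac
}

# audit_kernel_security [ROOT]: ROOT defaults to /proc/sys. Prints one line per
# deviation and returns 1 if any interface deviates, 0 otherwise.
audit_kernel_security() {
    root="${1:-/proc/sys}"
    rc=0
    for dir in "$root"/net/ipv4/conf/*/; do
        if [ ! -d "$dir" ]; then continue; fi
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        for key in log_martians accept_source_route rp_filter; do
            have=$(effective_setting "$root" "$iface" "$key")
            if [ "$key" = accept_source_route ]; then
                if [ "$have" -eq 0 ]; then continue; fi
            else
                if [ "$have" -ne 0 ]; then continue; fi
            fi
            echo "$iface: effective $key is $have"
            rc=1
        done
    done
    return "$rc"
}
```

Source the file and call `audit_kernel_security` with no argument to check the running system; the optional argument exists so the check can be pointed at a copied or constructed tree.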