Mailinglist Archive: opensuse-factory (745 mails)

Re: [opensuse-factory] firewalld migration
  • From: Darin Perusich <darin@xxxxxxxxxx>
  • Date: Wed, 31 Jan 2018 09:20:25 -0500
  • Message-id: <CADaviKuxEF8b9y=+FzLynZYKfGPEQtyjc9bj-VbGM+Qo8fbXNg@mail.gmail.com>
On Wed, Jan 31, 2018 at 5:43 AM, Matthias Gerstner <mgerstner@xxxxxxx> wrote:
Hello,

are there plans to implement "everything" that SuSEfirewall2 did under
the hood, with firewalld or other mechanisms?

Not everything. It's a best-effort approach. I would say the aim is to
be able to migrate typical use cases without much trouble.

Best effort is certainly practical. I guess my only expectation would be
that when enabling a service the same rules be added that SF2 would
add, if possible.

For example, enabling the apache2 service:
- yast firewall services add service=service:apache2 zone=EXT
- LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
- ACCEPT tcp -- anywhere anywhere tcp dpt:http

Not all features that SF2 provides are still relevant today, or they
cause complexities that are difficult to manage. firewalld, on the other
hand, also provides features that SF2 does not have: a clean and well-defined
interface, for example.

I liked how SF2 created the LOG rules for each services enabled and
would hate to see it go away.

SF2 allowed very complex LOG rule setups. firewalld only allows generally
logging dropped/rejected packets, independently of the involved
service. You can still add custom LOG rules.

How about the more obscure things like loading kernel modules when
FW_KERNEL_SECURITY or FW_LOAD_MODULES are set?

Regarding KERNEL_SECURITY the kernel has improved much in terms of
default values. SF2 currently only touches three items: log_martians,
accept_source_route and rp_filter. This option also was a source of
confusion in the past, because it didn't respect sysctl configuration.
It's better to perform these settings explicitly via sysctl in the
future.

I agree these should be set via sysctl and it's bitten me in the past.

Regarding FW_LOAD_MODULES, firewalld is able to load required modules
like nf_conntrack_netbios_ns in a service context. For example, if the
samba-client service is enabled then this module will implicitly be
loaded.

What about "yast firewall", will this be ported? I'm sure there are
more, but these are the few that come to mind.

The YaST firewall module will be delayed a bit. There will be a time
without a functioning one. As long as you have an X server available you
can use the firewall-config GUI instead.

I'm less concerned about the GUI, I typically only use it to see what
values it would set in /etc/sysconfig/SuSEfirewall2. I'm more
interested in the CLI interface that 'yast firewall' provides, but I
guess that would be replaced by firewall-cmd. I wrote the susefw
Puppet module and that leverages the CLI, but since I'm no longer
using Puppet it'll probably just die a slow death.

Generally I'd like to say that you can also contribute to firewalld to
add features that are missing at the moment. I have the impression that
the upstream project is a bit thin on manpower at the moment.

Regards

Matthias

--
Matthias Gerstner <matthias.gerstner@xxxxxxx>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Telefon: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Linux GmbH
GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nuernberg)
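The thread above raises two migration questions: how to keep SF2's per-service LOG rule (the "SFW2-INext-ACC-TCP" example) once firewalld is in charge, and where the FW_KERNEL_SECURITY sysctls should live once SF2 no longer sets them. The script below is an added example, not code from the thread, from SUSE or from the firewalld project. It assumes firewalld's built-in "external" zone plays the role of SF2's EXT zone, that the firewalld service name for apache2 is "http", and that the three sysctl values shown are the usual hardening defaults rather than a quote of what SF2 set; the file name under /etc/sysctl.d is likewise a made-up choice. It uses firewalld's rich rule language (a single rule that logs with a rate limit and accepts), which is the "custom LOG rules" route mentioned in the reply; rich rules take a "N/m" limit but have no burst parameter, so SF2's "avg 3/min burst 5" becomes "3/m".

```shell
#!/bin/sh
# Added example: approximate what SuSEfirewall2 did when a service was enabled
# (a rate-limited LOG rule plus an ACCEPT) with one firewalld rich rule, and
# move the FW_KERNEL_SECURITY sysctls into a sysctl.d fragment.
# Assumptions (not from the thread): zone "external" stands in for SF2's EXT,
# the service is a firewalld service name, sysctl values are common hardening
# defaults, and the sysctl.d file name is arbitrary.
set -eu

# Build the rich rule text. The SF2-style prefix "SFW2-IN<zone>-ACC-TCP " is
# kept so existing log parsers keep matching.
sfw2_log_rule() {
    service="$1"    # firewalld service name, e.g. http
    zone_tag="$2"   # zone letters used in the SF2 prefix, e.g. ext
    printf 'rule service name="%s" log prefix="SFW2-IN%s-ACC-TCP " level="warning" limit value="3/m" accept' \
        "$service" "$zone_tag"
}

# Print the firewall-cmd invocation that would install the rule permanently.
sfw2_firewall_cmd() {
    zone="$1"; service="$2"; zone_tag="$3"
    printf "firewall-cmd --permanent --zone=%s --add-rich-rule='%s'\n" \
        "$zone" "$(sfw2_log_rule "$service" "$zone_tag")"
}

# Emit a sysctl.d fragment for the three items the thread says SF2 touched.
sfw2_sysctl_fragment() {
    cat <<'EOF'
# replaces SuSEfirewall2 FW_KERNEL_SECURITY (values are hardening defaults)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}

# "apply" installs the rule and fragment when firewall-cmd is present;
# anything else (the default) only prints what would be done.
sfw2_migrate() {
    mode="${1:-dry-run}"
    if [ "$mode" = apply ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --zone=external --add-rich-rule="$(sfw2_log_rule http ext)"
        firewall-cmd --reload
        sfw2_sysctl_fragment > /etc/sysctl.d/50-sfw2-kernel-security.conf
        sysctl --system
    else
        sfw2_firewall_cmd external http ext
        echo "--- /etc/sysctl.d/50-sfw2-kernel-security.conf ---"
        sfw2_sysctl_fragment
    fi
}

sfw2_migrate "${1:-dry-run}"
```

Run it without arguments to see the firewall-cmd line and the sysctl fragment it would write; `sh migrate.sh apply` installs both on a host that has firewall-cmd. After applying, `firewall-cmd --zone=external --list-rich-rules` shows the rule and `sysctl net.ipv4.conf.all.rp_filter` confirms the kernel value no longer depends on the firewall script.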
