Mailinglist Archive: yast-devel (65 mails)

[yast-devel] SUSE firewalling
  • From: Karol Mroz <kmroz@xxxxxxx>
  • Date: Thu, 14 May 2015 17:14:46 -0700
  • Message-id: <20150514171446.2704956c@callisto>
Hello YaST-Developers,

We (me with the support/insight of Olaf, Scott, Coolo and Ludwig) are
looking at a firewall solution overhaul for SLE/openSUSE. Reaching out
to Lucas, the suggestion was to post a writeup here in the hopes of
garnering some interest from the YaST community.

After discussions on opensuse-factory, and some research, we decided
that "firewalld" appears to be an attractive project that we could
leverage. It is under active development, supports zones, network
services, has both command and graphical interfaces and speaks dbus.

Our goal is to provide a modern firewall solution that integrates well
with our network management, and with our system as a whole. At the
heart of this integration is YaST.

For the time being, firewalld is strictly an alternative/option to our
existing SuSEFirewall2. There is still much to do before it can stand
on its own two feet.

The bulk of the work thus far has been centered in the core yast
module, specifically the SuSEFirewall module/class. A Firewall
'factory' class has been added that checks which backend packages are
installed/enabled when instantiating the SuSEFirewall instance
constant. Some of the common functionality has been moved into the
factory class, and a basic firewalld module has been added to provide
the initial interface between YaST and firewalld. From here, a little
augmentation of CWMFirewallInterfaces allowed for the beginnings to
support punching holes in the firewalld-based firewall, occurring from
our various network service modules (NIS, NTP, NFS). Initial
provisioning for unit tests has also been made (no actual tests
yet) and investigating SF2 configuration file support is beginning.
There was also time spent, very early on, enabling the yast-firewall
module to start/stop/enable the two different backends (though this was
work done early on to get a feel for YaST development and has not been
the focus of late).

The next immediate challenges are:

1. Supporting existing /etc/sysconfig/SuSEfirewall2 configuration files
Initial thoughts would be to convert as much of these configurations to
running firewalld configurations as possible. Conversion would be
one-way only (i.e. changes made from firewalld would not be reflected in
SF2). If firewalld becomes the only solution we support, this would at
least allow for smoother adoption.

2. yast-firewall module
Keeping in mind that both backends will, for the moment, co-exist, how
should our yast-firewall module handle them? Do we leave yast-firewall
to allow legacy support for generating SuSEfirewall2 configurations? Do
we incorporate "some" support for firewalld? Do we drop yast-firewall
altogether?

3. Unit tests
While the skeleton for writing firewalld-based unit tests is present,
interacting with the firewalld APIs (CLI, etc.) requires firewalld to be
running. How can we leverage the build-time testing infrastructure to
support this?

4. dbus
Currently, the firewalld support module uses the shell interface.
Ultimately, tapping into dbus would be ideal. This is also interesting
as we could look into building interfaces with Wicked and allow for
firewalld control from within our network management tools.

5. TBD :D

If you've read this far and find this work of interest, we'd like to
hear from you! Any suggestions, comments or potential for collaboration
would be most welcome.

If you'd like to have a look at the current state of things, you can
find the core stuff here:
https://github.com/yast/yast-yast2/compare/master...kmroz:firewalld-oo

Regards,
Karol
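As an added illustration of the one-way SuSEfirewall2-to-firewalld conversion sketched in item 1 above (this is not code from yast-yast2 or the kmroz:firewalld-oo branch): it parses a constructed /etc/sysconfig/SuSEfirewall2 fragment and emits the equivalent permanent firewall-cmd calls, reporting whatever it could not translate. The zone mapping, the subset of keys handled and the sample values are assumptions made for this example.

```ruby
require "shellwords"

# SuSEfirewall2 device groups mapped to firewalld zones (assumed mapping).
ZONE_FOR = { "EXT" => "public", "INT" => "internal", "DMZ" => "dmz" }.freeze

# Parse KEY="value" lines of a sysconfig file into a hash, dropping comments and blanks.
def parse_sf2(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.split("#", 2).first.strip
    next if line.empty?
    key, value = line.split("=", 2)
    next unless key && value
    cfg[key.strip] = value.strip.delete_prefix('"').delete_suffix('"')
  end
end

# Emit permanent firewall-cmd calls for interface binding and plain TCP/UDP ports.
# Everything else is listed as unconverted so a one-way migration never silently drops policy.
def sf2_to_firewalld(cfg)
  cmds, skipped = [], []
  ZONE_FOR.each do |group, zone|
    cfg.fetch("FW_DEV_#{group}", "").split.each do |dev|
      # "any" is an SF2 catch-all, not an interface name; leave it to the admin.
      next skipped << "FW_DEV_#{group}=#{dev}" if dev == "any"
      cmds << "firewall-cmd --permanent --zone=#{zone} --change-interface=#{Shellwords.escape(dev)}"
    end
    %w[TCP UDP].each do |proto|
      cfg.fetch("FW_SERVICES_#{group}_#{proto}", "").split.each do |port|
        spec = port.tr(":", "-") # SF2 writes ranges "low:high", firewalld "low-high"
        next skipped << "FW_SERVICES_#{group}_#{proto}=#{port}" unless spec =~ /\A\d+(-\d+)?\z/
        cmds << "firewall-cmd --permanent --zone=#{zone} --add-port=#{spec}/#{proto.downcase}"
      end
    end
  end
  handled = /\AFW_(DEV_(EXT|INT|DMZ)|SERVICES_(EXT|INT|DMZ)_(TCP|UDP))\z/
  skipped.concat(cfg.keys.grep(/\AFW_/).reject { |k| k.match?(handled) })
  { commands: cmds, unconverted: skipped }
end

# Constructed sample configuration (not taken from a real system).
SAMPLE_SF2 = <<~CFG
  FW_DEV_EXT="eth0"
  FW_DEV_INT="eth1"
  FW_SERVICES_EXT_TCP="22 80 443"
  FW_SERVICES_EXT_UDP="1194"
  FW_SERVICES_INT_TCP="2049 111:1024"
  FW_MASQUERADE="no"   # not handled by this converter
CFG
```

Calling `sf2_to_firewalld(parse_sf2(SAMPLE_SF2))` yields eight firewall-cmd lines (two interface bindings, six port openings) and lists FW_MASQUERADE as unconverted, which is the kind of residue a migration tool would have to surface to the administrator.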