Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Michael Scherer]

Le jeudi 15 novembre 2012 à 09:06 -0800, Adam Williamson a écrit :
 On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
  
  Am 15.11.2012 13:33, schrieb Michael Scherer:
   Le jeudi 15 novembre 2012 à 03:23 +0100, Kevin Kofler a écrit :
   iptables rules are a long-established cross-
   distribution interface
   
   Not really. For example, ubuntu use ufw, mandriva used shorewall. Debian
   offered several frontend, but IIRC, didn't use one by default
  
  and they ALL using iptables/netfilter
  
  so if you write a iptables.sh you get it run on ANY distribution
  and that was the point
 
 Right. I hate to say it, but Harald is correct here: AFAIK, all those
 and other firewall configuration mechanisms were ultimately just
 UI/abstraction layers wrapped around iptables. They wrote iptables
 rules. firewalld is very different.

Usually, if you use shorewall, nuface, ufw, etc and iptables side by
side, there is inconsistency.

As long iptables exist, you will have to do the exact same thing :
- disable the firewall of the distribution ( which is already a non
portable part of the installation )
- run either :
 - a script with lots of iptables calls ( quite awful, slow and
unauditable in practice as Reindl explained in another mail, and as I
too often seen at customers deployment )
 - a script that run 1 command, iptables-restore  file. Which is
equally as awful and unauditable, but faster.

I do not see what firewalld would change to that. Disable it, run what
you want instead.

The only issue is always the same, if you want to run 2 systems side by
side, you have to make work to integrate them. For example, shorewall
will set the default policy for a table, create new one, flush the
current one, etc. So as a sane iptables scripts will do the same, you
cannot run them one after the other and expect things to work smoothly.

And for firewalld, the problem is that firewalld do stuff that a simple
script cannot, namely offering a dbus interface, and so the script
cannot simply replace firewalld ( and never will ). Previous systems
were simple enough that you could just remove them and do the work by
hand. Firewalld provides more and if applications do not cope with non
existant firewalld, then this will be bad.

However, I do not expect having a hard dependency on it for a few years,
since this would mean that such applications no longer work on
distribution that do not ship firewalld ( like for example current
version of RHEL ). 

-- 
Michael Scherer

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Miloslav Trmač]

On Thu, Nov 15, 2012 at 3:23 AM, Kevin Kofler kevin.kof...@chello.at wrote:
 And what about the many system administrators using handwritten
 rules (see Harald Reindl's reply)?
There is a --direct option that is supposed to provide a
compatibility/escape mechanism with full iptables functionality (and
mostly same syntax).  Last release cycle it appeared to work; testing
it with some demanding real-world scripts would be interesting.
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Michael Scherer]

Le jeudi 15 novembre 2012 à 03:23 +0100, Kevin Kofler a écrit :
  iptables rules are a long-established cross-
 distribution interface

Not really. For example, ubuntu use ufw, mandriva used shorewall. Debian
offered several frontend, but IIRC, didn't use one by default. 

And I have worked as firewall admin and developper, and while netfilter
is a impressive piece of work, this is more used as a framework than
anything. For example, one of the client wrote a script with automated
roolback in case of issue, and we ( my company ) wrote a tool to edit
rules without having to reload the whole firewall ( cause waiting 1
minutes to see if you crashed the whole network is not fun the 10 first
time ).

-- 
Michael Scherer

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Reindl Harald]

Am 15.11.2012 13:33, schrieb Michael Scherer:
 Le jeudi 15 novembre 2012 à 03:23 +0100, Kevin Kofler a écrit :
 iptables rules are a long-established cross-
 distribution interface
 
 Not really. For example, ubuntu use ufw, mandriva used shorewall. Debian
 offered several frontend, but IIRC, didn't use one by default

and they ALL using iptables/netfilter

so if you write a iptables.sh you get it run on ANY distribution
and that was the point



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Adam Williamson]

On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
 
 Am 15.11.2012 13:33, schrieb Michael Scherer:
  Le jeudi 15 novembre 2012 à 03:23 +0100, Kevin Kofler a écrit :
  iptables rules are a long-established cross-
  distribution interface
  
  Not really. For example, ubuntu use ufw, mandriva used shorewall. Debian
  offered several frontend, but IIRC, didn't use one by default
 
 and they ALL using iptables/netfilter
 
 so if you write a iptables.sh you get it run on ANY distribution
 and that was the point

Right. I hate to say it, but Harald is correct here: AFAIK, all those
and other firewall configuration mechanisms were ultimately just
UI/abstraction layers wrapped around iptables. They wrote iptables
rules. firewalld is very different.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Reindl Harald]

Am 15.11.2012 18:06, schrieb Adam Williamson:
 On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:

 Am 15.11.2012 13:33, schrieb Michael Scherer:
 Not really. For example, ubuntu use ufw, mandriva used shorewall. Debian
 offered several frontend, but IIRC, didn't use one by default

 and they ALL using iptables/netfilter

 so if you write a iptables.sh you get it run on ANY distribution
 and that was the point
 
 Right. I hate to say it, but Harald is correct here: AFAIK, all those
 and other firewall configuration mechanisms were ultimately just
 UI/abstraction layers wrapped around iptables. They wrote iptables
 rules. firewalld is very different.

and that is why i hardly hope iptables.service will be available
parallel to firewalld because both satisfy different needs

* firewalld: desktops, standard-setups
* iptables: users maintaining since forever their rules per shellscripts

i am one of the second groups and doing DISTRIBUTED iptables-configurations
for whole infrastructures since many years and using here any capability
of iptables which can be hardly covered with abstraction layers

firewalld is helpful for most average users and a fine idea
iptables.service is for the pople needing 100% control of each
netfilter-rule and it would be a great fault to try include any
capability in firewalld because it would be too complex to use
and finally not satifsy both user groups

if it supports any comination you can do with a script containing
some hundret iptables-commands it would became overloaded for the
average user while most likely my usage could still only be covered
partly

the only things i need are:

* /usr/sbin/iptables
* /sbin/iptables-save  /etc/sysconfig/iptables
* a service loading /etc/sysconfig/iptables at startup
* not collide with firewalld or forced to use it

if this is possible and firewalld is the default i am
happy, my workload stays fine and firewalld satisfies
other user-types - a perfect combination and a real
improvement at all




signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Miloslav Trmač]

On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald h.rei...@thelounge.net wrote:
 Am 15.11.2012 18:06, schrieb Adam Williamson:
 Right. I hate to say it, but Harald is correct here: AFAIK, all those
 and other firewall configuration mechanisms were ultimately just
 UI/abstraction layers wrapped around iptables. They wrote iptables
 rules. firewalld is very different.

(Side-reply to Adam:) I can't see the difference; /sbin/iptables still
works if you have firewalld running.

 i am one of the second groups and doing DISTRIBUTED iptables-configurations
 for whole infrastructures since many years and using here any capability
 of iptables which can be hardly covered with abstraction layers

It would be very helpful for judging the maturity/suitability of
firewalld if you could try converting your iptables script to
firewall-cmd --direct (which, at least I hope, should be possible to
do with a few sed commands), and report back whether the pass-through
capability is good enough.
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Adam Williamson]

On Thu, 2012-11-15 at 19:02 +0100, Miloslav Trmač wrote:
 On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald h.rei...@thelounge.net wrote:
  Am 15.11.2012 18:06, schrieb Adam Williamson:
  Right. I hate to say it, but Harald is correct here: AFAIK, all those
  and other firewall configuration mechanisms were ultimately just
  UI/abstraction layers wrapped around iptables. They wrote iptables
  rules. firewalld is very different.
 
 (Side-reply to Adam:) I can't see the difference; /sbin/iptables still
 works if you have firewalld running.

Sure, but the background here was the 'replace vs. augment' question -
is firewalld actually planned to replace iptables in the long run, or
are we committed to maintaining iptables as an alternative mechanism? It
sounds like harald would be happy if the latter is the case.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Miloslav Trmač]

On Thu, Nov 15, 2012 at 7:10 PM, Adam Williamson awill...@redhat.com wrote:
 On Thu, 2012-11-15 at 19:02 +0100, Miloslav Trmač wrote:
 On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald h.rei...@thelounge.net 
 wrote:
  Am 15.11.2012 18:06, schrieb Adam Williamson:
  Right. I hate to say it, but Harald is correct here: AFAIK, all those
  and other firewall configuration mechanisms were ultimately just
  UI/abstraction layers wrapped around iptables. They wrote iptables
  rules. firewalld is very different.

 (Side-reply to Adam:) I can't see the difference; /sbin/iptables still
 works if you have firewalld running.

 Sure, but the background here was the 'replace vs. augment' question -
 is firewalld actually planned to replace iptables in the long run, or
 are we committed to maintaining iptables as an alternative mechanism? It
 sounds like harald would be happy if the latter is the case.

(as far as I understand the situation:)  iptables as a kernel
interface and a low-level command will exist, but applications will
expect the existence of the firewalld D-Bus service (as opposed to the
system-config-firewall D-Bus service, at least; I'm not sure what this
implies about systems where the firewalld D-Bus service is not
available), and firewall-cmd, not iptables, will be the recommended
user tool.

In fact, not applications will expect..., but applications already
expect - this is already the case with anaconda, control-center and
perhaps other applications.
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Matthew Miller]

On Thu, Nov 15, 2012 at 10:10:43AM -0800, Adam Williamson wrote:
 Sure, but the background here was the 'replace vs. augment' question -
 is firewalld actually planned to replace iptables in the long run, or
 are we committed to maintaining iptables as an alternative mechanism? It
 sounds like harald would be happy if the latter is the case.

One approach: firewalld could have a direct-only mode. If that mode were
enabled, it'd load a static script from from /etc/sysconfig/iptables on
launch, and respond to any commands other than the direct api with an in
direct-only mode error. Then, firewalld-aware applications could choose to
raise a user error or to go to whatever fallback they have.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  mat...@fedoraproject.org
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Reindl Harald]

Am 15.11.2012 19:02, schrieb Miloslav Trmač:
 On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald h.rei...@thelounge.net wrote:
 Am 15.11.2012 18:06, schrieb Adam Williamson:
 Right. I hate to say it, but Harald is correct here: AFAIK, all those
 and other firewall configuration mechanisms were ultimately just
 UI/abstraction layers wrapped around iptables. They wrote iptables
 rules. firewalld is very different.
 
 (Side-reply to Adam:) I can't see the difference; /sbin/iptables still
 works if you have firewalld running.
 
 i am one of the second groups and doing DISTRIBUTED iptables-configurations
 for whole infrastructures since many years and using here any capability
 of iptables which can be hardly covered with abstraction layers
 
 It would be very helpful for judging the maturity/suitability of
 firewalld if you could try converting your iptables script to
 firewall-cmd --direct (which, at least I hope, should be possible to
 do with a few sed commands), and report back whether the pass-through
 capability is good enough.

you CAN NOT easily convert iptables.sh scripts containing
hundrets of commands in a specific order which are well tested
over years and your replacment for any hardware firewall/router

this things are not written at once
this things are growed, optimized and maintained over years
this things are tested in zones where security is hardly needed

it is a bad idea to touch them and re-test it all in production
as you can IMPOSSIBLE build a infrastructure with tons of severs
and clients with very specific block/reject/allow in a test
environment without wasting hundrests of hours of your work

and the main problem: this thinhs are working fine since forever
you will have no benefit to convert them to something else

it is one thing to develop new tools and abstraction layers
a whole different story is throw away perfect workloads for nothing

in the time we discuss this here someone could maintain iptables.service
the next 20 years at all!




signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Reindl Harald]

Am 15.11.2012 19:16, schrieb Miloslav Trmač:
 (as far as I understand the situation:)  iptables as a kernel
 interface and a low-level command will exist, but applications will
 expect the existence of the firewalld D-Bus service (as opposed to the
 system-config-firewall D-Bus service, at least; I'm not sure what this
 implies about systems where the firewalld D-Bus service is not
 available), and firewall-cmd, not iptables, will be the recommended
 user tool

and this is the reason why i say CAUTIOn

i do not want nor can i accept anything on MY machines
expect anything to deal with iptables-rules. i am the only
on e instance to define what is open and closed and with
which REJECT or DROP answer what is closed

nobody and nothing has to touch this dynamically

if a application needs a port open i am the one to open it and
if not you can be sure there is a  good reason why it stays
closed - the reason is security and professional it-managment

i am responsible for my data, comanies data and data of many
customers so i have to be the instance to control every piece
of software - on servers and static setups there is no need for
dynmaic connifurations - the opposite is true: you need to disable
and close ANYTHING and allow NOTHING where you are not 100% sure
that you aware what is done

these things will not change tomorrow nor in 20 years and the
palces where they are changed you read regulary in the newspaper
because intrusions and security leaks!



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Miloslav Trmač]

On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald h.rei...@thelounge.net wrote:
 Am 15.11.2012 19:02, schrieb Miloslav Trmač:
 It would be very helpful for judging the maturity/suitability of
 firewalld if you could try converting your iptables script to
 firewall-cmd --direct (which, at least I hope, should be possible to
 do with a few sed commands), and report back whether the pass-through
 capability is good enough.

 you CAN NOT easily convert iptables.sh scripts containing
 hundrets of commands in a specific order which are well tested
 over years and your replacment for any hardware firewall/router

Have you actually _tried_?  It's supposed to be as easy as
s/iptables/firewall-cmd --direct --passthrough ipv4/

I don't know for a fact whether it is good enough.  You seem to have a
script that could tell us.
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Reindl Harald]

Am 15.11.2012 19:27, schrieb Miloslav Trmač:
 On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald h.rei...@thelounge.net wrote:
 Am 15.11.2012 19:02, schrieb Miloslav Trmač:
 It would be very helpful for judging the maturity/suitability of
 firewalld if you could try converting your iptables script to
 firewall-cmd --direct (which, at least I hope, should be possible to
 do with a few sed commands), and report back whether the pass-through
 capability is good enough.

 you CAN NOT easily convert iptables.sh scripts containing
 hundrets of commands in a specific order which are well tested
 over years and your replacment for any hardware firewall/router
 
 Have you actually _tried_?  It's supposed to be as easy as
 s/iptables/firewall-cmd --direct --passthrough ipv4/
 
 I don't know for a fact whether it is good enough.  You seem to have a
 script that could tell us.

i posted a script realier this day as .txt file with
masked network details, but it did not go trough list
moderation AFAIK until now





signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Kevin Fenzi]

On Thu, 15 Nov 2012 19:30:27 +0100
Reindl Harald h.rei...@thelounge.net wrote:
 Am 15.11.2012 19:27, schrieb Miloslav Trmač:
  On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald
  h.rei...@thelounge.net wrote:
  Am 15.11.2012 19:02, schrieb Miloslav Trmač:
  It would be very helpful for judging the maturity/suitability of
  firewalld if you could try converting your iptables script to
  firewall-cmd --direct (which, at least I hope, should be possible
  to do with a few sed commands), and report back whether the
  pass-through capability is good enough.
 
  you CAN NOT easily convert iptables.sh scripts containing
  hundrets of commands in a specific order which are well tested
  over years and your replacment for any hardware firewall/router
  
  Have you actually _tried_?  It's supposed to be as easy as
  s/iptables/firewall-cmd --direct --passthrough ipv4/
  
  I don't know for a fact whether it is good enough.  You seem to
  have a script that could tell us.
 
 i posted a script realier this day as .txt file with
 masked network details, but it did not go trough list
 moderation AFAIK until now

Everyone on this list doesn't need a copy of your (lengthy) iptables
script, IMHO. 

Perhaps the two of you could continue this off line and test and report
back to the list? 

kevin




signature.asc
Description: PGP signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Reindl Harald]

Am 15.11.2012 19:37, schrieb Kevin Fenzi:
 Have you actually _tried_?  It's supposed to be as easy as
 s/iptables/firewall-cmd --direct --passthrough ipv4/

 I don't know for a fact whether it is good enough.  You seem to
 have a script that could tell us.

 i posted a script realier this day as .txt file with
 masked network details, but it did not go trough list
 moderation AFAIK until now
 
 Everyone on this list doesn't need a copy of your (lengthy) iptables
 script, IMHO. 
 
 Perhaps the two of you could continue this off line and test and report
 back to the list? 

your argumentation is NOT helpful

i can NOT test a iptables.sh replace for a whole INFRASTRUCTURE
i can NOT post a unmasked version with ip-addresses and hostnames
i can NOT simulate a whole network with around 100 machines

even i could do this all, it wozld be VERY difficult to RE-AUDIT
the whole configuration and security-layers which are hardly
to explain because usually infrastructure and network-segments
you want to isolate in both directions is grwoing over years
and not there at once

and this is why REMOEV iptables.service would cause A LOT of work
and auditing while you risk security troubles while you are at
working on this for a more or less non existing benfit

this is why it would be NOT a good idea to remove iptables.service

some of this setups are hunderts of kilometers away
the iptables.sh there is the ROUTER
you can not test this remote because if you make a small mistake
you have lost the game and the remote network is down and having
everywhere lights-out-managment is a nice wish but in reality
you do NOT want LOM exposed to the internet, so it is BEHIND this
iptables-etups you play around

REALLY: there is nothing more i can say to this topic
it is not my decision if people drop iptables.service and make a
big wasting of ressources and security while doing this all over
the world - but people should keep in mind what damage they are
doing if acting this way






signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Adam Williamson]

On Thu, 2012-11-15 at 19:46 +0100, Reindl Harald wrote:
 
 Am 15.11.2012 19:37, schrieb Kevin Fenzi:
  Have you actually _tried_?  It's supposed to be as easy as
  s/iptables/firewall-cmd --direct --passthrough ipv4/
 
  I don't know for a fact whether it is good enough.  You seem to
  have a script that could tell us.
 
  i posted a script realier this day as .txt file with
  masked network details, but it did not go trough list
  moderation AFAIK until now
  
  Everyone on this list doesn't need a copy of your (lengthy) iptables
  script, IMHO. 
  
  Perhaps the two of you could continue this off line and test and report
  back to the list? 
 
 your argumentation is NOT helpful
 
 i can NOT test a iptables.sh replace for a whole INFRASTRUCTURE
 i can NOT post a unmasked version with ip-addresses and hostnames
 i can NOT simulate a whole network with around 100 machines

I don't think anyone asked you to do any of those things. Fedora
obviously does not have the power to replace iptables with firewalld on
your router, so the question is not 'can you replace iptables with
firewalld on everything in your network and see if it works'. The
question is more 'can you see if firewalld does a good job of imitating
iptables on a single Fedora machine on your network, or a small amount
of them'. The whole point is it should be able to imitate an
iptables-type setup fairly transparently, so it should 'play nice' with
the rest of your setup. Can't you just test that?
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Reindl Harald]

Am 15.11.2012 19:58, schrieb Adam Williamson:
 I don't think anyone asked you to do any of those things. Fedora
 obviously does not have the power to replace iptables with firewalld on
 your router, so the question is not 'can you replace iptables with
 firewalld on everything in your network and see if it works'. The
 question is more 'can you see if firewalld does a good job of imitating
 iptables on a single Fedora machine on your network, or a small amount
 of them'. The whole point is it should be able to imitate an
 iptables-type setup fairly transparently, so it should 'play nice' with
 the rest of your setup. Can't you just test that?

and that is why i posted earlier this day a masked copy of the script

ONE script distributed from a admin-server is deplayoed to ANY
machine and exuted with ssh root@machine /scripts/iptables.sh

this thing was written, optimized and maintained for many years
it containes rules to block specific outgoing AND incoming
connections in a more or less dynmic infrastructure

there is no this is the iptables of machine X

i am not only responsible for ONE network, there are finally
MANY networks, they are more or less based on this one script

the reason is simply that if you have, can and do maintain
larger environemnts more or less a a one-man-show you need to
find workloads and solutions to surivive this which is achievd
since years - starting tis from scratch means wasting weeks of
lifetime

don't get me wrong: force this would be no improvement

finally: i am pretty sure that my environments are even SMALL
compared with many others out there, iptables-service is a one-shot
thing at startup, low-level this all is netfilter of the kernel

so i refuse to understand any sense removing the iptables command
and iptables.service to replace it for the sake of replacment

if your argumentation would be this direction i would say
so why do we not remove XFCE, GNOME whatever because KDE exists



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Miloslav Trmač]

On Wed, Nov 14, 2012 at 2:35 AM, Matthew Miller
mat...@fedoraproject.org wrote:
 Well. I may be a little bit cynical on this, but I think the unsteered drift
 of this kind of thing goes like this:

 1. Shiny new feature covers the desktop case, so let's make it the default
in Fedora.
 2. Don't worry, if you have other needs, the old way still works.
 3. So many things get updated to the new way that the old way isn't
reasonable anymore, but *those other use cases never get consideration*.

 It's like step 2 magically covers the end game. But of course it doesn't.

That's not at all the case with firewalld.  2 ouf of 4 of the concerns
that led to firewalld being postponed in F17 were
server/enterprise-related, and AFAIK are now resolved.  Yes, the
documentation is still not great, but that's something that can
realistically be improved before GA.

 I'm not against progress. The static firewall scripts don't cover a lot of
 cases, and are particularly a pain with virt. But let's not jump ahead of
 ourselves without at _least_ a plan.

AFAIK the major things for our usual use cases are covered, at least
going by the F17 criteria.  Sure, there may be more things missing.

Looking at hour original warning flag: Squeezing every last megabyte
out of the running system for cloud is a really new thing that we
haven't historically required.  Sure, it would be great to make
firewalld smaller (and rewriting firewalld to C is one of those things
that have been promised a long time ago and never happened), but I
don't really see that as a blocker.

 So that's a little bit of a tangent, but, as outlined in the other thread, I
 don't think firewalld is at a point where making it the default would be
 a good for Fedora. Maybe it could be by F19. Reducing the dependency load is
 just one part of that.

 In the meantime, I think we should make sure a newly installed system with
 either firewalld or the old thing (now called iptables-service) has a
 sensible firewall out of the box. (Same all-closed-but-ssh as we've had
 forever, I expect.)

We _cannot_ have two different firewalls equally supported, each with
its own command line and API.  Applications won't support both
equally, documentation won't support both equally, QA won't cover both
equally, users will be confused.

We'd get the 8-years duplication of init.d/network vs. NetworkManager
all over again, and I personally strongly want to avoid that (this was
a third of my FESCo election platform).
Mirek
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Matthew Miller]

On Wed, Nov 14, 2012 at 11:34:56AM +0100, Miloslav Trmač wrote:
 AFAIK the major things for our usual use cases are covered, at least
 going by the F17 criteria.  Sure, there may be more things missing.

Adam asked to keep those other things to the other thread, so I'll just
touch on the dependency bloat issue here. I think there are other reasons it
is harmful to Fedora to go ahead before this is ready, though, which I'll
continue to address separately.

 Looking at hour original warning flag: Squeezing every last megabyte
 out of the running system for cloud is a really new thing that we
 haven't historically required.  Sure, it would be great to make
 firewalld smaller (and rewriting firewalld to C is one of those things
 that have been promised a long time ago and never happened), but I
 don't really see that as a blocker.

Making it absolutely minimal isn't a blocker, but pulling X libraries into
the minimal install is. I think that will be resolved, reducing this
particular issue to being something for future improvement. If that can't be
resolved, then it alone should be sufficient cause to postpone the feature.



 We _cannot_ have two different firewalls equally supported, each with
 its own command line and API.  Applications won't support both
 equally, documentation won't support both equally, QA won't cover both
 equally, users will be confused.

I agree. That's why I'm so concerned that firewalld needs to be ready for
all reasonable cases before we switch to it. Again, more on that in the
other thread.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  mat...@fedoraproject.org
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Reindl Harald]

Am 14.11.2012 01:52, schrieb Adam Williamson:
 I don't think that maintaining iptables/s-c-f forever as a 'lightweight
 alternative' to firewalld is the way to go

IT IS the way to go!

not as default, not supported via GUI is OK

but iptables.service and configuration with shellscripts is what
in many professional usecases is needed, the only thing which is
needed by administrators is the iptables-command and iptables.service
loading /etc/sysconfig/iptables at startup

so you can satisfy the desktop users with GUI/firewalld and
do not punish professional users with iptables-rules you
never can put in any GUI



signature.asc
Description: OpenPGP digital signature
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Kevin Kofler]

Miloslav Trmač wrote:
 Looking at hour original warning flag: Squeezing every last megabyte
 out of the running system for cloud is a really new thing that we
 haven't historically required.  Sure, it would be great to make
 firewalld smaller (and rewriting firewalld to C is one of those things
 that have been promised a long time ago and never happened), but I
 don't really see that as a blocker.

The C rewrite should be treated as a requirement for being considered 
anything other than a prototype.

 We'd get the 8-years duplication of init.d/network vs. NetworkManager
 all over again, and I personally strongly want to avoid that (this was
 a third of my FESCo election platform).

Well, I'm not too happy about having 2 ways of doing things either. However, 
I really don't see the point of running a Python daemon to dynamically 
control something I never change in the first place. Now, sure, firewalld 
also does connection tracking and I'd personally have no problems running a 
lightweight C daemon to handle that, but why on Earth does it have to be in 
Python? And what about the many system administrators using handwritten 
rules (see Harald Reindl's reply)? system-config-firewall is a Fedora-
specific UI with limited functionality which it makes sense to replace with 
something more flexible, but iptables rules are a long-established cross-
distribution interface, won't firewalld stomp on those rules, by the way it 
works?

Kevin Kofler

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Adam Williamson]

On Sat, 2012-11-10 at 14:40 -0500, Matthew Miller wrote:
 On Sat, Nov 10, 2012 at 11:15:31AM -0700, Stephen John Smoogen wrote:
   is entirely irrelevant. To achieve the above, we don't need to make sure
   that the default configuration leaves port 22 open when firewalld is
   installed, but that the default configuration leaves port 22 open when
   firewalld is *not* installed. D'oh.
  Well with firewalld not installed and no iptables configs.. I would
  believe that the default would be everything open... unless some other
 
 This is indeed the case.

And that's clearly not what we want. I thought it kind of went without
saying both that this would be the consequence of simply dropping
firewalld from the default install entirely, and that this would not be
acceptable :)
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Matthew Miller]

On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
   Well with firewalld not installed and no iptables configs.. I would
   believe that the default would be everything open... unless some other
  This is indeed the case.
 And that's clearly not what we want. I thought it kind of went without
 saying both that this would be the consequence of simply dropping
 firewalld from the default install entirely, and that this would not be
 acceptable :)

Agreed. *Particularly* if Firewalld is the default but does not nicely cover
all needs. In the ideal world, one codebase would cover everything for all
of Fedora. I don't think we're ready for that for F18, even if we do go
ahead with making it the default, so we need to make sure that the fallback
position is secure.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  mat...@fedoraproject.org
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Adam Williamson]

On Tue, 2012-11-13 at 19:44 -0500, Matthew Miller wrote:
 On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
Well with firewalld not installed and no iptables configs.. I would
believe that the default would be everything open... unless some other
   This is indeed the case.
  And that's clearly not what we want. I thought it kind of went without
  saying both that this would be the consequence of simply dropping
  firewalld from the default install entirely, and that this would not be
  acceptable :)
 
 Agreed. *Particularly* if Firewalld is the default but does not nicely cover
 all needs. In the ideal world, one codebase would cover everything for all
 of Fedora. I don't think we're ready for that for F18, even if we do go
 ahead with making it the default, so we need to make sure that the fallback
 position is secure.

Well, sure, but you seem to be drifting the discussion a bit (or I did,
I've been out of town for the weekend, it gets confusing). As I recall
things, the basic goal we were working towards in this thread was the
reduction of the size of the minimal install. And I was suggesting
taking firewalld out entirely as a way of achieving that, until I
realized that would be stupid.

I don't think that maintaining iptables/s-c-f forever as a 'lightweight
alternative' to firewalld is the way to go, here. I'm not advocating
that we put iptables in @core and firewalld in @standard, or anything
like that. Someone else might want to advocate that, but I'm not. Since
I now figured out to my own satisfaction that we can't just ditch
firewalld from the minimal install, the focus in the context of this
goal should be on reducing its dependency load.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Matthew Miller]

On Tue, Nov 13, 2012 at 04:52:47PM -0800, Adam Williamson wrote:
 Well, sure, but you seem to be drifting the discussion a bit (or I did,
 I've been out of town for the weekend, it gets confusing). As I recall
 things, the basic goal we were working towards in this thread was the
 reduction of the size of the minimal install. 

Sorry... I was drifting it into the other thread. 

 And I was suggesting taking firewalld out entirely as a way of achieving
 that, until I realized that would be stupid.

Well. I may be a little bit cynical on this, but I think the unsteered drift
of this kind of thing goes like this: 

1. Shiny new feature covers the desktop case, so let's make it the default
   in Fedora.
2. Don't worry, if you have other needs, the old way still works.
3. So many things get updated to the new way that the old way isn't
   reasonable anymore, but *those other use cases never get consideration*.

It's like step 2 magically covers the end game. But of course it doesn't.

I'm not against progress. The static firewall scripts don't cover a lot of
cases, and are particularly a pain with virt. But let's not jump ahead of
ourselves without at _least_ a plan.

So that's a little bit of a tangent, but, as outlined in the other thread, I
don't think firewalld is at a point where making it the default would be
a good for Fedora. Maybe it could be by F19. Reducing the dependency load is
just one part of that.

In the meantime, I think we should make sure a newly installed system with
either firewalld or the old thing (now called iptables-service) has a
sensible firewall out of the box. (Same all-closed-but-ssh as we've had
forever, I expect.)


 like that. Someone else might want to advocate that, but I'm not. Since
 I now figured out to my own satisfaction that we can't just ditch
 firewalld from the minimal install, the focus in the context of this
 goal should be on reducing its dependency load.

I don't think we can ditch it, but we can certainly revert.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  mat...@fedoraproject.org
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Adam Williamson]

On Tue, 2012-11-13 at 20:35 -0500, Matthew Miller wrote:

  like that. Someone else might want to advocate that, but I'm not. Since
  I now figured out to my own satisfaction that we can't just ditch
  firewalld from the minimal install, the focus in the context of this
  goal should be on reducing its dependency load.
 
 I don't think we can ditch it, but we can certainly revert.

Let's keep the threads separate then, to avoid my poor tiny brain
getting overheated. :)
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Stephen John Smoogen]

On 9 November 2012 18:46, Adam Williamson awill...@redhat.com wrote:
 On Fri, 2012-11-09 at 20:39 -0500, Matthew Miller wrote:
 On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
  it maybe doesn't actually need to be). So perhaps we should change
  firewalld to default to opening port 22.

 +1, even having read the rest of this message.


 Same with iptables if firewalld is not installed by default.

 Somehow it took me 45 minutes to notice the giant logic fail in my
 thinking: if what we're trying to achieve is 'don't install firewalld in
 a minimal install', obviously firewalld's default firewall configuration
 is entirely irrelevant. To achieve the above, we don't need to make sure
 that the default configuration leaves port 22 open when firewalld is
 installed, but that the default configuration leaves port 22 open when
 firewalld is *not* installed. D'oh.

Well with firewalld not installed and no iptables configs.. I would
believe that the default would be everything open... unless some other
program is there to set some defaults.

-- 
Stephen J Smoogen.
Don't derail a useful feature for the 99% because you're not in it.
Linus Torvalds
Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me.  —James Stewart as Elwood P. Dowd
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Matthew Miller]

On Sat, Nov 10, 2012 at 11:15:31AM -0700, Stephen John Smoogen wrote:
  is entirely irrelevant. To achieve the above, we don't need to make sure
  that the default configuration leaves port 22 open when firewalld is
  installed, but that the default configuration leaves port 22 open when
  firewalld is *not* installed. D'oh.
 Well with firewalld not installed and no iptables configs.. I would
 believe that the default would be everything open... unless some other

This is indeed the case.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  mat...@fedoraproject.org
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Matthew Miller]

On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
 it maybe doesn't actually need to be). So perhaps we should change
 firewalld to default to opening port 22.

+1, even having read the rest of this message.


Same with iptables if firewalld is not installed by default.


-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  mat...@fedoraproject.org
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel

Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)

[Adam Williamson]

On Fri, 2012-11-09 at 20:39 -0500, Matthew Miller wrote:
 On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
  it maybe doesn't actually need to be). So perhaps we should change
  firewalld to default to opening port 22.
 
 +1, even having read the rest of this message.
 
 
 Same with iptables if firewalld is not installed by default.

Somehow it took me 45 minutes to notice the giant logic fail in my
thinking: if what we're trying to achieve is 'don't install firewalld in
a minimal install', obviously firewalld's default firewall configuration
is entirely irrelevant. To achieve the above, we don't need to make sure
that the default configuration leaves port 22 open when firewalld is
installed, but that the default configuration leaves port 22 open when
firewalld is *not* installed. D'oh.

We can still not bother poking the firewall configuration by default in
anaconda if firewalld's package default leaves port 22 open and
firewalld is being installed, which would still be a valuable
simplification of what anaconda has to do and is still a sensible
change, but obviously, we can't use that as a reason not to install
firewalld in a minimal install.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel