Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thursday 15 November 2012 at 09:06 -0800, Adam Williamson wrote:
> On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
> >
> > On 15.11.2012 13:33, Michael Scherer wrote:
> > > On Thursday 15 November 2012 at 03:23 +0100, Kevin Kofler wrote:
> > >> iptables rules are a long-established cross-
> > >> distribution interface
> > >
> > > Not really. For example, Ubuntu uses ufw, Mandriva used shorewall. Debian
> > > offered several frontends, but IIRC, didn't use one by default
> >
> > and they are ALL using iptables/netfilter
> >
> > so if you write an iptables.sh you get it run on ANY distribution
> > and that was the point
>
> Right. I hate to say it, but Harald is correct here: AFAIK, all those
> and other firewall configuration mechanisms were ultimately just
> UI/abstraction layers wrapped around iptables. They wrote iptables
> rules. firewalld is very different.

Usually, if you use shorewall, nuface, ufw, etc. and iptables side by side,
there is inconsistency. As long as iptables exists, you will have to do the
exact same thing:
- disable the firewall of the distribution (which is already a non-portable
  part of the installation)
- run either:
  - a script with lots of iptables calls (quite awful, slow and unauditable
    in practice, as Reindl explained in another mail, and as I have too often
    seen at customer deployments)
  - a script that runs 1 command, iptables-restore < file. Which is equally
    awful and unauditable, but faster.

I do not see what firewalld would change to that. Disable it, run what you
want instead. The only issue is always the same: if you want to run 2 systems
side by side, you have to do work to integrate them. For example, shorewall
will set the default policy for a table, create new ones, flush the current
one, etc. So as a sane iptables script will do the same, you cannot run them
one after the other and expect things to work smoothly.

And for firewalld, the problem is that firewalld does stuff that a simple
script cannot, namely offering a dbus interface, and so the script cannot
simply replace firewalld (and never will). Previous systems were simple
enough that you could just remove them and do the work by hand. Firewalld
provides more, and if applications do not cope with a non-existent firewalld,
then this will be bad. However, I do not expect having a hard dependency on
it for a few years, since this would mean that such applications no longer
work on distributions that do not ship firewalld (like for example the
current version of RHEL).

-- 
Michael Scherer

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 15.11.2012 19:58, Adam Williamson wrote:
> I don't think anyone asked you to do any of those things. Fedora
> obviously does not have the power to replace iptables with firewalld on
> your router, so the question is not 'can you replace iptables with
> firewalld on everything in your network and see if it works'. The
> question is more 'can you see if firewalld does a good job of imitating
> iptables on a single Fedora machine on your network, or a small amount
> of them'. The whole point is it should be able to imitate an
> iptables-type setup fairly transparently, so it should 'play nice' with
> the rest of your setup. Can't you just test that?

and that is why i posted earlier this day a masked copy of the script

ONE script distributed from an admin-server is deployed to ANY machine
and executed with "ssh root@machine /scripts/iptables.sh"

this thing was written, optimized and maintained for many years
it contains rules to block specific outgoing AND incoming connections
in a more or less dynamic infrastructure

there is no "this is the iptables of machine X"

i am not only responsible for ONE network, there are finally MANY
networks, they are more or less based on this one script

the reason is simply that if you have, can and do maintain larger
environments more or less as a one-man-show you need to find workloads
and solutions to survive this, which is achieved since years - starting
this from scratch means wasting weeks of lifetime

don't get me wrong: forcing this would be no improvement

finally: i am pretty sure that my environments are even SMALL compared
with many others out there, iptables-service is a one-shot thing at
startup, low-level this all is netfilter of the kernel

so i refuse to understand any sense in removing the iptables command and
"iptables.service" to replace it for the sake of replacement

if your argumentation would be this direction i would say
"so why do we not remove XFCE, GNOME whatever because KDE exists"
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, 2012-11-15 at 19:46 +0100, Reindl Harald wrote:
> 
> On 15.11.2012 19:37, Kevin Fenzi wrote:
> >>> Have you actually _tried_? It's supposed to be as easy as
> >>> s/iptables/firewall-cmd --direct --passthrough ipv4/
> >>>
> >>> I don't know for a fact whether it is good enough. You seem to
> >>> have a script that could tell us.
> >>
> >> i posted a script earlier this day as .txt file with
> >> masked network details, but it did not go through list
> >> moderation AFAIK until now
> >
> > Everyone on this list doesn't need a copy of your (lengthy) iptables
> > script, IMHO.
> >
> > Perhaps the two of you could continue this off line and test and report
> > back to the list?
> 
> your argumentation is NOT helpful
> 
> i can NOT test an iptables.sh replacement for a whole INFRASTRUCTURE
> i can NOT post an unmasked version with ip-addresses and hostnames
> i can NOT simulate a whole network with around 100 machines

I don't think anyone asked you to do any of those things. Fedora
obviously does not have the power to replace iptables with firewalld on
your router, so the question is not 'can you replace iptables with
firewalld on everything in your network and see if it works'. The
question is more 'can you see if firewalld does a good job of imitating
iptables on a single Fedora machine on your network, or a small amount
of them'. The whole point is it should be able to imitate an
iptables-type setup fairly transparently, so it should 'play nice' with
the rest of your setup. Can't you just test that?

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 15.11.2012 19:37, Kevin Fenzi wrote:
>>> Have you actually _tried_? It's supposed to be as easy as
>>> s/iptables/firewall-cmd --direct --passthrough ipv4/
>>>
>>> I don't know for a fact whether it is good enough. You seem to
>>> have a script that could tell us.
>>
>> i posted a script earlier this day as .txt file with
>> masked network details, but it did not go through list
>> moderation AFAIK until now
> 
> Everyone on this list doesn't need a copy of your (lengthy) iptables
> script, IMHO.
> 
> Perhaps the two of you could continue this off line and test and report
> back to the list?

your argumentation is NOT helpful

i can NOT test an iptables.sh replacement for a whole INFRASTRUCTURE
i can NOT post an unmasked version with ip-addresses and hostnames
i can NOT simulate a whole network with around 100 machines

even if i could do this all, it would be VERY difficult to RE-AUDIT
the whole configuration and security-layers, which are hard to explain
because usually infrastructure and network-segments you want to isolate
in both directions are growing over years and not there at once

and this is why REMOVING iptables.service would cause A LOT of work and
auditing while you risk security troubles while you are working on
this for a more or less non existing benefit

this is why it would be NOT a good idea to remove "iptables.service"

some of these setups are hundreds of kilometers away
the "iptables.sh" there is the ROUTER

you can not test this remotely because if you make a small mistake you
have lost the game and the remote network is down, and having everywhere
lights-out-management is a nice wish but in reality you do NOT want LOM
exposed to the internet, so it is BEHIND these iptables-setups you play
around with

REALLY: there is nothing more i can say to this topic

it is not my decision if people drop iptables.service and make a big
waste of resources and security while doing this all over the world -
but people should keep in mind what damage they are doing if acting this
way
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, 15 Nov 2012 19:30:27 +0100
Reindl Harald wrote:

> On 15.11.2012 19:27, Miloslav Trmač wrote:
> > On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald
> > wrote:
> >> On 15.11.2012 19:02, Miloslav Trmač wrote:
> >>> It would be very helpful for judging the maturity/suitability of
> >>> firewalld if you could try converting your iptables script to
> >>> firewall-cmd --direct (which, at least I hope, should be possible
> >>> to do with a few sed commands), and report back whether the
> >>> pass-through capability is good enough.
> >>
> >> you CAN NOT easily convert iptables.sh scripts containing
> >> hundreds of commands in a specific order which are well tested
> >> over years and your replacement for any hardware firewall/router
> >
> > Have you actually _tried_? It's supposed to be as easy as
> > s/iptables/firewall-cmd --direct --passthrough ipv4/
> >
> > I don't know for a fact whether it is good enough. You seem to
> > have a script that could tell us.
> 
> i posted a script earlier this day as .txt file with
> masked network details, but it did not go through list
> moderation AFAIK until now

Everyone on this list doesn't need a copy of your (lengthy) iptables
script, IMHO.

Perhaps the two of you could continue this off line and test and report
back to the list?

kevin
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 15.11.2012 19:27, Miloslav Trmač wrote:
> On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald wrote:
>> On 15.11.2012 19:02, Miloslav Trmač wrote:
>>> It would be very helpful for judging the maturity/suitability of
>>> firewalld if you could try converting your iptables script to
>>> firewall-cmd --direct (which, at least I hope, should be possible to
>>> do with a few sed commands), and report back whether the pass-through
>>> capability is good enough.
>>
>> you CAN NOT easily convert iptables.sh scripts containing
>> hundreds of commands in a specific order which are well tested
>> over years and your replacement for any hardware firewall/router
> 
> Have you actually _tried_? It's supposed to be as easy as
> s/iptables/firewall-cmd --direct --passthrough ipv4/
> 
> I don't know for a fact whether it is good enough. You seem to have a
> script that could tell us.

i posted a script earlier this day as .txt file with
masked network details, but it did not go through list
moderation AFAIK until now
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald wrote:
> On 15.11.2012 19:02, Miloslav Trmač wrote:
>> It would be very helpful for judging the maturity/suitability of
>> firewalld if you could try converting your iptables script to
>> firewall-cmd --direct (which, at least I hope, should be possible to
>> do with a few sed commands), and report back whether the pass-through
>> capability is good enough.
> 
> you CAN NOT easily convert iptables.sh scripts containing
> hundreds of commands in a specific order which are well tested
> over years and your replacement for any hardware firewall/router

Have you actually _tried_? It's supposed to be as easy as
s/iptables/firewall-cmd --direct --passthrough ipv4/

I don't know for a fact whether it is good enough. You seem to have a
script that could tell us.

Mirek
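The sed conversion proposed above, as an added example that is neither the thread's nor the firewalld project's code: it rewrites an iptables script into firewall-cmd passthrough calls and then lists the lines a blind substitution cannot settle (ip6tables rules need the ipv6 passthrough, iptables-save/restore have no passthrough form, and a passed-through -F or -X also removes the chains firewalld itself creates). The function names and the sample script are constructed; nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: a sed/awk helper in the spirit of
# the proposed s/iptables/firewall-cmd --direct --passthrough ipv4/ conversion.
# Assumptions: one rule per line, written as "iptables ..." or "ip6tables ...",
# optionally prefixed with /sbin/ or /usr/sbin/. Nothing here touches the
# running firewall; both functions only rewrite or inspect script text on stdin.

# Rewrite a rule script read from stdin; the converted script goes to stdout.
# ip6tables lines map to the ipv6 passthrough, which a plain s/iptables/.../
# would get wrong. Lines such as "iptables-restore" do not match because the
# pattern requires whitespace right after the command name.
convert_iptables_script() {
    sed -E \
        -e 's#^([[:space:]]*)(/usr/sbin/|/sbin/)?iptables([[:space:]])#\1firewall-cmd --direct --passthrough ipv4\3#' \
        -e 's#^([[:space:]]*)(/usr/sbin/|/sbin/)?ip6tables([[:space:]])#\1firewall-cmd --direct --passthrough ipv6\3#'
}

# Report the lines a blind substitution cannot settle, one "LINE: reason: text"
# per finding:
#  - iptables-save / iptables-restore have no passthrough form at all;
#  - -F / -X (flush, delete chain) passed through to the kernel also remove the
#    chains firewalld creates for its own zones and direct rules, so whether to
#    keep such a line is a design decision, not a text substitution.
needs_review() {
    awk '
        /ip6?tables-(save|restore)/ {
            print NR ": save/restore has no passthrough form: " $0; next
        }
        /(^|[ \t])(-F|-X|--flush|--delete-chain)([ \t]|$)/ {
            print NR ": flush/delete-chain also removes firewalld chains: " $0
        }
    '
}

# A constructed sample script, standing in for the distributed iptables.sh
# discussed in the thread.
SAMPLE_SCRIPT='#!/bin/sh
iptables -F
/sbin/iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables-restore < /etc/sysconfig/iptables'

# Wrappers over the sample so the results can be checked by name.
converted_sample() { printf '%s\n' "$SAMPLE_SCRIPT" | convert_iptables_script; }
review_sample()    { printf '%s\n' "$SAMPLE_SCRIPT" | needs_review; }

# Run stand-alone: print the converted script, then what still needs a human.
converted_sample
echo '--- lines needing manual review ---'
review_sample
```

Whether passthrough rules survive a firewalld restart depends on the firewalld version in use; the conversion only covers the runtime invocation the thread talks about.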
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 15.11.2012 19:16, Miloslav Trmač wrote:
> (as far as I understand the situation:) iptables as a kernel
> interface and a low-level command will exist, but applications will
> expect the existence of the firewalld D-Bus service (as opposed to the
> system-config-firewall D-Bus service, at least; I'm not sure what this
> implies about systems where the firewalld D-Bus service is not
> available), and firewall-cmd, not iptables, will be the recommended
> user tool

and this is the reason why i say CAUTION

i do not want nor can i accept anything on MY machines expect anything
to deal with iptables-rules. i am the only one instance to define what
is open and closed and with which REJECT or DROP answer what is closed

nobody and nothing has to touch this dynamically

if an application needs a port open i am the one to open it and if not
you can be sure there is a good reason why it stays closed - the reason
is security and professional it-management

i am responsible for my data, companies' data and data of many customers
so i have to be the instance to control every piece of software - on
servers and static setups there is no need for dynamic configurations -
the opposite is true: you need to disable and close ANYTHING and allow
NOTHING where you are not 100% sure that you are aware what is done

these things will not change tomorrow nor in 20 years and the places
where they are changed you read about regularly in the newspaper because
of intrusions and security leaks!
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 15.11.2012 19:02, Miloslav Trmač wrote:
> On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald wrote:
>> On 15.11.2012 18:06, Adam Williamson wrote:
>>> Right. I hate to say it, but Harald is correct here: AFAIK, all those
>>> and other firewall configuration mechanisms were ultimately just
>>> UI/abstraction layers wrapped around iptables. They wrote iptables
>>> rules. firewalld is very different.
> 
> (Side-reply to Adam:) I can't see the difference; /sbin/iptables still
> works if you have firewalld running.
> 
>> i am one of the second group and doing DISTRIBUTED iptables-configurations
>> for whole infrastructures since many years and using here any capability
>> of iptables which can be hardly covered with abstraction layers
> 
> It would be very helpful for judging the maturity/suitability of
> firewalld if you could try converting your iptables script to
> firewall-cmd --direct (which, at least I hope, should be possible to
> do with a few sed commands), and report back whether the pass-through
> capability is good enough.

you CAN NOT easily convert iptables.sh scripts containing
hundreds of commands in a specific order which are well tested
over years and your replacement for any hardware firewall/router

these things are not written at once
these things have grown, been optimized and maintained over years
these things are tested in zones where security is hardly needed

it is a bad idea to touch them and re-test it all in production
as it is IMPOSSIBLE to build an infrastructure with tons of servers
and clients with very specific block/reject/allow in a test
environment without wasting hundreds of hours of your work

and the main problem: these things are working fine since forever
you will have no benefit to convert them to something else

it is one thing to develop new tools and abstraction layers
a whole different story is to throw away perfect workloads for nothing

in the time we discuss this here someone could maintain
iptables.service the next 20 years at all!
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, Nov 15, 2012 at 10:10:43AM -0800, Adam Williamson wrote:
> Sure, but the background here was the 'replace vs. augment' question -
> is firewalld actually planned to replace iptables in the long run, or
> are we committed to maintaining iptables as an alternative mechanism? It
> sounds like harald would be happy if the latter is the case.

One approach: firewalld could have a "direct-only" mode. If that mode were
enabled, it'd load a static script from /etc/sysconfig/iptables on launch,
and respond to any commands other than the "direct" api with an "in
direct-only mode" error. Then, firewalld-aware applications could choose to
raise a user error or to go to whatever fallback they have.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, Nov 15, 2012 at 7:10 PM, Adam Williamson wrote:
> On Thu, 2012-11-15 at 19:02 +0100, Miloslav Trmač wrote:
>> On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald
>> wrote:
>> > On 15.11.2012 18:06, Adam Williamson wrote:
>> >> Right. I hate to say it, but Harald is correct here: AFAIK, all those
>> >> and other firewall configuration mechanisms were ultimately just
>> >> UI/abstraction layers wrapped around iptables. They wrote iptables
>> >> rules. firewalld is very different.
>>
>> (Side-reply to Adam:) I can't see the difference; /sbin/iptables still
>> works if you have firewalld running.
> 
> Sure, but the background here was the 'replace vs. augment' question -
> is firewalld actually planned to replace iptables in the long run, or
> are we committed to maintaining iptables as an alternative mechanism? It
> sounds like harald would be happy if the latter is the case.

(as far as I understand the situation:) iptables as a kernel interface and
a low-level command will exist, but applications will expect the existence
of the firewalld D-Bus service (as opposed to the system-config-firewall
D-Bus service, at least; I'm not sure what this implies about systems where
the firewalld D-Bus service is not available), and firewall-cmd, not
iptables, will be the recommended user tool.

In fact, not "applications will expect...", but "applications already
expect" - this is already the case with anaconda, control-center and perhaps
other applications.

Mirek
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, 2012-11-15 at 19:02 +0100, Miloslav Trmač wrote:
> On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald wrote:
> > On 15.11.2012 18:06, Adam Williamson wrote:
> >> Right. I hate to say it, but Harald is correct here: AFAIK, all those
> >> and other firewall configuration mechanisms were ultimately just
> >> UI/abstraction layers wrapped around iptables. They wrote iptables
> >> rules. firewalld is very different.
> 
> (Side-reply to Adam:) I can't see the difference; /sbin/iptables still
> works if you have firewalld running.

Sure, but the background here was the 'replace vs. augment' question -
is firewalld actually planned to replace iptables in the long run, or
are we committed to maintaining iptables as an alternative mechanism? It
sounds like harald would be happy if the latter is the case.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald wrote:
> On 15.11.2012 18:06, Adam Williamson wrote:
>> Right. I hate to say it, but Harald is correct here: AFAIK, all those
>> and other firewall configuration mechanisms were ultimately just
>> UI/abstraction layers wrapped around iptables. They wrote iptables
>> rules. firewalld is very different.

(Side-reply to Adam:) I can't see the difference; /sbin/iptables still
works if you have firewalld running.

> i am one of the second group and doing DISTRIBUTED iptables-configurations
> for whole infrastructures since many years and using here any capability
> of iptables which can be hardly covered with abstraction layers

It would be very helpful for judging the maturity/suitability of
firewalld if you could try converting your iptables script to
firewall-cmd --direct (which, at least I hope, should be possible to
do with a few sed commands), and report back whether the pass-through
capability is good enough.

Mirek
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 15.11.2012 18:06, Adam Williamson wrote:
> On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
>> 
>> On 15.11.2012 13:33, Michael Scherer wrote:
>>> Not really. For example, Ubuntu uses ufw, Mandriva used shorewall. Debian
>>> offered several frontends, but IIRC, didn't use one by default
>> 
>> and they are ALL using iptables/netfilter
>> 
>> so if you write an iptables.sh you get it run on ANY distribution
>> and that was the point
> 
> Right. I hate to say it, but Harald is correct here: AFAIK, all those
> and other firewall configuration mechanisms were ultimately just
> UI/abstraction layers wrapped around iptables. They wrote iptables
> rules. firewalld is very different.

and that is why i hardly hope "iptables.service" will be available
parallel to "firewalld" because both satisfy different needs

* firewalld: desktops, standard-setups
* iptables: users maintaining since forever their rules per shellscripts

i am one of the second group and doing DISTRIBUTED iptables-configurations
for whole infrastructures since many years and using here any capability
of iptables which can be hardly covered with abstraction layers

firewalld is helpful for most average users and a fine idea
iptables.service is for the people needing 100% control of each
netfilter-rule and it would be a great fault to try to include any
capability in firewalld because it would be too complex to use and
finally not satisfy both user groups

if it supports any combination you can do with a script containing some
hundred iptables-commands it would become overloaded for the average user
while most likely my usage could still only be covered partly

the only things i need are:

* /usr/sbin/iptables
* /sbin/iptables-save > /etc/sysconfig/iptables
* a service loading "/etc/sysconfig/iptables" at startup
* not collide with firewalld or forced to use it

if this is possible and firewalld is the default i am happy, my workload
stays fine and firewalld satisfies other user-types - a perfect
combination and a real improvement at all
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
> 
> On 15.11.2012 13:33, Michael Scherer wrote:
> > On Thursday 15 November 2012 at 03:23 +0100, Kevin Kofler wrote:
> >> iptables rules are a long-established cross-
> >> distribution interface
> > 
> > Not really. For example, Ubuntu uses ufw, Mandriva used shorewall. Debian
> > offered several frontends, but IIRC, didn't use one by default
> 
> and they are ALL using iptables/netfilter
> 
> so if you write an iptables.sh you get it run on ANY distribution
> and that was the point

Right. I hate to say it, but Harald is correct here: AFAIK, all those
and other firewall configuration mechanisms were ultimately just
UI/abstraction layers wrapped around iptables. They wrote iptables
rules. firewalld is very different.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 15.11.2012 13:33, Michael Scherer wrote:
> On Thursday 15 November 2012 at 03:23 +0100, Kevin Kofler wrote:
>> iptables rules are a long-established cross-
>> distribution interface
> 
> Not really. For example, Ubuntu uses ufw, Mandriva used shorewall. Debian
> offered several frontends, but IIRC, didn't use one by default

and they are ALL using iptables/netfilter

so if you write an iptables.sh you get it run on ANY distribution
and that was the point
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thursday 15 November 2012 at 03:23 +0100, Kevin Kofler wrote:
> iptables rules are a long-established cross-
> distribution interface

Not really. For example, Ubuntu uses ufw, Mandriva used shorewall. Debian
offered several frontends, but IIRC, didn't use one by default.

And I have worked as a firewall admin and developer, and while netfilter is
an impressive piece of work, this is more used as a framework than anything.
For example, one of the clients wrote a script with automated rollback in
case of issue, and we (my company) wrote a tool to edit rules without
having to reload the whole firewall (because waiting 1 minute to see if you
crashed the whole network is not fun the first 10 times).

-- 
Michael Scherer
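The automated-rollback script mentioned above, as an added example that is not the thread's, the client's or the project's code: it saves the live ruleset, loads a new one, and restores the old one unless the administrator confirms from a second session within a timeout, which is exactly the "one small mistake and the remote router is gone" case raised elsewhere in this thread. It assumes iptables-save and iptables-restore; both are taken from variables so the demo at the bottom can substitute file-backed stand-ins, and the sample rulesets are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: the "apply, then roll back unless
# confirmed" pattern. Assumptions: rulesets are in iptables-save format and are
# loaded with iptables-restore; both tools come from variables so the pattern
# can be exercised with the file-backed stand-ins defined further down.

: "${SAVE_CMD:=iptables-save}"
: "${RESTORE_CMD:=iptables-restore}"

# apply_with_rollback NEW_RULES_FILE TIMEOUT_SECONDS CONFIRM_FILE
# Saves the live ruleset, loads NEW_RULES_FILE, then waits up to TIMEOUT_SECONDS
# for CONFIRM_FILE to be created from a second session that still works.
# Without confirmation the saved ruleset is restored.
# Returns 0 if confirmed, 1 if rolled back, 2 if the new rules failed to load.
apply_with_rollback() {
    new_rules=$1; timeout=$2; confirm=$3
    backup=$(mktemp) || return 2
    "$SAVE_CMD" > "$backup" || { rm -f "$backup"; return 2; }
    rm -f "$confirm"                   # a stale confirm file must not count
    if ! "$RESTORE_CMD" < "$new_rules"; then
        "$RESTORE_CMD" < "$backup"     # put the known-good set back regardless
        rm -f "$backup"
        return 2
    fi
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then rm -f "$backup"; return 0; fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    "$RESTORE_CMD" < "$backup"
    rm -f "$backup"
    return 1
}

# ---- Demo with stand-ins: the "kernel ruleset" is a file, and the fake
# ---- restore rejects input without a COMMIT line, the way iptables-restore
# ---- rejects a broken dump.
FAKE_KERNEL=$(mktemp)
fake_save()    { cat "$FAKE_KERNEL"; }
fake_restore() {
    input=$(cat)
    case "$input" in
        *COMMIT*) printf '%s\n' "$input" > "$FAKE_KERNEL" ;;
        *)        return 1 ;;
    esac
}

# Constructed rulesets: the good one allows ssh, the lockout one drops that
# line, the extended one adds https, the broken one lacks COMMIT.
GOOD_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'
LOCKOUT_RULES='*filter
:INPUT DROP [0:0]
COMMIT'
EXTENDED_RULES="${GOOD_RULES%COMMIT}-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT"
BROKEN_RULES='*filter
:INPUT DROP [0:0]'

# run_demo RULES TIMEOUT CONFIRM_DELAY: starts from GOOD_RULES in the fake
# kernel, applies RULES and, unless CONFIRM_DELAY is "never", confirms after
# that many seconds from a background job (the admin's second session).
# Prints "<return code> <ruleset left in the fake kernel, on one line>".
run_demo() {
    rules=$1; timeout=$2; delay=$3
    SAVE_CMD=fake_save; RESTORE_CMD=fake_restore
    printf '%s\n' "$GOOD_RULES" > "$FAKE_KERNEL"
    new=$(mktemp); printf '%s\n' "$rules" > "$new"
    confirm=$(mktemp); rm -f "$confirm"
    if [ "$delay" != never ]; then
        ( sleep "$delay"; : > "$confirm" ) &
    fi
    apply_with_rollback "$new" "$timeout" "$confirm" && rc=0 || rc=$?
    wait
    rm -f "$new" "$confirm"
    printf '%s %s\n' "$rc" "$(paste -s -d ' ' "$FAKE_KERNEL")"
}

demo_unconfirmed() { run_demo "$LOCKOUT_RULES"  1 never; }   # rolled back: rc 1
demo_confirmed()   { run_demo "$EXTENDED_RULES" 4 1; }       # kept: rc 0
demo_broken()      { run_demo "$BROKEN_RULES"   1 never; }   # load failed: rc 2

demo_unconfirmed
demo_confirmed
demo_broken
```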
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Thu, Nov 15, 2012 at 3:23 AM, Kevin Kofler wrote:
> And what about the many system administrators using handwritten
> rules (see Harald Reindl's reply)?

There is a --direct option that is supposed to provide a
compatibility/escape mechanism with full iptables functionality (and mostly
same syntax). Last release cycle it appeared to work; testing it with some
demanding real-world scripts would be interesting.

Mirek
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
Miloslav Trmač wrote:
> Looking at your original warning flag: Squeezing every last megabyte
> out of the running system for cloud is a really new thing that we
> haven't historically required. Sure, it would be great to make
> firewalld smaller (and rewriting firewalld to C is one of those things
> that have been promised a long time ago and never happened), but I
> don't really see that as a blocker.

The C rewrite should be treated as a requirement for being considered
anything other than a prototype.

> We'd get the 8-years duplication of init.d/network vs. NetworkManager
> all over again, and I personally strongly want to avoid that (this was
> a third of my FESCo election platform).

Well, I'm not too happy about having 2 ways of doing things either. However,
I really don't see the point of running a Python daemon to dynamically
control something I never change in the first place. Now, sure, firewalld
also does connection tracking and I'd personally have no problems running a
lightweight C daemon to handle that, but why on Earth does it have to be in
Python?

And what about the many system administrators using handwritten rules (see
Harald Reindl's reply)? system-config-firewall is a Fedora-specific UI with
limited functionality which it makes sense to replace with something more
flexible, but iptables rules are a long-established cross-distribution
interface, won't firewalld stomp on those rules, by the way it works?

        Kevin Kofler
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 14.11.2012 01:52, Adam Williamson wrote:
> I don't think that maintaining iptables/s-c-f forever as a 'lightweight
> alternative' to firewalld is the way to go

IT IS the way to go!

not as default, not supported via GUI is OK
but iptables.service and "configuration" with shellscripts is what
in many professional usecases is needed, the only thing which is
needed by administrators is the iptables-command and iptables.service
loading "/etc/sysconfig/iptables" at startup

so you can satisfy the desktop users with GUI/firewalld and do not
punish professional users with iptables-rules you never can put in
any GUI
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Wed, Nov 14, 2012 at 11:34:56AM +0100, Miloslav Trmač wrote:
> AFAIK the major things for our usual use cases are covered, at least
> going by the F17 criteria. Sure, there may be more things missing.

Adam asked to keep those other things to the other thread, so I'll just
touch on the dependency bloat issue here. I think there are other reasons it
is harmful to Fedora to go ahead before this is ready, though, which I'll
continue to address separately.

> Looking at your original warning flag: Squeezing every last megabyte
> out of the running system for cloud is a really new thing that we
> haven't historically required. Sure, it would be great to make
> firewalld smaller (and rewriting firewalld to C is one of those things
> that have been promised a long time ago and never happened), but I
> don't really see that as a blocker.

Making it absolutely minimal isn't a blocker, but pulling X libraries into
the minimal install is. I think that will be resolved, reducing this
particular issue to being something for future improvement. If that can't be
resolved, then it alone should be sufficient cause to postpone the feature.

> We _cannot_ have two different firewalls equally supported, each with
> its own command line and API. Applications won't support both
> equally, documentation won't support both equally, QA won't cover both
> equally, users will be confused.

I agree. That's why I'm so concerned that firewalld needs to be ready for
all reasonable cases before we switch to it. Again, more on that in the
other thread.

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Wed, Nov 14, 2012 at 2:35 AM, Matthew Miller wrote:
> Well. I may be a little bit cynical on this, but I think the unsteered drift
> of this kind of thing goes like this:
>
> 1. Shiny new feature covers the desktop case, so let's make it the default
>    in Fedora.
> 2. "Don't worry, if you have other needs, the old way still works".
> 3. So many things get updated to the new way that the old way isn't
>    reasonable anymore, but *those other use cases never get consideration*.
>
> It's like step 2 magically covers the end game. But of course it doesn't.

That's not at all the case with firewalld. 2 out of 4 of the concerns that
led to firewalld being postponed in F17 were server/enterprise-related, and
AFAIK are now resolved. Yes, the documentation is still not great, but
that's something that can realistically be improved before GA.

> I'm not against progress. The static firewall scripts don't cover a lot of
> cases, and are particularly a pain with virt. But let's not jump ahead of
> ourselves without at _least_ a plan.

AFAIK the major things for our usual use cases are covered, at least going
by the F17 criteria. Sure, there may be more things missing.

Looking at your original warning flag: Squeezing every last megabyte out of
the running system for cloud is a really new thing that we haven't
historically required. Sure, it would be great to make firewalld smaller
(and rewriting firewalld to C is one of those things that have been promised
a long time ago and never happened), but I don't really see that as a
blocker.

> So that's a little bit of a tangent, but, as outlined in the other thread, I
> don't think firewalld is at a point where making it the default would be
> good for Fedora. Maybe it could be by F19. Reducing the dependency load is
> just one part of that.
>
> In the meantime, I think we should make sure a newly installed system with
> either firewalld or the old thing (now called iptables-service) has a
> sensible firewall out of the box. (Same all-closed-but-ssh as we've had
> forever, I expect.)

We _cannot_ have two different firewalls equally supported, each with its
own command line and API. Applications won't support both equally,
documentation won't support both equally, QA won't cover both equally, users
will be confused. We'd get the 8-years duplication of init.d/network vs.
NetworkManager all over again, and I personally strongly want to avoid that
(this was a third of my FESCo election platform).

Mirek
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Tue, 2012-11-13 at 20:35 -0500, Matthew Miller wrote:
> > like that. Someone else might want to advocate that, but I'm not. Since
> > I now figured out to my own satisfaction that we can't just ditch
> > firewalld from the minimal install, the focus in the context of this
> > goal should be on reducing its dependency load.
>
> I don't think we can "ditch" it, but we can certainly revert.

Let's keep the threads separate then, to avoid my poor tiny brain getting
overheated. :)
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Tue, Nov 13, 2012 at 04:52:47PM -0800, Adam Williamson wrote:
> Well, sure, but you seem to be drifting the discussion a bit (or I did,
> I've been out of town for the weekend, it gets confusing). As I recall
> things, the basic goal we were working towards in this thread was the
> reduction of the size of the minimal install.

Sorry... I was drifting it into the other thread.

> And I was suggesting taking firewalld out entirely as a way of achieving
> that, until I realized that would be stupid.

Well. I may be a little bit cynical on this, but I think the unsteered drift
of this kind of thing goes like this:

1. Shiny new feature covers the desktop case, so let's make it the default
   in Fedora.
2. "Don't worry, if you have other needs, the old way still works".
3. So many things get updated to the new way that the old way isn't
   reasonable anymore, but *those other use cases never get consideration*.

It's like step 2 magically covers the end game. But of course it doesn't.

I'm not against progress. The static firewall scripts don't cover a lot of
cases, and are particularly a pain with virt. But let's not jump ahead of
ourselves without at _least_ a plan.

So that's a little bit of a tangent, but, as outlined in the other thread, I
don't think firewalld is at a point where making it the default would be
good for Fedora. Maybe it could be by F19. Reducing the dependency load is
just one part of that.

In the meantime, I think we should make sure a newly installed system with
either firewalld or the old thing (now called iptables-service) has a
sensible firewall out of the box. (Same all-closed-but-ssh as we've had
forever, I expect.)

> like that. Someone else might want to advocate that, but I'm not. Since
> I now figured out to my own satisfaction that we can't just ditch
> firewalld from the minimal install, the focus in the context of this
> goal should be on reducing its dependency load.

I don't think we can "ditch" it, but we can certainly revert.

--
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Tue, 2012-11-13 at 19:44 -0500, Matthew Miller wrote:
> On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
> > > > Well with firewalld not installed and no iptables configs.. I would
> > > > believe that the default would be everything open... unless some other
> > > This is indeed the case.
> > And that's clearly not what we want. I thought it kind of went without
> > saying both that this would be the consequence of simply dropping
> > firewalld from the default install entirely, and that this would not be
> > acceptable :)
>
> Agreed. *Particularly* if Firewalld is the default but does not nicely cover
> all needs. In the ideal world, one codebase would cover everything for all
> of Fedora. I don't think we're ready for that for F18, even if we do go
> ahead with making it the default, so we need to make sure that the fallback
> position is secure.

Well, sure, but you seem to be drifting the discussion a bit (or I did,
I've been out of town for the weekend, it gets confusing). As I recall
things, the basic goal we were working towards in this thread was the
reduction of the size of the minimal install. And I was suggesting taking
firewalld out entirely as a way of achieving that, until I realized that
would be stupid.

I don't think that maintaining iptables/s-c-f forever as a 'lightweight
alternative' to firewalld is the way to go, here. I'm not advocating that
we put iptables in @core and firewalld in @standard, or anything like that.
Someone else might want to advocate that, but I'm not. Since I now figured
out to my own satisfaction that we can't just ditch firewalld from the
minimal install, the focus in the context of this goal should be on
reducing its dependency load.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
> > > Well with firewalld not installed and no iptables configs.. I would
> > > believe that the default would be everything open... unless some other
> > This is indeed the case.
> And that's clearly not what we want. I thought it kind of went without
> saying both that this would be the consequence of simply dropping
> firewalld from the default install entirely, and that this would not be
> acceptable :)

Agreed. *Particularly* if Firewalld is the default but does not nicely cover
all needs. In the ideal world, one codebase would cover everything for all
of Fedora. I don't think we're ready for that for F18, even if we do go
ahead with making it the default, so we need to make sure that the fallback
position is secure.

--
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Sat, 2012-11-10 at 14:40 -0500, Matthew Miller wrote:
> On Sat, Nov 10, 2012 at 11:15:31AM -0700, Stephen John Smoogen wrote:
> > > is entirely irrelevant. To achieve the above, we don't need to make sure
> > > that the default configuration leaves port 22 open when firewalld is
> > > installed, but that the default configuration leaves port 22 open when
> > > firewalld is *not* installed. D'oh.
> > Well with firewalld not installed and no iptables configs.. I would
> > believe that the default would be everything open... unless some other
>
> This is indeed the case.

And that's clearly not what we want. I thought it kind of went without
saying both that this would be the consequence of simply dropping
firewalld from the default install entirely, and that this would not be
acceptable :)
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Sat, Nov 10, 2012 at 11:15:31AM -0700, Stephen John Smoogen wrote:
> > is entirely irrelevant. To achieve the above, we don't need to make sure
> > that the default configuration leaves port 22 open when firewalld is
> > installed, but that the default configuration leaves port 22 open when
> > firewalld is *not* installed. D'oh.
> Well with firewalld not installed and no iptables configs.. I would
> believe that the default would be everything open... unless some other

This is indeed the case.

--
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On 9 November 2012 18:46, Adam Williamson wrote:
> On Fri, 2012-11-09 at 20:39 -0500, Matthew Miller wrote:
>> On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
>> > it maybe doesn't actually need to be). So perhaps we should change
>> > firewalld to default to opening port 22.
>>
>> +1, even having read the rest of this message.
>>
>>
>> Same with iptables if firewalld is not installed by default.
>
> Somehow it took me 45 minutes to notice the giant logic fail in my
> thinking: if what we're trying to achieve is 'don't install firewalld in
> a minimal install', obviously firewalld's default firewall configuration
> is entirely irrelevant. To achieve the above, we don't need to make sure
> that the default configuration leaves port 22 open when firewalld is
> installed, but that the default configuration leaves port 22 open when
> firewalld is *not* installed. D'oh.

Well with firewalld not installed and no iptables configs.. I would
believe that the default would be everything open... unless some other
program is there to set some defaults.

--
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
    Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh so smart
or oh so pleasant. Well, for years I was smart. I recommend pleasant. You
may quote me." —James Stewart as Elwood P. Dowd
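The two states the thread keeps circling back to are "everything open" (no firewalld, no iptables rules, so netfilter's default ACCEPT policies apply) and the classic "all closed but ssh" baseline Matthew Miller wants preserved out of the box. An added check, not code from the thread or from any Fedora package, that classifies an `iptables-save` dump into one of those states: the helper name `classify_filter_table` is hypothetical, and the three rule sets are constructed samples written to resemble a host with nothing configured, the traditional Fedora default, and a deny-all ruleset that would lock ssh out. On a real host it would be fed with `iptables-save | classify_filter_table` instead of the samples.

```shell
#!/bin/sh
# Added example: audit the filter table's INPUT chain in iptables-save
# output and report whether the host is open, closed-but-ssh, or closed
# with no ssh access. Nothing here is from the mailing-list thread.

# Constructed sample: nothing ever configured netfilter. Default policies
# are ACCEPT and the chains are empty, so every listening port is reachable.
NO_FIREWALL='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed sample resembling the traditional "all closed but ssh" default:
# established traffic, icmp, loopback and tcp/22 are accepted, the rest rejected.
SSH_ONLY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Constructed sample of a misordered ruleset: the catch-all REJECT comes
# before the ssh ACCEPT, so the ssh rule is unreachable and admins are locked out.
LOCKED_OUT='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# classify_filter_table (hypothetical helper): read iptables-save text on
# stdin and print exactly one of
#   open            INPUT accepts by default and no catch-all deny rule exists
#   closed-but-ssh  INPUT ends in deny, and tcp/22 is accepted before that
#   closed-no-ssh   INPUT ends in deny, and tcp/22 is never reachably accepted
# Only the filter table's INPUT chain is inspected; rule order is respected.
classify_filter_table() {
    awk '
        BEGIN { table = ""; policy_deny = 0; ssh_ok = 0; catchall = 0 }
        /^\*/ { table = substr($0, 2); next }     # "*filter", "*nat", ...
        table != "filter" { next }                 # ignore other tables
        /^:INPUT / {                               # chain policy line
            if ($2 == "DROP" || $2 == "REJECT") policy_deny = 1
            next
        }
        /^-A INPUT / {
            if (catchall) next                     # rules after a catch-all never match
            if ($0 ~ /-p tcp/ && $0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT/) ssh_ok = 1
            # a rule whose first token after the chain is the jump has no
            # match conditions at all: it is a catch-all
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) catchall = 1
        }
        END {
            if (policy_deny || catchall) print (ssh_ok ? "closed-but-ssh" : "closed-no-ssh")
            else print "open"
        }'
}

# Demo over the constructed samples.
for sample in NO_FIREWALL SSH_ONLY LOCKED_OUT; do
    eval "dump=\$$sample"
    printf '%-12s %s\n' "$sample" "$(printf '%s\n' "$dump" | classify_filter_table)"
done
```

The order-aware pass is the part worth keeping: a ruleset can contain a perfectly good `--dport 22 -j ACCEPT` line and still lock you out if a catch-all `REJECT` precedes it, which a simple `grep` for the ssh rule would miss.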
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Fri, 2012-11-09 at 20:39 -0500, Matthew Miller wrote:
> On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
> > it maybe doesn't actually need to be). So perhaps we should change
> > firewalld to default to opening port 22.
>
> +1, even having read the rest of this message.
>
>
> Same with iptables if firewalld is not installed by default.

Somehow it took me 45 minutes to notice the giant logic fail in my
thinking: if what we're trying to achieve is 'don't install firewalld in
a minimal install', obviously firewalld's default firewall configuration
is entirely irrelevant. To achieve the above, we don't need to make sure
that the default configuration leaves port 22 open when firewalld is
installed, but that the default configuration leaves port 22 open when
firewalld is *not* installed. D'oh.

We can still not bother poking the firewall configuration by default in
anaconda if firewalld's package default leaves port 22 open and firewalld
is being installed, which would still be a valuable simplification of what
anaconda has to do and is still a sensible change, but obviously, we can't
use that as a reason not to install firewalld in a minimal install.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
Re: Setting the default firewall configuration (was Re: Attention, dependency fighters)
On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
> it maybe doesn't actually need to be). So perhaps we should change
> firewalld to default to opening port 22.

+1, even having read the rest of this message.

Same with iptables if firewalld is not installed by default.

--
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁