communication regarding the move to firewalld

nicholas cunliffe
Information appears informally regarding the move: suggestions of
susefirewall 'stopping working correctly', talk of the firewalld
implementation not being complete. YaST control is now tied to firewalld
even though susefirewall is still in use. For those of us who are
not experts, the information is confusing. There are many threads on
the forums expressing confusion, rather than explanation and facts.

I think the move to firewalld should be announced and communicated,
with guidance on timing and setup where possible.
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Re: communication regarding the move to firewalld

Peter Suetterlin-2
nicholas cunliffe wrote:
> Information appears informally regarding the move: suggestions of
> susefirewall 'stopping working correctly', talk of the firewalld
> implementation not being complete. YaST control is now tied to firewalld
> even though susefirewall is still in use. For those of us who are
> not experts, the information is confusing. There are many threads on
> the forums expressing confusion, rather than explanation and facts.
>
> I think the move to firewalld should be announced and communicated,
> with guidance on timing and setup where possible.

Absolutely.

I just installed the package on my TW laptop, to have a look at things.
So far I'm not too impressed I have to say.  SuSEfirewall2 had a nice text file
with all the configuration options and hints for various things like
masquerading, port forwarding etc., which I use a lot on our server.

On quick look I couldn't find something similar for firewalld.  Instead a lot of
xml files :(( So I had a look at the conversion script,
susefirewall2-to-firewalld.

It suggested running it (dry-run), to see what happens.  It claimed it would
only stop and restart SFW2.  It did (of course) also stop fail2ban, but did not
restart it afterwards...

I also noticed that using firewalld had caused the load of >30 new kernel modules...

At least fail2ban seems to support firewalld, too.
But I do fear this change will cause quite some work :o

Re: communication regarding the move to firewalld

Andrei Borzenkov
31.01.2018 13:21, Peter Suetterlin wrote:
>
> On quick look I couldn't find something similar for firewalld.  Instead a lot of
> xml files :(( So I had a look at the conversion script,
> susefirewall2-to-firewalld.
>
> It suggested running it (dry-run), to see what happens.  It claimed it would
> only stop and restart SFW2.  It did (of course) also stop fail2ban, but did not
> restart it afterwards...
>

I do not think it is something the script does intentionally or that the
script even knows about the fail2ban service at all. The fail2ban service is
configured to be PartOf the SuSEfirewall2 service. So when the script stopped
SFW2 it caused fail2ban to be stopped as well. But PartOf only applies to
stopping, so starting SFW2 did not pull in fail2ban.

Check what the script does. Maybe it could use restart instead of
stop/start; restart should also restart all dependent units that are
PartOf the unit being restarted.

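The PartOf= behaviour described in the message above, as an added example that is not part of the original thread or of the susefirewall2-to-firewalld script: it records which dependents are active before a stop/start cycle and starts them again afterwards. The unit name passed on the command line (for instance `SuSEfirewall2.service`) and a `systemctl` that supports `--value` are assumptions.

```shell
#!/bin/sh
# Added example: keep PartOf= dependents alive across a stop/start cycle.
# Assumed invocation: sh cycle.sh SuSEfirewall2.service (unit name assumed).

# List units that declare PartOf=<unit>. systemd exposes the inverse of
# PartOf= as the ConsistsOf property of the target unit.
dependents_of() {
    systemctl show -p ConsistsOf --value "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Of those dependents, print the ones that are active right now.
active_dependents_of() {
    for dep in $(dependents_of "$1"); do
        if systemctl is-active --quiet "$dep"; then
            echo "$dep"
        fi
    done
}

# Stop and start <unit>, then start the dependents the stop took down.
# Stop propagates along PartOf=; start does not, hence the explicit loop.
# Prints the units it had to bring back.
cycle_with_dependents() {
    saved=$(active_dependents_of "$1")
    systemctl stop "$1"
    systemctl start "$1"
    for dep in $saved; do    # unquoted on purpose: one unit name per word
        systemctl start "$dep"
    done
    echo "$saved"
}

if [ "$#" -gt 0 ]; then
    cycle_with_dependents "$1"
fi
```

Where the caller controls the command, `systemctl restart` on the firewall unit avoids this bookkeeping, because restart is propagated along PartOf= as the message says.
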
Re: communication regarding the move to firewalld

Peter Suetterlin-2
Andrei Borzenkov wrote:

> 31.01.2018 13:21, Peter Suetterlin wrote:
> >
> > On quick look I couldn't find something similar for firewalld.  Instead a lot of
> > xml files :(( So I had a look at the conversion script,
> > susefirewall2-to-firewalld.
> >
> > It suggested running it (dry-run), to see what happens.  It claimed it would
> > only stop and restart SFW2.  It did (of course) also stop fail2ban, but did not
> > restart it afterwards...
> >
>
> I do not think it is something the script does intentionally or that the
> script even knows about the fail2ban service at all. The fail2ban service is
> configured to be PartOf the SuSEfirewall2 service. So when the script stopped
> SFW2 it caused fail2ban to be stopped as well. But PartOf only applies to
> stopping, so starting SFW2 did not pull in fail2ban.

You're of course right!
And I mostly wrote it to make other readers aware of that.  Best solution (IMHO)
would be just to mention this also in the start-up info of the script, that
dependent services like f2b might need manual restart.

> Check what the script does. Maybe it could use restart instead of
> stop/start; restart should also restart all dependent units that are
> PartOf the unit being restarted.

Shame on me - I wasn't even aware of that difference :o

Re: communication regarding the move to firewalld

Axel Braun-2
> I'm not sure if this should be reported as a bug, or if there is a fix in
> place or if it is even necessary, but with all of my Tumbleweed upgrades,
> the Firewalld module was added in Yast but the Firewalld service was not
> active/enabled and the SuSEFirewall2 was still active/enabled. Not a big
> deal for a user to make the fix, so long as they are informed. I added a
> Troubleshoot section to the wiki concerning this issue.
>
> https://en.opensuse.org/Firewalld

Maybe I missed it in the whole thread, but is there a migration path from SFW2
to firewalld? Or how does one get all the settings from here to there?

Thanks
Axel

