Attachment 574546 Details for Bug 809159 – make firewalld less developer-centric, proofread and add some examples

[patch] make firewalld less developer-centric, proofread and add some examples

0001-make-firewalld-less-developer-centric-proofread-and-.patch (text/plain), 7.02 KB, created by T.C. Hollingsworth on 2012-04-02 15:59:21 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: T.C. Hollingsworth

Created: 2012-04-02 15:59:21 UTC

Size: 7.02 KB

patch

obsolete

>From 84b387005d799394b708c4c02f7e703630745d48 Mon Sep 17 00:00:00 2001
>From: "T.C. Hollingsworth" <tchollingsworth@gmail.com>
>Date: Mon, 2 Apr 2012 08:55:39 -0700
>Subject: [PATCH] make firewalld less developer-centric, proofread and add
> some examples
>
>---
> en-US/Security.xml |   79 ++++++++++++++++++++++++----------------------------
> 1 file changed, 37 insertions(+), 42 deletions(-)
>
>diff --git a/en-US/Security.xml b/en-US/Security.xml
>index 87e6c6f..bc82303 100644
>--- a/en-US/Security.xml
>+++ b/en-US/Security.xml
>@@ -64,32 +64,31 @@
>           With Fedora 15 the dynamic firewall with 
>           <application>firewalld</application> was introduced with the 
>           proof of concept implementation in Python as an optional 
>-          component. The purpose of this feature request is to make 
>-          <application>firewalld</application> the default firewall 
>-          solution for Fedora 17.
>+          component. <application>firewalld</application> is now the default
>+          firewall solution for Fedora 17.
>       </para>
>       <para>
>           The dynamic firewall mode with 
>-          <application>firewalld</application> will make it possible to
>+          <application>firewalld</application> makes it possible to
>            change firewall settings without the need to restart the
>            firewall and will make persistent connections possible. This 
>-           is for example very useful for services, that need to add 
>-           additional firewall rules. <application>libvirtd</application> 
>-           is one of them and also <application>openvpn</application> in 
>-           the future. With the static firewall model these rules are lost 
>-           if the firewall gets modified or restarted. The firewall daemon 
>+           is, for example, very useful for services that need to add
>+           additional firewall rules, like <application>libvirtd</application>
>+           and also <application>openvpn</application> in
>+           the future. With the static firewall model, these rules were lost
>+           when the firewall was modified or restarted. The firewall daemon
>            holds the current configuration internally and is able to 
>            modify the firewall without the need to recreate the complete 
>            firewall configuration; it is also able to restore the 
>-           configuration in a service restart and reload case. Another use
>+           configuration when a service is restarted or reloaded. Another use
>            case for the dynamic firewall mode is printer discovery. For this 
>-           the discovery program will be started locally that sends out a 
>+           a discovery program will be started locally that sends out a
>            broadcast message. It will most likely get an answer from an 
>-           unknown address (the new printer). This answer will be filtered 
>-           by the firewall, because the answer is not related to the 
>-           broadcast and the port of the program that was sending out the 
>-           message is dynamic and therefore a fixed rule can not be created 
>-           for this. With the dynamic firewall mode a time limited rule 
>+           unknown address (the new printer). This answer would normally be
>+           filtered by the firewall, because the answer is not related to the
>+           broadcast and the port of the program that was sending out the
>+           message is dynamic. Therefore, a fixed rule can not be created
>+           for this. With the dynamic firewall mode, a time limited rule 
>            could be requested by the discovery program to allow the receival
>            of the answer. 
>      </para>
>@@ -99,13 +98,7 @@
> 	 <para>
> 	   The <application>iptables</application> and
> 	   <application>ip6tables</application> services will not be
>-	   enabled by default anymore. The required changes in the
>-	   init scripts are
>-	   simple. <application>system-config-firewall</application>
>-	   will not be installed by default anymore, but
>-	   <application>firewalld</application> with the user land
>-	   tools will be installed by default. The needed changes in
>-	   comps are simple.
>+	   enabled by default anymore.
> 	 </para>
>        </important>
>      </para>
>@@ -118,58 +111,60 @@
>          <application>gnome printer settings</application>.
>      </para>
>      <para>
>-         An explicit transition is planned after Fedora 18 with dropping
>+         An explicit transition is planned after Fedora 18, dropping
>          support for the static firewall with system-config-firewal/lokkit.
>          A migration from the static firewall model will be needed then.
>      </para>
>         <itemizedlist mark='bullet'>
>-            <title>How to test</title>
>+            <title>Using <application>firewalld</application> from the command
>+                    line</title>
>             <listitem>
>                 <para>
>-                    Install <application>firewalld</application> and 
>-                    <application>firewall-applet</application>
>-                </para>
>-            </listitem>
>-            <listitem>
>-                <para>
>-                    Start the <application>firewalld</application> service 
>+                Use firewall-cmd to enable, for example,
>+                <application>ssh</application>:
>+<screen>
>+# firewall-cmd --add --service=ssh
>+</screen>
>                 </para>
>             </listitem>
>             <listitem>
>                 <para>
>-                    Start the tray applet 
>-                    <application>firewall-applet</application>
>+                Enable <application>samba</application> for 10 seconds: 
>+<screen>
>+# firewall-cmd --add --service=samba --timeout=10
>+</screen>
>                 </para>
>             </listitem>
>             <listitem>
>                 <para>
>-                Use firewall-cmd to enable for example ssh: 
>+                Enable <application>ipp-client</application>: 
> <screen>
>-# firewall-cmd --add --service=ssh
>+# firewall-cmd --add --service=ipp-client
> </screen>
>                 </para>
>             </listitem>
>             <listitem>
>                 <para>
>-                Enable <application>samba</application> for 10 seconds: 
>+                Disable <application>ipp-client</application>: 
> <screen>
>-# firewall-cmd --add --service=samba --timeout=10
>+# firewall-cmd --remove --service=ipp-client
> </screen>
>                 </para>
>             </listitem>
>             <listitem>
>                 <para>
>-                Enable <application>ipp-client</application>: 
>+                    Enable a range of ports (5900-5920 over TCP in this
>+                    example):
> <screen>
>-# firewall-cmd --add --service=ipp-client
>+# firewall-cmd --add --port=5900-5920:tcp
> </screen>
>                 </para>
>             </listitem>
>             <listitem>
>                 <para>
>-                Disable <application>ipp-client</application>: 
>+                    Disable a specific port (8080 in this example):
> <screen>
>-# firewall-cmd --remove --service=ipp-client
>+# firewall-cmd --remove --port=8080:tcp
> </screen>
>                 </para>
>             </listitem>
>-- 
>1.7.9.3
>

Actions: View | Diff

Attachments on bug 809159: 574546 | 574552 | 574553 | 574554 | 574556