Bug 1045711

Summary: [RFE] Shorewall and Shorewall6 should be the DEFAULT firewall manager in Fedora
Product: [Fedora] Fedora Reporter: Răzvan Sandu <rsandu2004>
Component: distributionAssignee: Václav Pavlín <vpavlin>
Status: CLOSED CANTFIX QA Contact: Radek Vokál <rvokal>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dennis, jpopelka, twoerner, vpavlin
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-08-04 13:57:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Răzvan Sandu 2013-12-21 11:43:12 UTC 
Description of problem:


Shorewall and Shorewall6 (http://shorewall.net) are good-quality, mature and well-documented firewall managers, providing a high-level way of configuring firewalls on top of iptables and ip6tables.

Unlike the current Fedora solution (firewalld), Shorewall is CROS-DISTRO (the vanilla version is already packaged for many GNU/Linux distros and flavours, on both Red Hat and Debian families).

shorewall, shorewall6 and shorewall-init are already packaged in EPEL.

IMHO, Shorewall ans Shorewall6 should be the DEFAULT firewall manager in Fedora, RHEL and CentOS, since it will minimize the work of writing good-quality firewalls in various real life scenarios, including "cut & paste" firewall rules from a distro to another.

Eventually, work for firewalld and Shorewall should converge.

Răzvan
Comment 1 Thomas Woerner 2014-01-08 10:35:08 UTC 
A comment form the firewalld maintainer:

Shorewall and Shorewall6 are very powerful firewall configuration tools, indeed. But they are very complicated to use. Not only but especially for users that do not know a lot about firewalls, scripts and the internals of ip*tables and netfilter.

firewalld is handling IPv4, IPv6 and Bridges in one tool. It communicates with NetworkManager and is notified of interface or connection changes and notifies it if there are changes in the firewall (configuration, start, stop, restart, reload, ...). libvirt is also using firewalld if it is active and also uses these notifications. fail2ban is now also able to use firewalld directly and this will extend also in the near future. system-config-printer is also using firewalld.

You can simply install the firewall solution you want to use at installation time (kickstart, ..) or later on. But you will loose the integration with other projects.

You are welcome in helping to extend firewalld.
Comment 4 Václav Pavlín 2014-08-04 13:57:48 UTC 
I agree with reasoning in Comment #1. Also this is not something we should decide here - I believe it's a good candidate for FESCo ticket if that's really important for you to have shorwall as default. WRT previous sentence, I am closing this as  CANTFIX. Feel free to reopen if you feel there should be reconsideration.