Bug 1045711 - [RFE] Shorewall and Shorewall6 should be the DEFAULT firewall manager in Fedora
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: distribution
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Václav Pavlín
QA Contact: Radek Vokál
Reported: 2013-12-21 11:43 UTC by Răzvan Sandu
Modified: 2014-08-04 13:57 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-08-04 13:57:48 UTC
Type: Bug



Description Răzvan Sandu 2013-12-21 11:43:12 UTC
Description of problem:


Shorewall and Shorewall6 (http://shorewall.net) are good-quality, mature and well-documented firewall managers, providing a high-level way of configuring firewalls on top of iptables and ip6tables.

Unlike the current Fedora solution (firewalld), Shorewall is CROSS-DISTRO (the vanilla version is already packaged for many GNU/Linux distros and flavours, on both Red Hat and Debian families).

shorewall, shorewall6 and shorewall-init are already packaged in EPEL.

IMHO, Shorewall and Shorewall6 should be the DEFAULT firewall manager in Fedora, RHEL and CentOS, since it will minimize the work of writing good-quality firewalls in various real-life scenarios, including "cut & paste" firewall rules from one distro to another.

Eventually, work for firewalld and Shorewall should converge.

Răzvan

Comment 1 Thomas Woerner 2014-01-08 10:35:08 UTC
A comment from the firewalld maintainer:

Shorewall and Shorewall6 are very powerful firewall configuration tools, indeed. But they are very complicated to use. Not only but especially for users that do not know a lot about firewalls, scripts and the internals of ip*tables and netfilter.

firewalld is handling IPv4, IPv6 and Bridges in one tool. It communicates with NetworkManager and is notified of interface or connection changes and notifies it if there are changes in the firewall (configuration, start, stop, restart, reload, ...). libvirt is also using firewalld if it is active and also uses these notifications. fail2ban is now also able to use firewalld directly and this will extend also in the near future. system-config-printer is also using firewalld.

You can simply install the firewall solution you want to use at installation time (kickstart, ..) or later on. But you will lose the integration with other projects.

You are welcome in helping to extend firewalld.

Comment 4 Václav Pavlín 2014-08-04 13:57:48 UTC
I agree with the reasoning in Comment #1. Also this is not something we should decide here - I believe it's a good candidate for a FESCo ticket if it's really important for you to have Shorewall as default. WRT previous sentence, I am closing this as CANTFIX. Feel free to reopen if you feel there should be reconsideration.

