Description of problem: fail2ban doesn't require shorewall to function, and in fact, as we ship it, it makes use of the Fedora firewall - installing an extra firewall which is then not used in the default configuration is a bit gratuitous and confusing to the user. Also, the Requires: tcpwrappers isn't needed unless the user decides to enable the tcpwrapper action (disabled by default).
Maybe the shorewall dependency can be factored out to another package fail2ban-shorewall which would contain /etc/fail2ban/action.d/shorewall.conf and depends on shorewall? What would be really helpful is /etc/fail2ban/jail.d where you can put small subconfigs, instead of having to merge it all together in jail.conf. This way also the jail.conf parts regarding shorewall could be put into the sub-package.
> What would be really helpful is /etc/fail2ban/jail.d where you can put small
> subconfigs, instead of having to merge it all together in jail.conf. This way
> also the jail.conf parts regarding shorewall could be put into the sub-package.
I don't think this works with upstream fail2ban yet, but it is a good idea. Do you want to ask upstream to include *.d functionality in the next release?
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists. Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs: http://docs.fedoraproject.org/release-notes/ The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Is there any reason why this bug is _still_ not fixed? shorewall is definitely not used by the default configuration. This silly extra "Require" is the only reason why I have to build replacement RPMs for internal distribution of fail2ban. Having multiple firewall tools on one machine is crazy, at least as long as these don't share identical configuration files.
I'm putting this back to "rawhide".
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Would be nice if we could get some attention on this bug primarily due to its age. There are similar requests downstream for the EPEL packages, though the EPEL maintainer is waiting for Fedora to make this change first. Thank you.
Created attachment 351351: Simple patch to remove the unnecessary requirement of shorewall
Created attachment 351352: Patch to add a subpackage for shorewall config and dependency. This is an alternative to patch 351351... depending on how the maintainer wishes to proceed.
I think this is just an EPEL bug, why not fix it in the EPEL cvs? I'd go with something like BJ's patch in comment #10. For anecdotal reference just comparing the use of fail2ban with iptables and shorewall by google hits it comes up with something like 1:4 (15,500:69,800), which means that a large portion of fail2ban users will expect shorewall support out of the box and will be surprised to have to look for further subpackages, or to have to manually install some dependencies of fail2ban.
Re: EPEL — the Fedora package also has a hard-requirement of shorewall. Re: anecdotal reference — In that case, patch #351351 (don't split the package, but don't have a hard requirement) seems like the way to go.
Honestly, my only concern is with EPEL... but the changes make sense for both. If you consider that EPEL was created for *Enterprise Linux... it would be safe to assume that a SysAdmin installing fail2ban would know very well what they want and how they want to implement. Forcing the install of shorewall on a SysAdmin in the enterprise just seems rude. ;) For Fedora I can see your point as the audience would more than likely have less SysAdmins and more Users/Power Users. Either way... if you are installing fail2ban you probably also know how to do something like 'yum search shorewall'. If you go with something like my initial patch in comment #9, you can just throw in a few lines of comment into %{_sysconfdir}/fail2ban/action.d/shorewall.conf that let you know "hey, you probably need to install x, y, z packages via yum to enable shorewall support". Or the patch in comment #10, is obvious or understood that you need to install fail2ban-shorewall to enable shorewall support. Either way, thank you for giving this tracker some attention.
Can we please have this issue fixed for the upcoming Fedora 12 release? There are only a few days left until the beta development freeze. I don't really care which one of the proposed patches "wins" in the end. Re: comment #11: If just the "Requires:" for shorewall would be removed, the support for shorewall would still be there, and people using both fail2ban and shorewall will still be happy. But all the others who prefer different firewalling solutions are not forced to install shorewall. Is there any _real_ reason why such a solution would not be acceptable to anyone?
> Can we please have this issue fixed for the upcoming Fedora 12 release?
I thought the bug tended to be "fixed" only for EPEL, or not? And checking the pkgdb it mentions maxamillion as the maintainer. Is this user even in the Cc of this bug to be aware of the issue?
maxamillion, the maintainer of the EPEL package, said he was intent on following upstream (you/Fedora) and did not want to deviate from the Fedora packages.
Can we get a one word delete of at least 'shorewall' please?
Moving back to rawhide again.
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle. Changing version to '13'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Can we have someone other than the maintainer fix this?
Anything going to happen here or should we just close it if nobody cares enough to fix it?
Since this is just the EPEL package and I don't maintain fail2ban for Fedora, I will be keeping it in line with Fedora proper. Please feel free to discuss this with the Fedora package maintainer.
(In reply to comment #23)
> Since this is just the EPEL package and I don't maintain fail2ban for
> Fedora, I will be keeping it in line with Fedora proper. Please feel free to
> discuss this with the Fedora package maintainer.
Fedora package has now dropped the requirements.