Bug 885807 - firewalld accidentally made mandatory; needs to be optional for f18 and f19
Summary: firewalld accidentally made mandatory; needs to be optional for f18 and f19
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 18
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: TestBlocker
Depends On: 815540
Blocks: F18-accepted, F18FinalFreezeExcept 835469 835471 1032605
 
Reported: 2012-12-10 17:04 UTC by Matthew Miller
Modified: 2013-11-20 13:04 UTC (History)
CC List: 16 users
Clone Of: 815540
Last Closed: 2012-12-14 13:35:37 UTC


Attachments
revert to lokkit patch (4.12 KB, patch)
2012-12-11 22:09 UTC, Brian Lane

Description Matthew Miller 2012-12-10 17:04:23 UTC
The plan at http://fedoraproject.org/wiki/Features/firewalld-default is for FirewallD to be the default for F18, but for the static firewall with system-config-firewall/lokkit to be supported at least through F19, with a plan for conversion after that.

Anaconda has been changed over to use the new system entirely. We need to have a fallback when firewalld is not available.

There are a number of approaches to take here:

1) Write some agnostic wrapper that calls either lokkit or firewall-offline-cmd, or else extend lokkit to *be* that wrapper.

2) Put a kludge into the code so lokkit will be called if firewall-offline-cmd is not found.

3) If firewalld isn't found, log a warning but continue, allowing users to set up the system statically by hand if need be. (And document this in the release notes!)


#1 seems best but too much work without further F18 delay;

#2 is ugly but nicer for users than #3; and

#3 would be the least effort and therefore is probably the best choice at this point.
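The fallback described in approaches #2 and #3, as an added shell example that is not anaconda's code and not the attached patch: prefer firewall-offline-cmd, fall back to lokkit, and otherwise warn and continue so the install still completes. The optional search-path argument and the command-building helper are assumptions made here so the selection can be exercised against a test directory rather than the live system.

```shell
#!/bin/sh
# Added example (not anaconda's code). Picks a firewall configuration backend
# the way approach #2 suggests, with approach #3 as the last resort.
#
# select_firewall_backend [SEARCH_PATH]
#   Prints "firewall-offline-cmd" or "lokkit" and returns 0 when one is found.
#   Prints a warning to stderr and returns 1 when neither is available, so the
#   caller can log it and continue rather than abort the installation.
#   SEARCH_PATH (assumed parameter) defaults to $PATH; a colon-separated list.
select_firewall_backend() {
    sfb_path=${1:-$PATH}
    for sfb_tool in firewall-offline-cmd lokkit; do
        # Walk the search path by hand so the lookup can be pointed at a
        # directory of test stubs instead of the real system.
        sfb_old_ifs=$IFS
        IFS=:
        for sfb_dir in $sfb_path; do
            if [ -x "$sfb_dir/$sfb_tool" ]; then
                IFS=$sfb_old_ifs
                printf '%s\n' "$sfb_tool"
                return 0
            fi
        done
        IFS=$sfb_old_ifs
    done
    echo "warning: neither firewall-offline-cmd nor lokkit found;" \
         "firewall left unconfigured, set it up manually after install" >&2
    return 1
}

# build_firewall_command BACKEND SERVICE...
#   Composes the command line for the chosen backend without running it.
#   Both tools accept the lokkit-style --enabled and --service=NAME options
#   (firewall-offline-cmd was written to be option-compatible with lokkit),
#   so the wrapper only has to swap the program name.
build_firewall_command() {
    bfc_cmd="$1 --enabled"
    shift
    for bfc_svc in "$@"; do
        bfc_cmd="$bfc_cmd --service=$bfc_svc"
    done
    printf '%s\n' "$bfc_cmd"
}
```

A caller would run `backend=$(select_firewall_backend) && eval "$(build_firewall_command "$backend" ssh)"`, logging the warning and carrying on when the first command fails.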

Comment 1 Matthew Miller 2012-12-10 17:06:55 UTC
See also bug #884878 for same code in livecd-tools, used by appliance creator and friends.

Comment 2 Matthew Miller 2012-12-11 20:44:24 UTC
https://fedorahosted.org/fesco/ticket/973#comment:21

FirewallD author suggests that the current correct behavior is to use lokkit and firewalld will handle the conversion if installed.

Comment 3 Bill Nottingham 2012-12-11 20:47:50 UTC
... and if it's not installed, there will be no active firewall?

Comment 4 Matthew Miller 2012-12-11 21:39:03 UTC
(In reply to comment #3)
> ... and if it's not installed, there will be no active firewall?

We've still got the old scripts in the "iptables-services" package.

Comment 5 Bill Nottingham 2012-12-11 21:57:19 UTC
Which will never be installed, except by explicit request. To be clear, what I'm referring to here is that right now the changes proposed here change it from always having a firewall of some sort active, to having *none* in the minimal install. This is a regression from prior releases, and putting iptables-services back in the minimal install is likely to make it *more* confusing.

Comment 6 Brian Lane 2012-12-11 22:09:18 UTC
Created attachment 661709 [details]
revert to lokkit patch

Comment 7 Thomas Woerner 2012-12-12 11:27:08 UTC
Bill: You are right. This is indeed a regression.

After thinking about this a bit more, I think that the patch in comment 6 should not get applied. Not having a firewall in minimal is not good. Using different firewalls in minimal and other installations is also not good.

Comment 8 Thomas Woerner 2012-12-12 13:42:12 UTC
I would prefer to have firewalld also in minimal and to fix pygobject3 to reduce the requirements.

Comment 9 Matthew Miller 2012-12-12 15:21:25 UTC
It would have been nice to have a plan for this from the beginning, but that's water under the bridge. I'm not particularly excited about any of the options at this point, but making the feature go from the accepted make-it-default to much more controversial mandatory just because we hit a release deadline seems like an end-run around the process.

But, that said: it's my understanding that if the systemd unit for FirewallD has "Conflicts=iptables.service" and "After=iptables.service", they can both be installed and firewalld will take over from the former once started. So I don't think that's so bad, especially if, as Thomas says, FirewallD will import/inherit the traditional configuration.

Comment 10 Thomas Woerner 2012-12-12 15:41:03 UTC
Firewalld has a tool to convert these settings. It is not doing this automatically.

Comment 11 Thomas Woerner 2012-12-14 12:41:25 UTC
Since the pygobject3 dependency problem has been fixed, this bug should be closed and the patch should be reverted to have a firewall even in minimal installations. See FESCo ticket 973.

Comment 12 Brian Lane 2012-12-14 13:35:37 UTC
This patch was never applied, so closing. Thanks!

