The plan at http://fedoraproject.org/wiki/Features/firewalld-default is for FirewallD to be the default for F18, but for the static firewall with system-config-firewall/lokkit to be supported at least through F19, with a plan for conversion after that. Anaconda has been changed over to use the new system entirely. We need to have a fallback when firewalld is not available. There are a number of approaches to take here:

1) Write some agnostic wrapper that calls either lokkit or firewall-offline-cmd, or else extend lokkit to *be* that wrapper.
2) Put a kludge into the code so lokkit will be called if firewall-offline-cmd is not found.
3) If firewalld isn't found, log a warning but continue, allowing users to set up the system statically by hand if need be. (And document this in the release notes!)

#1 seems best but too much work without further F18 delay; #2 is ugly but nicer for users than #3; and #3 would be the least effort and therefore is probably the best choice at this point.
See also bug #884878 for same code in livecd-tools, used by appliance creator and friends.
https://fedorahosted.org/fesco/ticket/973#comment:21 FirewallD author suggests that the current correct behavior is to use lokkit and firewalld will handle the conversion if installed.
... and if it's not installed, there will be no active firewall?
(In reply to comment #3)
> ... and if it's not installed, there will be no active firewall?

We've still got the old scripts in the "iptables-services" package.
Which will never be installed, except by explicit request. To be clear, what I'm referring to here is that right now the changes proposed here change it from always having a firewall of some sort active, to having *none* in the minimal install. This is a regression from prior releases, and putting iptables-services back in the minimal install is likely to make it *more* confusing.
Created attachment 661709: revert to lokkit patch
Bill: You are right. This is indeed a regression. After thinking about this a bit more, I think that the patch in comment 6 should not get applied. Not having a firewall in minimal is not good. Using different firewalls in minimal and other installations is also not good.
I would prefer to have firewalld also in minimal and to fix pygobject3 to reduce the requirements.
It would have been nice to have a plan for this from the beginning, but that's water under the bridge. I'm not particularly excited about any of the options at this point, but making the feature go from the accepted make-it-default to much more controversial mandatory just because we hit a release deadline seems like an end-run around the process. But, that said: it's my understanding that if the systemd unit for FirewallD has "Conflicts=iptables.service" and "After=iptables.service", they can both be installed and firewalld will take over from the former once started. So I don't think that's so bad, especially if, as Thomas says, FirewallD will import/inherit the traditional configuration.
Firewalld has a tool to convert these settings. It is not doing this automatically.
Since the pygobject3 dependency problem has been fixed, this bug should be closed and the patch should be reverted to have a firewall even in minimal installations. See FESCo ticket 973.
This patch was never applied, so closing. Thanks!