Bug 960645 - Review Request: sanewall - A powerful firewall builder
Summary: Review Request: sanewall - A powerful firewall builder
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Björn 'besser82' Esser
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: NotReady
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-07 14:57 UTC by Christopher Meng
Modified: 2014-08-11 03:04 UTC (History)
6 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2014-08-11 03:04:44 UTC


Attachments (Terms of Use)

Description Christopher Meng 2013-05-07 14:57:23 UTC
Spec URL: http://cicku.me/sanewall.spec
SRPM URL: http://cicku.me/sanewall-1.1.1-1.fc20.src.rpm

Description: Sanewall is a firewall builder for Linux which uses an elegant language 
abstracted to just the right level. This makes it powerful as well as 
easy to use, audit, and understand. It allows you to create very 
readable configurations even for complex stateful firewalls.

Sanewall can be used for almost any firewall need, including:

control of any number of internal/external/virtual interfaces
control of any combination of routed traffic
setting up DMZ routers and servers
all kinds of NAT
providing strong protection (flooding, spoofing, etc.)
transparent caches
source MAC verification
blacklists, whitelists

Fedora Account System Username: cicku

Comment 1 Christopher Meng 2013-05-14 08:31:38 UTC
New Upstream Version:

New SPEC URL:http://cicku.me/sanewall.spec

New SRPM URL:http://cicku.me/sanewall-1.1.2-1.fc20.src.rpm

Comment 2 Christopher Meng 2013-05-18 05:44:27 UTC
Note this RPM currently is not for EPEL(thus RHEL).

Comment 3 Susi Lehtola 2013-07-31 13:40:55 UTC
IMO this package could replace firehol in Fedora; the last release of Firehol was 5 years ago and it needs systemd support and so on. If this package gains EPEL support, I'll be happy to review it and mark firehol dead.

**

The
 Conflicts: firehol
is incorrect - the packages can peacefully coexist on a system.

**

What's the source for SOURCE1? Has the file been sent upstream?

**

The list in the %description should IMHO be written in the form

Sanewall can be used for almost any firewall need, including:
* control of any number of internal/external/virtual interfaces
* control of any combination of routed traffic
* setting up DMZ routers and servers
* all kinds of NAT
* providing strong protection (flooding, spoofing, etc.)
* transparent caches
* source MAC verification
* blacklists, whitelists

Comment 4 Christopher Meng 2013-07-31 14:10:56 UTC
Thanks Susi, you can reset the assignee to you, I've contacted Douglas. I think he is willing to someone can help do a review. 

It's too late today, I'll update the package to the latest version and check the issues you've mentioned tomorrow. 

Just a thought before sleep, you mean I can add obsolete tag to replace the original firehol? If so I think it's great. (like mariadb and mysql?)

Comment 5 Susi Lehtola 2013-07-31 14:21:12 UTC
(In reply to Christopher Meng from comment #4)
> Just a thought before sleep, you mean I can add obsolete tag to replace the
> original firehol? If so I think it's great. (like mariadb and mysql?)

Yes. But you'll also need to add a Provides, because sanewall really is a replacement for FireHOL.

Comment 6 Susi Lehtola 2013-08-01 17:13:34 UTC
Actually, the Obsoletes is out of the question, since sanewall isn't a drop-in replacement; e.g. the config file is in a different place.

Comment 7 Christopher Meng 2013-08-02 02:03:46 UTC
Source1 is written by myself, sent to upstream, but upstream hasn't decided to support this new toy.

I've fixed all your suggestions.

Spec URL: http://cicku.me/sanewall.spec
SRPM URL: http://cicku.me/sanewall-1.1.4-1.fc20.src.rpm

Comment 8 Susi Lehtola 2013-08-02 09:35:40 UTC
EPEL support is still missing.

Comment 9 Susi Lehtola 2013-08-02 09:38:22 UTC
And the package doesn't compile.

Comment 10 Susi Lehtola 2013-08-07 18:06:26 UTC
Any progress?

Comment 11 Susi Lehtola 2013-08-12 15:18:37 UTC
Second ping Christopher.

Comment 12 Christopher Meng 2013-08-13 00:18:59 UTC
In that days 31/07~02/08, SSH connection was disturbed.

I'm not sure if you found the SRPM was corrupt or whatever other reasons, all packages submitted can be built on my Rawhide machine without problems.

I've reuploaded the same revision to the URL mentioned in comment 7.

I don't maintain one spec for various OS, I always create a new one for the el branch.

Comment 13 Susi Lehtola 2013-08-13 08:33:43 UTC
(In reply to Christopher Meng from comment #12)
> I'm not sure if you found the SRPM was corrupt or whatever other reasons,
> all packages submitted can be built on my Rawhide machine without problems.

Still does not build in mock.

Comment 14 Christopher Meng 2013-08-13 08:44:52 UTC
(In reply to Susi Lehtola from comment #13)
> (In reply to Christopher Meng from comment #12)
> > I'm not sure if you found the SRPM was corrupt or whatever other reasons,
> > all packages submitted can be built on my Rawhide machine without problems.
> 
> Still does not build in mock.

Hi Susi, any logs available? 

This will help us. 

I'm outside now, the next time I can use computer is 15 hrs later...

Comment 15 Susi Lehtola 2013-08-13 08:51:56 UTC
(In reply to Christopher Meng from comment #14)
> > Still does not build in mock.
> 
> Hi Susi, any logs available? 
> 
> This will help us. 

I'm pretty sure there is more than a single problem. Now it fails due to a missing BR: hostname.

Before submitting a review *do* check that the package builds in koji, or at least for one architecture and distribution in mock.

Not doing so just incurs that the reviewer needs to be spending time to waste.

Comment 16 Christopher Meng 2013-08-15 09:58:13 UTC
(In reply to Susi Lehtola from comment #15)
> (In reply to Christopher Meng from comment #14)
> > > Still does not build in mock.
> > 
> > Hi Susi, any logs available? 
> > 
> > This will help us. 
> 
> I'm pretty sure there is more than a single problem. Now it fails due to a
> missing BR: hostname.
> 
> Before submitting a review *do* check that the package builds in koji, or at
> least for one architecture and distribution in mock.
> 
> Not doing so just incurs that the reviewer needs to be spending time to
> waste.

Sorry, added missing hostname/kmod/iptables/iproute/procps-ng BRs.

New SPEC URL:http://cicku.me/sanewall.spec
New SRPM URL:http://cicku.me/sanewall-1.1.4-2.fc20.src.rpm

Koji success: http://koji.fedoraproject.org/koji/taskinfo?taskID=5818302

Comment 17 Susi Lehtola 2013-08-15 10:41:43 UTC
Fails to build in F19.

error: Installed (but unpackaged) file(s) found:
   /usr/share/doc/sanewall/examples/adblock.sh
   /usr/share/doc/sanewall/examples/client-all.conf
   /usr/share/doc/sanewall/examples/lan-gateway.conf
   /usr/share/doc/sanewall/examples/office.conf
   /usr/share/doc/sanewall/examples/server-dmz.conf
   /usr/share/doc/sanewall/html/sanewall-manual.css
   /usr/share/doc/sanewall/html/sanewall-manual.html
   /usr/share/doc/sanewall/html/sanewall-services.html
   /usr/share/doc/sanewall/sanewall-manual.pdf
    Installed (but unpackaged) file(s) found:
   /usr/share/doc/sanewall/examples/adblock.sh
   /usr/share/doc/sanewall/examples/client-all.conf
   /usr/share/doc/sanewall/examples/lan-gateway.conf
   /usr/share/doc/sanewall/examples/office.conf
   /usr/share/doc/sanewall/examples/server-dmz.conf
   /usr/share/doc/sanewall/html/sanewall-manual.css
   /usr/share/doc/sanewall/html/sanewall-manual.html
   /usr/share/doc/sanewall/html/sanewall-services.html
   /usr/share/doc/sanewall/sanewall-manual.pdf
Child return code was: 1

**

I still would like to see the EL spec files as well, since SysV init scripts are handled in a different way. I have no idea why you wouldn't want to use a unified spec file, since the differences can be handled with a few lines of %if's.

Comment 18 Susi Lehtola 2013-09-04 14:27:36 UTC
Ping Christopher.

Comment 19 Christopher Meng 2013-09-04 22:44:36 UTC
Hi Susi I'm busy these days. 

Actually I just need to write a init file now, but it takes time.

Comment 20 Susi Lehtola 2013-09-04 23:07:21 UTC
So maintaining hundreds of packages is not a walk in the park eh?


There should be an init file already. And you can always adapt the one from firehol.

Comment 21 Christopher Meng 2013-09-04 23:21:31 UTC
(In reply to Susi Lehtola from comment #20)
> So maintaining hundreds of packages is not a walk in the park eh?


No, you're thinking too overhead. 

> 
> There should be an init file already. And you can always adapt the one from
> firehol.

The reason why I can't go ahead is that this init file included is designed for Debian systems, in order to follow the guideline I have to rewrite a Fedora one. 

BTW there also have bugs in upstream's init file.

Comment 22 Björn 'besser82' Esser 2013-10-19 09:45:55 UTC
taken  ;)

Any news on this, yet?

Comment 23 Björn 'besser82' Esser 2013-10-19 11:42:19 UTC
Both links give me 404...

Comment 24 Christopher Meng 2013-10-19 15:12:55 UTC
(In reply to Björn "besser82" Esser from comment #23)
> Both links give me 404...

DO NOT DISTURB ME NOW.

Comment 25 Björn 'besser82' Esser 2013-10-19 15:23:53 UTC
(In reply to Christopher Meng from comment #24)
> (In reply to Björn "besser82" Esser from comment #23)
> > Both links give me 404...
> 
> DO NOT DISTURB ME NOW.

WTF???  I just wanted to review this and the links to psec/srpm gave me a 404.  What's your f*****g problem?  What did I do wrong?

Comment 26 Susi Lehtola 2013-11-26 16:57:33 UTC
Ping.

Comment 27 Christopher Meng 2013-11-28 09:32:58 UTC
I will finish this soon.

BTW, I found that firehol is not dead:

http://firehol.org/download/latest/

Maybe you need to update it and I remove the provides line in sanewall spec?

Comment 28 Susi Lehtola 2013-11-28 11:23:04 UTC
(In reply to Christopher Meng from comment #27)
> BTW, I found that firehol is not dead:
> http://firehol.org/download/latest/

Well they sure took a long hiatus. And also changed the location of the tarball, so it was not picked up by release monitoring.

> Maybe you need to update it and I remove the provides line in sanewall spec?

OK.

Comment 29 Maarten Bremer 2014-08-09 22:49:24 UTC
Firehol just released 2.0.0-RC1, largely based on the Sanewall fork. 

I would suggest to upgrade Firehol to version 2 and abandon Sanewall. I added a seperate bugreport for this, see https://bugzilla.redhat.com/show_bug.cgi?id=1128387

Comment 30 Christopher Meng 2014-08-11 03:04:44 UTC
Upstream will stop the development and merge the changes back to the firehol.

Glad to see the resurrection of the firehol.


Note You need to log in before you can comment on or make changes to this bug.