Michael Scherer writes:
> - a script with lots of iptables calls ( quite awful, slow and
> unauditable in practice as Reindl explained in another mail, and as I
> too often seen at customers deployment )
> - a script that run 1 command, iptables-restore < file. Which is
> equally as awful and u
Le jeudi 15 novembre 2012 à 09:06 -0800, Adam Williamson a écrit :
> On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
> >
> > Am 15.11.2012 13:33, schrieb Michael Scherer:
> > > Le jeudi 15 novembre 2012 à 03:23 +0100, Kevin Kofler a écrit :
> > >> iptables rules are a long-established cros
Am 15.11.2012 19:58, schrieb Adam Williamson:
> I don't think anyone asked you to do any of those things. Fedora
> obviously does not have the power to replace iptables with firewalld on
> your router, so the question is not 'can you replace iptables with
> firewalld on everything in your network
On Thu, 2012-11-15 at 19:46 +0100, Reindl Harald wrote:
>
> Am 15.11.2012 19:37, schrieb Kevin Fenzi:
> >>> Have you actually _tried_? It's supposed to be as easy as
> >>> s/iptables/firewall-cmd --direct --passthrough ipv4/
> >>>
> >>> I don't know for a fact whether it is good enough. You seem
Am 15.11.2012 19:37, schrieb Kevin Fenzi:
>>> Have you actually _tried_? It's supposed to be as easy as
>>> s/iptables/firewall-cmd --direct --passthrough ipv4/
>>>
>>> I don't know for a fact whether it is good enough. You seem to
>>> have a script that could tell us.
>>
>> i posted a script r
On Thu, 15 Nov 2012 19:30:27 +0100
Reindl Harald wrote:
> Am 15.11.2012 19:27, schrieb Miloslav Trmač:
> > On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald
> > wrote:
> >> Am 15.11.2012 19:02, schrieb Miloslav Trmač:
> >>> It would be very helpful for judging the maturity/suitability of
> >>> firew
Am 15.11.2012 19:27, schrieb Miloslav Trmač:
> On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald wrote:
>> Am 15.11.2012 19:02, schrieb Miloslav Trmač:
>>> It would be very helpful for judging the maturity/suitability of
>>> firewalld if you could try converting your iptables script to
>>> firewall
On Thu, Nov 15, 2012 at 7:08 PM, Reindl Harald wrote:
> Am 15.11.2012 19:02, schrieb Miloslav Trmač:
>> It would be very helpful for judging the maturity/suitability of
>> firewalld if you could try converting your iptables script to
>> firewall-cmd --direct (which, at least I hope, should be poss
Am 15.11.2012 19:16, schrieb Miloslav Trmač:
> (as far as I understand the situation:) iptables as a kernel
> interface and a low-level command will exist, but applications will
> expect the existence of the firewalld D-Bus service (as opposed to the
> system-config-firewall D-Bus service, at le
Am 15.11.2012 19:02, schrieb Miloslav Trmač:
> On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald wrote:
>> Am 15.11.2012 18:06, schrieb Adam Williamson:
>>> Right. I hate to say it, but Harald is correct here: AFAIK, all those
>>> and other firewall configuration mechanisms were ultimately just
>>>
On Thu, Nov 15, 2012 at 10:10:43AM -0800, Adam Williamson wrote:
> Sure, but the background here was the 'replace vs. augment' question -
> is firewalld actually planned to replace iptables in the long run, or
> are we committed to maintaining iptables as an alternative mechanism? It
> sounds like
On Thu, Nov 15, 2012 at 7:10 PM, Adam Williamson wrote:
> On Thu, 2012-11-15 at 19:02 +0100, Miloslav Trmač wrote:
>> On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald
>> wrote:
>> > Am 15.11.2012 18:06, schrieb Adam Williamson:
>> >> Right. I hate to say it, but Harald is correct here: AFAIK, all
On Thu, 2012-11-15 at 19:02 +0100, Miloslav Trmač wrote:
> On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald wrote:
> > Am 15.11.2012 18:06, schrieb Adam Williamson:
> >> Right. I hate to say it, but Harald is correct here: AFAIK, all those
> >> and other firewall configuration mechanisms were ultima
On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald wrote:
> Am 15.11.2012 18:06, schrieb Adam Williamson:
>> Right. I hate to say it, but Harald is correct here: AFAIK, all those
>> and other firewall configuration mechanisms were ultimately just
>> UI/abstraction layers wrapped around iptables. They
Am 15.11.2012 18:06, schrieb Adam Williamson:
> On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
>>
>> Am 15.11.2012 13:33, schrieb Michael Scherer:
>>> Not really. For example, ubuntu use ufw, mandriva used shorewall. Debian
>>> offered several frontend, but IIRC, didn't use one by default
On Thu, 2012-11-15 at 14:48 +0100, Reindl Harald wrote:
>
> Am 15.11.2012 13:33, schrieb Michael Scherer:
> > Le jeudi 15 novembre 2012 à 03:23 +0100, Kevin Kofler a écrit :
> >> iptables rules are a long-established cross-
> >> distribution interface
> >
> > Not really. For example, ubuntu use u
Am 15.11.2012 13:33, schrieb Michael Scherer:
> Le jeudi 15 novembre 2012 à 03:23 +0100, Kevin Kofler a écrit :
>> iptables rules are a long-established cross-
>> distribution interface
>
> Not really. For example, ubuntu use ufw, mandriva used shorewall. Debian
> offered several frontend, but I
Le jeudi 15 novembre 2012 à 03:23 +0100, Kevin Kofler a écrit :
> iptables rules are a long-established cross-
> distribution interface
Not really. For example, ubuntu use ufw, mandriva used shorewall. Debian
offered several frontend, but IIRC, didn't use one by default.
And I have worked as fi
On Thu, Nov 15, 2012 at 3:23 AM, Kevin Kofler wrote:
> And what about the many system administrators using handwritten
> rules (see Harald Reindl's reply)?
There is a --direct option that is supposed to provide a
compatibility/escape mechanism with full iptables functionality (and
mostly same synt
Miloslav Trmač wrote:
> Looking at hour original warning flag: Squeezing every last megabyte
> out of the running system for cloud is a really new thing that we
> haven't historically required. Sure, it would be great to make
> firewalld smaller (and rewriting firewalld to C is one of those things
Am 14.11.2012 01:52, schrieb Adam Williamson:
> I don't think that maintaining iptables/s-c-f forever as a 'lightweight
> alternative' to firewalld is the way to go
IT IS the way to go!
not as default, not supported via GUI is OK
but iptables.service and "configuration" with shellscripts is wh
On Wed, Nov 14, 2012 at 11:34:56AM +0100, Miloslav Trmač wrote:
> AFAIK the major things for our usual use cases are covered, at least
> going by the F17 criteria. Sure, there may be more things missing.
Adam asked to keep those other things to the other thread, so I'll just
touch on the dependen
On Wed, Nov 14, 2012 at 2:35 AM, Matthew Miller
wrote:
> Well. I may be a little bit cynical on this, but I think the unsteered drift
> of this kind of thing goes like this:
>
> 1. Shiny new feature covers the desktop case, so let's make it the default
>in Fedora.
> 2. "Don't worry, if you hav
On Tue, 2012-11-13 at 20:35 -0500, Matthew Miller wrote:
> > like that. Someone else might want to advocate that, but I'm not. Since
> > I now figured out to my own satisfaction that we can't just ditch
> > firewalld from the minimal install, the focus in the context of this
> > goal should be on
On Tue, Nov 13, 2012 at 04:52:47PM -0800, Adam Williamson wrote:
> Well, sure, but you seem to be drifting the discussion a bit (or I did,
> I've been out of town for the weekend, it gets confusing). As I recall
> things, the basic goal we were working towards in this thread was the
> reduction of
On Tue, 2012-11-13 at 19:44 -0500, Matthew Miller wrote:
> On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
> > > > Well with firewalld not installed and no iptables configs.. I would
> > > > believe that the default would be everything open... unless some other
> > > This is indeed
On Tue, Nov 13, 2012 at 04:31:46PM -0800, Adam Williamson wrote:
> > > Well with firewalld not installed and no iptables configs.. I would
> > > believe that the default would be everything open... unless some other
> > This is indeed the case.
> And that's clearly not what we want. I thought it ki
On Sat, 2012-11-10 at 14:40 -0500, Matthew Miller wrote:
> On Sat, Nov 10, 2012 at 11:15:31AM -0700, Stephen John Smoogen wrote:
> > > is entirely irrelevant. To achieve the above, we don't need to make sure
> > > that the default configuration leaves port 22 open when firewalld is
> > > installed,
On Sat, Nov 10, 2012 at 11:15:31AM -0700, Stephen John Smoogen wrote:
> > is entirely irrelevant. To achieve the above, we don't need to make sure
> > that the default configuration leaves port 22 open when firewalld is
> > installed, but that the default configuration leaves port 22 open when
> >
On 9 November 2012 18:46, Adam Williamson wrote:
> On Fri, 2012-11-09 at 20:39 -0500, Matthew Miller wrote:
>> On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
>> > it maybe doesn't actually need to be). So perhaps we should change
>> > firewalld to default to opening port 22.
>>
>
On Fri, 2012-11-09 at 20:39 -0500, Matthew Miller wrote:
> On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
> > it maybe doesn't actually need to be). So perhaps we should change
> > firewalld to default to opening port 22.
>
> +1, even having read the rest of this message.
>
>
>
On Fri, Nov 09, 2012 at 03:24:02PM -0800, Adam Williamson wrote:
> it maybe doesn't actually need to be). So perhaps we should change
> firewalld to default to opening port 22.
+1, even having read the rest of this message.
Same with iptables if firewalld is not installed by default.
--
Matth
On Fri, 2012-11-09 at 15:06 -0800, Adam Williamson wrote:
> Right now it seems like anaconda actually just throws firewalld into the
> target package set in absolutely all cases, like it does with
> authconfig, which I think is wrong. As the above makes clear, it only
> really makes sense to use a
33 matches
Mail list logo
