Re: raising warning flag on firewalld-default feature


On 11/09/2012 03:33 PM, Matthew Miller wrote:
> https://fedoraproject.org/wiki/Features/firewalld-default
>
> We have an accepted feature for Firewalld to be the default in Fedora 18.
>
> The old scripts are primitive and can't handle dynamic environments very
> well, so having something new and modern is admirable. The lokkit family of
> GUI config tools is primitive enough to be considered dangerous. And a lot
> of integration work has been done in NetworkManager, libvirt, and a bunch of
> other places.
>
> But, I think we should strongly consider pushing this to F19, because:
>
>    - this turns out to be a big change!
>    - there's little to no documentation

Have you had a look at the man pages?

>    - the UI is very confusing, with a large number of "zones" and no apparent
>      way to configure those zones

Go to the persistent view and you can configure zones, services and icmptypes.

>    - toolset is not yet robust -- has funny things like `firewall-cmd
>      --enable` enables *panic mode*.

Nice find. You are the first to get this. Will work on it.

>    - no way to run once and exit for cloud guests with *non-dynamic* firewall
>      needs, and it's a non-trivial user of system resources

You can use the old firewall environment for static firewall use cases. Everything is still there.

Firewalld is using about 12M of memory (RES), produces only a small amount of wakeups (< 0.1) if idle. Where is the non-trivial use of system resources?

> The alternative is to enable it by default in some cases but not in others,
> but I think that's just confusing. We should wait until it's ready and then
> turn it on everywhere.
>
> I think this bug is illustrative of the problems we're going to see if we
> ship as-is: <https://bugzilla.redhat.com/show_bug.cgi?id=869625>. Stef isn't
> trying to do anything crazy, but is both foiled by the lack of options and
> confused by the choices that are there. We're going to get a lot more bugs
> like this, and worse, unhappy users.

libvirt is creating the firewall rules for guests - it is doing this with the old static model, where you lose these rules in case of other firewall changes, or with firewalld, but here changes are dynamic.

> The lack of documentation is really the showstopper here. If we had really
> good 1) hand-holding documentation and 2) technical documentation for
> admins, I'd be more willing to take the risk. (In an even more ideal world,
> the UI would be so well designed that the hand-holding documentation
> wouldn't be necessary.)




--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


