On Fri, Nov 09, 2012 at 05:32:14PM +0100, Thomas Woerner wrote:
> > - this turns out to be a big change!
> > - there's little to no documentation
> Have you had a look at the man pages?

I missed the top-level man page and was looking at firewall-cmd, which is
not very helpful on its own. Starting from firewalld is much more helpful.
(Thanks!)

The Zone man page dumps me right into reading XML. :) This is the technical
documentation I was referring to, and I'm glad to see it _is_ there -- sorry
I missed it.

I'm still not clear on some concepts, though -- particularly, a zone is
described as defining the "trust level of the interface used for a
connection", but in the man page for zones, "trust" isn't mentioned at all
-- instead, they appear to be the config files for firewall chains. But I
can get into my specific confusion in a separate thread.

From the point of view of the feature, we need to get some of this into web
pages and maybe online help for the GUI applet.

> > - the UI is very confusing, with a large number of "zones" and no apparent
> > way to configure those zones
> Go to the persistent view and you can configure zones, services and
> icmptypes.

I can certainly check and uncheck services and other things within zones,
but the GUI gives me no idea about what the zones mean and neither a way to
learn that nor a way to tell it -- I'd expect at least _one_ of those. I see
there's a "work" zone -- how does firewalld know I'm on the work network and
not at home or at a coffee shop?

> > - no way to run once and exit for cloud guests with *non-dynamic* firewall
> > needs, and it's a non-trivial user of system resources
> You can use the old firewall environment for static firewall use
> cases. Everything is still there.

Can I use them *both together*? If so, okay. If not, we should keep
entirely with the old one until this is really ready to take over.

> Firewalld is using about 12M of memory (RES), produces only a small
> amount of wakeups (< 0.1) if idle. Where is the non-trivial use of
> system resources.

That. That right there. When the net result of that is _no work done ever_,
multiplied by a thousand or a million, it's really not a good use of the
world's resources. Even on a dynamic system, it's going to be idle most of
the time, right? Couldn't this be entirely D-BUS activated and exit after
making changes?

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  <mattdm@xxxxxxxxxxxxxxxxx>
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
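The zone confusion in the message above (what a zone's "trust level" is, and how firewalld would know an interface is on the "work" network) comes down to what is in the zone XML that the firewalld.zone(5) man page describes. The following is an added example written for this thread, not code from firewalld or from anyone in the discussion. It reads a few constructed zone files in that format, answers "which zone does this packet land in?" and "does that zone let this service or port in?", and makes the trust level concrete as the zone's target attribute plus its explicit allow list. The source-before-interface precedence follows firewalld's documented zone lookup; the zone contents, the function names (`parse_zone`, `zone_for_packet`, `verdict`) and the reduction of the format to services, ports, interfaces and sources are the example's own simplifications.

```python
"""Parse firewalld-style zone XML and explain what a zone lets in.

Added example for the thread, not firewalld's own code. Handles the subset of
firewalld.zone(5) needed to answer the zone questions raised there: the <zone>
target attribute and the <service>, <port>, <interface> and <source> children.
"""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample zone files for the example (not copied from a system).
# On a real host these live in /usr/lib/firewalld/zones and /etc/firewalld/zones.
SAMPLE_ZONES = {
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Untrusted network; only selected incoming connections accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <interface name="eth0"/>
</zone>""",
    "work": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ssh"/>
  <service name="ipp-client"/>
  <port port="8080" protocol="tcp"/>
  <source address="10.20.0.0/16"/>
</zone>""",
    "trusted": """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <interface name="eth1"/>
</zone>""",
    "drop": """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
</zone>""",
}


@dataclass
class Zone:
    name: str
    # "default" rejects unmatched traffic; "ACCEPT", "DROP" and "%%REJECT%%"
    # are the explicit targets the zone file format allows.
    target: str
    services: set = field(default_factory=set)
    ports: set = field(default_factory=set)        # (port, protocol) pairs
    interfaces: set = field(default_factory=set)
    sources: list = field(default_factory=list)    # ip_network objects


def parse_zone(name, xml_text):
    """Turn one zone file into a Zone; unknown child elements are ignored."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file: root element is <%s>" % root.tag)
    zone = Zone(name=name, target=root.get("target", "default"))
    for child in root:
        if child.tag == "service":
            zone.services.add(child.get("name"))
        elif child.tag == "port":
            zone.ports.add((child.get("port"), child.get("protocol")))
        elif child.tag == "interface":
            zone.interfaces.add(child.get("name"))
        elif child.tag == "source":
            zone.sources.append(ipaddress.ip_network(child.get("address"), strict=False))
    return zone


def load_zones(files):
    return {name: parse_zone(name, text) for name, text in files.items()}


def zone_for_packet(zones, iface, src_ip, default_zone="public"):
    """Source bindings win over interface bindings; otherwise the default zone.

    This is the whole answer to "how does it know I'm at work": it does not,
    unless an interface or a source range has been bound to that zone.
    """
    ip = ipaddress.ip_address(src_ip)
    for zone in zones.values():
        if any(ip in net for net in zone.sources):
            return zone
    for zone in zones.values():
        if iface in zone.interfaces:
            return zone
    return zones[default_zone]


def verdict(zone, service=None, port=None, protocol=None):
    """ACCEPT if the zone's target is ACCEPT or the service/port is listed;
    otherwise the zone's target decides (default and %%REJECT%% both reject)."""
    if zone.target == "ACCEPT":
        return "ACCEPT"
    if service is not None and service in zone.services:
        return "ACCEPT"
    if port is not None and (str(port), protocol) in zone.ports:
        return "ACCEPT"
    return "REJECT" if zone.target in ("default", "%%REJECT%%") else zone.target


ZONES = load_zones(SAMPLE_ZONES)

if __name__ == "__main__":
    for iface, src, svc in (("eth0", "198.51.100.7", "ssh"), ("eth0", "10.20.5.9", "ipp-client"),
                            ("eth1", "203.0.113.1", "anything"), ("wlan0", "203.0.113.1", "http")):
        zone = zone_for_packet(ZONES, iface, src)
        print(iface, src, svc, "->", zone.name, verdict(zone, service=svc))
```

Two caveats a practitioner would want: real zone files also carry rich rules, icmp-blocks, masquerade and forward-port elements, which this reader ignores, and an interface can also be placed in a zone by the network stack rather than by the zone file (NetworkManager's per-connection `connection.zone` setting), so the XML alone does not always show every binding. The XML parser here is the standard library one; that is fine for root-owned config under /etc/firewalld, but do not point it at zone files from an untrusted source.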