On Wed, Nov 14, 2012 at 2:35 AM, Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:
> Well. I may be a little bit cynical on this, but I think the unsteered drift
> of this kind of thing goes like this:
>
> 1. Shiny new feature covers the desktop case, so let's make it the default
> in Fedora.
> 2. "Don't worry, if you have other needs, the old way still works".
> 3. So many things get updated to the new way that the old way isn't
> reasonable anymore, but *those other use cases never get consideration*.
>
> It's like step 2 magically covers the end game. But of course it doesn't.

That's not at all the case with firewalld. 2 out of 4 of the concerns that led to firewalld being postponed in F17 were server/enterprise-related, and AFAIK are now resolved. Yes, the documentation is still not great, but that's something that can realistically be improved before GA.

> I'm not against progress. The static firewall scripts don't cover a lot of
> cases, and are particularly a pain with virt. But let's not jump ahead of
> ourselves without at _least_ a plan.

AFAIK the major things for our usual use cases are covered, at least going by the F17 criteria. Sure, there may be more things missing. Looking at your original warning flag: squeezing every last megabyte out of the running system for cloud is a really new thing that we haven't historically required. Sure, it would be great to make firewalld smaller (and rewriting firewalld in C is one of those things that have been promised a long time ago and never happened), but I don't really see that as a blocker.

> So that's a little bit of a tangent, but, as outlined in the other thread, I
> don't think firewalld is at a point where making it the default would be
> good for Fedora. Maybe it could be by F19. Reducing the dependency load is
> just one part of that.
>
> In the meantime, I think we should make sure a newly installed system with
> either firewalld or the old thing (now called iptables-service) has a
> sensible firewall out of the box. (Same all-closed-but-ssh as we've had
> forever, I expect.)

We _cannot_ have two different firewalls equally supported, each with its own command line and API. Applications won't support both equally, documentation won't support both equally, QA won't cover both equally, users will be confused. We'd get the 8-year duplication of init.d/network vs. NetworkManager all over again, and I personally strongly want to avoid that (this was a third of my FESCo election platform).

Mirek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel