Hello,

----- Original Message -----
> I'm maintaining a VPN server in Fedora and I'm wondering whether
> I'd need to integrate firewalld to that. After reading the information
> in https://fedoraproject.org/wiki/FirewallD I don't think I'm sure what
> I'm supposed to do.

I'd guess you only need to ensure a firewalld service definition for the VPN server exists.

> There are two issues:
> 1. Should my service turn on the firewall ports used by the server?
> As far as I understand, in order for the service to work out of the box
> I'd need to call firewall-cmd --port to enable the TCP and UDP ports
> used by the server, possibly from the systemd unit file (are there any
> hooks for that?).

A service manipulating the firewall for itself? Definitely not. Policy is for the administrator to define; applications opening ports for themselves is completely redundant to calling bind(). (We can discuss whether it would be appropriate to ship with a configuration that enables the service by default, but a very likely answer is "no"; we don't enable httpd by default, for example.)

> 2. What zone should the server put the clients they connect in? Should
> there be some special vpn zone or should I use one of the existing ones?
> (None of the existing ones looks very reasonable for that.)

How are the clients connected exactly? If the traffic looks like it arrives on a virtual interface, a zone should be assigned to that interface, using the existing system-wide configuration for that interface (/etc/sysconfig/network-scripts/ifcfg*) if at all possible (this might require extra code I don't know much about).

> However, what is not apparent to me as a Fedora packager is how that is
> supposed to be handled. Should the package handle any requirements by
> firewalld (i.e., the package is plug and play), or should the package defer
> to the administrator to configure firewalld separately (i.e., the package is
> installed but doesn't work by default)?

Packages should defer to the administrator.

(Note that the F21 _Workstation_ product will ship with a different default, and some Cloud images might have yet another. But in both cases the individual packages are not supposed to care.)

> I see that ssh and a few other
> services are enabled by default by firewalld configuration itself,

Those are the exceptions from the general default of keeping services disabled.

Mirek
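As an added illustration, not part of the thread above: the kind of firewalld service definition the reply says the package should ensure exists. A package ships it under /usr/lib/firewalld/services/ and opens nothing itself; the administrator decides whether to enable it with firewall-cmd. The service name example-vpn and the port numbers are placeholders, not taken from any real VPN package.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Placeholder file: /usr/lib/firewalld/services/example-vpn.xml
  (shipped by the package; an administrator override would live in
  /etc/firewalld/services/example-vpn.xml).

  Installing this file does not open any port. It only gives the
  administrator a named service to enable in the zone of their choice,
  which is the split of responsibility the reply describes:

    firewall-cmd --permanent --zone=public --add-service=example-vpn
    firewall-cmd --reload

  Port numbers below are constructed examples; a real package lists the
  TCP and UDP ports its daemon actually bind()s to, and nothing more.
-->
<service>
  <short>Example VPN</short>
  <description>
    Control channel and tunnel transport for the example-vpn server.
    Enable this service only in the zone of the interface that faces
    VPN clients.
  </description>
  <!-- Constructed example ports; replace with the daemon's real ones. -->
  <port protocol="tcp" port="4500"/>
  <port protocol="udp" port="4500"/>
</service>
```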