On Tue, 2014-12-09 at 07:27 +0100, Kevin Kofler wrote:
> Stephen Gallagher wrote:
> > Also, while I think it's been unclear in this thread, the main reason
> > that the firewall GUI was taken out was because the Workstation guys
> > want to design a more user-understandable one and include that directly
> > (if I am remembering that conversation correctly). The current one is
> > not terribly easy to understand (though it's certainly an improvement
> > over s-c-firewall).
>
> Huh? Especially the last part really makes me go "huh?". System-config-firewall
> is dead simple to use: I want service S to work, I check the box
> for service S if it's one of the common ones, or pick service S from the
> full /etc/services list if it's an uncommon one, or enter its port manually
> if it's some nonstandard service listening on an arbitrary port. I don't see
> how the UI can be any simpler.
>
> firewall-config is only complicated because firewalld is overly complex.

I'm a little puzzled that you decided to nitpick this one statement, which
was poorly phrased, and ignore the rest of my email, but okay, I'll bite.

I meant to say that firewall-config is in general much improved over
s-c-firewall, not that it was easy to understand. s-c-firewall only allowed
*exactly* what you described above and left you to manually configure the
firewall with the CLI if you needed anything more complicated than "open
this port on all interfaces". With firewall-config, it's possible to set up
fairly common firewall configurations like:

* Port forward between two interfaces, which is really useful with
  virtualization.
* Open this SMB port on these two multipath interfaces but not on this
  public interface or the management plane.

And so on.

And is firewalld overly complex? Sure. Firewalls *are* complex. Having used
both firewall-cmd and iptables extensively over the years, I'd pick
firewall-cmd any day. It's far easier to remember

  firewall-cmd --add-port=80/tcp

than it is to remember

  iptables -I INPUT -p tcp --dport 80 -j ACCEPT

(which I just had to Google to make sure I got it right, which I hadn't...).
So for the really simple cases that s-c-firewall used to handle, it's still
pretty darn easy.

Moreover, it's *significantly* easier to see (and understand) the current
firewall state on your system:

  firewall-cmd --list-all[-zones]

On my system, this results in:

  FedoraWorkstation (default, active)
    interfaces: em1 virbr0 virbr0-nic wlp4s0
    sources:
    services: dhcpv6-client dns freeipa-ldap freeipa-ldaps samba-client ssh
    ports:
    masquerade: no
    forward-ports:
    icmp-blocks:
    rich rules:

(and yes, you may notice that I've elected to close the ports >1024 that are
open by default in the Fedora Workstation zone, because I'm overly paranoid
and because I occasionally use non-Fedora software that I cannot fully trust
not to open ports without me checking on it)

Anyway, this post has admittedly gotten a bit rambling and off-topic, so
I'll end it here.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
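The two zone-based layouts the post lists (SMB only on the multipath interfaces, and a port forward into a VM behind virbr0) written out as the firewall-cmd calls they need, plus an audit over `--list-all[-zones]` output of the shape shown in the post. This is an added example, not code from the post or from firewalld; the zone name `storage`, the interface `em2`, the guest address and the forwarded port are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Zone and interface names and the
# forwarded port below are constructed for illustration.
set -e

PUBLIC_ZONE=FedoraWorkstation   # zone the post's box uses for its uplink
STORAGE_ZONE=storage            # assumed zone for the multipath links
PUBLIC_IF=wlp4s0
STORAGE_IFS="em1 em2"           # em2 is assumed
VM_ADDR=192.168.122.10          # assumed guest address on virbr0

# Print, rather than run, every firewall-cmd call: review the plan first,
# then feed it through "sh -e" (see apply) to make the change atomically.
plan() {
  # Case 1: SMB only on the multipath interfaces, never on the uplink zone.
  echo "firewall-cmd --permanent --new-zone=$STORAGE_ZONE"
  for ifc in $STORAGE_IFS; do
    echo "firewall-cmd --permanent --zone=$STORAGE_ZONE --change-interface=$ifc"
  done
  echo "firewall-cmd --permanent --zone=$STORAGE_ZONE --add-service=samba"
  echo "firewall-cmd --permanent --zone=$PUBLIC_ZONE --change-interface=$PUBLIC_IF"
  # Case 2: forward a port from the uplink to a VM behind virbr0, with
  # masquerading so the guest's replies are NATed back out the uplink.
  echo "firewall-cmd --permanent --zone=$PUBLIC_ZONE --add-masquerade"
  echo "firewall-cmd --permanent --zone=$PUBLIC_ZONE --add-forward-port=port=2222:proto=tcp:toport=22:toaddr=$VM_ADDR"
  echo "firewall-cmd --reload"
}

apply() { plan | sh -e; }

# Audit "firewall-cmd --list-all-zones" text on stdin: print each zone whose
# "services:" line lists the given service exactly (so "samba-client" does
# not count as "samba"), which makes an unintended exposure easy to spot.
zones_with_service() {
  awk -v svc="$1" '
    /^[^[:space:]]/ { zone = $1 }   # zone header, e.g. "FedoraWorkstation (default, active)"
    /^[[:space:]]+services:/ {
      for (i = 2; i <= NF; i++) if ($i == svc) print zone
    }'
}

case "${1:-plan}" in
  plan)  plan ;;
  apply) apply ;;
  audit) firewall-cmd --list-all-zones | zones_with_service "${2:-samba}" ;;
esac
```

Run with no arguments to print the plan, `apply` to execute it, and `audit [service]` on a live host to list the zones that expose a service.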