What is the policy regarding software that requires modifications to the
firewall in order to run?

Specifically, I'm packaging sshguard (a brute-force blocking software
similar to fail2ban, I've asked about it here before [1]), which
maintains a list of blocked IPs/subnets in ipsets. When using firewalld
and nftables, these ipsets are created automatically when the program
first runs, but for iptables the user has to set them up beforehand.

- Should the (iptables sub-)package set these up during first install
  instead? If not, should the user be notified of the required steps in
  e.g. a scriptlet?
- For all backends, should the ipsets be removed when the package is
  uninstalled?

I think similar arguments as for user creation/deletions apply, so would
go for create-automatically-and-never-delete, but maybe there already is
an existing policy on this? I had a look at the fail2ban spec, but
fail2ban seems to take care of firewall configuration entirely on its own.
Best,
Christopher
[1]
https://lists.fedoraproject.org/archives/list/packaging@xxxxxxxxxxxxxxxxxxxxxxx/message/HMLAUWJV6YRNLNDXDU2WGDQGG7TNNV6B/