
Re: default firewall utility changes for Debian 11 bullseye



On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> For the next release cycle I propose we move this default event further.
> As of this email, iptables [0] is Priority: important and nftables [1] is
> Priority: optional in both buster and bullseye. The important value means the
> package gets installed by default in every Debian install.
> 
> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.

Gosh, no...
The industry agrees to use whatever is convenient for the application it
is maintaining. Let me give an example.

In OpenStack, Neutron does the networking. It is supposed to handle
*all* of what goes in iptables, via neutron-openvswitch-agent. At no
point have I read anyone proposing to switch away from using iptables
directly and using firewalld instead.

Please do not try to imagine what people do with iptables. You'd be
wrong in many cases.

BTW, when using Neutron with Buster, I was very surprised that *in some
cases*, it completely breaks if we don't have iptables-legacy as the
installed alternative. It took me a long time to figure out that the
iptables-nft implementation, while looking similar, isn't producing the
same output, and is therefore breaking Neutron in some corner cases.
Hopefully, upstream will work on that, but this was a very bad surprise
that I had to address when running in production (as it *looks like* it
is working at first, but in fact doesn't in the long run).

> There are plenty of system services that integrate with firewalld anyway [3].
> By the way, firewalld is using (or should be using) nftables by default at this
> point.

I have no experience running firewalld myself, but my only message is:
please don't break other people's computers. Hopefully, having firewalld
by default will not (but you never know, when these ...d services rush
into Debian too fast...).

> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.

I don't mind much for desktop cases, I know how to fix things. I'm more
scared if this breaks newbies, and the server side. For servers, maybe don't
install stuff by default, and let the admin decide? Hopefully, both will
be taken care of, right?

Cheers,

Thomas Goirand (zigo)
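The reply above describes the trap of iptables-nft looking like iptables-legacy while behaving differently, and of rules ending up split across the two backends. The first thing an operator wants to know on a Buster or later host is which backend the `iptables` alternative actually points at, and whether rules exist in the other one. The following is an added example written for this page, not code from the thread or from Debian; it assumes the `(nf_tables)` / `(legacy)` suffix that iptables 1.8.x prints with `-V`, and the `iptables-legacy tables present` warning that iptables-nft emits when it finds legacy tables. Both strings are checked against constructed sample output in the test, and the live check only runs if `iptables` is installed.

```shell
# Added example (not part of the original thread): classify which iptables
# backend a host uses and detect the mixed legacy/nft situation described
# in the message. The "(nf_tables)" / "(legacy)" version suffixes and the
# warning text are the ones iptables 1.8.x prints; their exact wording is
# an assumption here, so verify against the version you have installed.

# iptables_backend VERSION_LINE -> prints nf_tables | legacy | unknown
# (pre-1.8 releases print no suffix at all, hence "unknown")
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# has_legacy_tables_warning RULE_DUMP -> exit 0 if iptables-nft warned that
# legacy tables also exist (rules split across two backends), else 1
has_legacy_tables_warning() {
    printf '%s\n' "$1" | grep -q 'iptables-legacy tables present'
}

# Live check, only when iptables is present: which backend is the active
# alternative, and are there rules hiding in the other one? Listing rules
# needs root; without it the dump is just an error and no warning matches.
if command -v iptables >/dev/null 2>&1; then
    backend=$(iptables_backend "$(iptables -V 2>/dev/null)")
    echo "active iptables backend: $backend"
    if [ "$backend" = nf_tables ] && has_legacy_tables_warning "$(iptables -S 2>&1)"; then
        echo "WARNING: legacy tables also present; some rules are only visible via iptables-legacy"
    fi
fi
```

On a Debian system `update-alternatives --display iptables` shows the same choice from the packaging side; the version-string check is useful because it reflects what the `iptables` binary on the PATH really is, which is what tools like neutron-openvswitch-agent end up calling.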

