new firewall in F17


chrismurphy
12th April 2012, 07:09 PM
Background
http://lists.fedoraproject.org/pipermail/devel/2012-March/164826.html

Previous versions of Fedora had a "Firewall" GUI app for configuration and disabling. This is now gone with the move from iptables to firewalld. The firewalld-config tool is apparently still not done, and whatever state it's in, isn't being tested in beta because it's not in the beta.

The recommendation is to use firewall-cmd.

I'd kinda like to know what people think of this? My SOP is to use systemd to stop and disable firewalld. I'm not learning how to configure the firewall from the command line. I didn't have to with iptables. I can't imagine I'm the only person who feels this way.

vallimar
12th April 2012, 08:16 PM
I'll continue to stick with shorewall.

secipolla
12th April 2012, 08:25 PM

My box isn't a server, I don't even have a printer... so I removed firewalld, installed system-config-firewall, unchecked everything in the window that allows stuff and checked everything in the window that blocks stuff.
If I ever have any trouble or need to enable some service then I redo the configuration.

mtk
12th April 2012, 08:36 PM
+1 on that.

chrismurphy
12th April 2012, 08:44 PM
OK let me rein this back in and hopefully be more clear. For those of you who disable the firewall as your SOP, how do you do that? Do you go to the Firewall GUI app, click Disabled, click Apply, and then you're done? Or are you doing something else?

What I used to do with iptables/Firewall app was check mDNS so it was allowed, and then click Apply. What I do now, is use systemctl to stop and disable firewalld. I think that's kinda crap.

I'm sort of inclined to suggest on the developer list that firewalld not be included in F17 because it seems half baked. The GUI tool isn't installed by default, I'm not sure if it even can be installed yet. So it's not getting testing. It may even be vaporware as far as I can tell. I think the switch from iptables to firewalld in F17 is premature. But maybe I'm being unreasonable.

sillav
12th April 2012, 08:54 PM
I don't understand disabling services that can be uninstalled. Meaning you'll be getting updates for it which in addition to wasting bandwidth, maybe one of those updates re-enables it without telling you or creates some other obscure problem that prevents you from booting because it expects to be running and isn't. I know that stuff like that *shouldn't* happen, but it does, so just remove it.

yum remove firewalld
yum install system-config-firewall
system-config-firewall

chrismurphy
12th April 2012, 09:04 PM
> I don't understand disabling services that can be uninstalled. Meaning you'll be getting updates for it which in addition to wasting bandwidth, maybe one of those updates re-enables it without telling you or creates some other obscure problem that prevents you from booting because it expects to be running and isn't. I know that stuff like that *shouldn't* happen, but it does, so just remove it.

It's on the LiveCD. It's one of the reasons why I'm irritated with the regressive lack of a GUI means of stopping or disabling it.

Dutchy
12th April 2012, 10:53 PM
I like the idea of a dynamic firewall, I just hope it is done right.

chrismurphy
12th April 2012, 11:02 PM
I don't have a problem with the concept. I have a problem with the progress considering it's default in betas and supposed to be default in final. And yet the primary configuration tool isn't installed by default (or that I can find, available via yum).

Doug G
13th April 2012, 09:16 AM
Another issue in rc3 is that man firewall-cmd doesn't match what firewall-cmd -h shows.

secipolla
14th April 2012, 02:16 PM
Sorry to hack this topic, chrismurphy, but I would just like to add something to my post.
Regardless of the firewall settings, Fedora comes with ALL sorts of networking enabled so, in my common people lack of understanding, I'll search and remove that stuff (I'm starting right now).

seabird
19th April 2012, 07:09 PM
I think this firewalld will work fine once there is a better manual on it.

adding ports, no problem, but I would like to create a service which makes sense to me. GUI would help too

chrismurphy
19th April 2012, 07:37 PM
Looks like the GUI tool won't be done by final. So it wouldn't be in the LiveCD, yet firewalld would be enabled by default. FESCo is going to take it up next week, so there may be a reversion.

http://lists.fedoraproject.org/pipermail/devel/2012-April/166039.html

seabird
19th April 2012, 10:40 PM
> Looks like the GUI tool won't be done by final. So it wouldn't be in the LiveCD, yet firewalld would be enabled by default. FESCo is going to take it up next week, so there may be a reversion.
>
> http://lists.fedoraproject.org/pipermail/devel/2012-April/166039.html

Yes, it appears so. That is a bit of a shame actually. I liked the idea of a daemon and it actually works very well. No more restarting iptables etc. The cmd-line edit is a royal pain, agreed. As a novice: is it that hard to set up a GUI to open some ports?

chrismurphy
19th April 2012, 10:56 PM
> Yes, it appears so. That is a bit of a shame actually. I liked the idea of a daemon and it actually works very well. No more restarting iptables etc.

The loss of Networking Zones is also an unfortunate consequence, if there's a regression. But better than mass confusion. If there's an argument that a dynamic firewall is far less likely to depend on a GUI tool, then maybe it's still workable for F17. Guess we'll see...

seabird
19th April 2012, 11:13 PM
I think the current firewall is workable, and anyone who can use a commandline will be able to type:
firewall-cmd --add --service=http
firewall-cmd --add --port=5901/tcp
The only problem lies in which services are excepted? Where can we configure services? If the services are configurable in a text file then I vote for the daemon.

i.e. I want multiple ports open for my email server

firewalld.txt
email 993/tcp 25/tcp /????/udp
then
firewall-cmd --add --service=email

That would be the best solution, but like I said, I am a novice user at best. This for me is about running a server.

Honestly, if you want to run Linux but can't handle a cmdline..... run to a Mac.
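
The service-by-name setup seabird asks for above does exist in firewalld: a service is a small XML file (see the firewalld.service(5) man page), custom ones go under /etc/firewalld/services/ and the stock ones under /usr/lib/firewalld/services/. The script below is an added example and not code from the thread or from the firewalld project; it generates such a file from a port list so the definition can be reviewed before it is loaded. The ports 25/tcp and 993/tcp are the poster's own example, the udp port they left unspecified is omitted, and the firewall-cmd invocations in the comments use the current `--add-service=` form rather than the 2012 `--add --service=` form quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the firewalld project):
# write a firewalld service definition so a group of ports can be
# opened under one name instead of one --add --port per port.

# write_service NAME DIR PORT/PROTO...
# Writes DIR/NAME.xml in firewalld.service(5) format and prints its path.
# Only tcp and udp are accepted; anything else is rejected so a typo
# cannot silently produce a definition firewalld would refuse to load.
write_service() {
    name=$1; dir=$2; shift 2
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>Custom service generated for %s</description>\n' "$name"
        for spec in "$@"; do
            port=${spec%/*}
            proto=${spec#*/}
            case $proto in
                tcp|udp) ;;
                *) echo "bad protocol in $spec (want port/tcp or port/udp)" >&2; return 1 ;;
            esac
            printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}

# count_ports FILE: number of <port .../> entries, a quick sanity check
# that every port you meant to open actually landed in the file.
count_ports() {
    grep -c '<port ' "$1"
}

# Stand-alone demo: writes the poster's email service to a temp dir.
# On a real host you would point DIR at /etc/firewalld/services instead.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    f=$(write_service email "$d" 25/tcp 993/tcp)
    cat "$f"
    echo "ports defined: $(count_ports "$f")"
fi

# Loading it, as root on a firewalld host (assumed current syntax):
#   write_service email /etc/firewalld/services 25/tcp 993/tcp
#   firewall-cmd --reload               # make firewalld read the new file
#   firewall-cmd --add-service=email    # thread-era form: --add --service=email
```

Run as `sh script.sh demo` to see the generated XML. The file only describes the ports; nothing is opened until the service is added to a zone, which is what keeps "define" and "allow" as two separate, auditable steps.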

chrismurphy
19th April 2012, 11:30 PM
> Honestly, if you want to run Linux but can't handle a cmdline..... run to a Mac.

This is a specious assertion. It's like saying if you want to run Windows but can't handle viruses, run to Linux or a Mac.

Consider the regression that's occurring from F16 to F17 without a GUI configuration tool. Avahi, by default, appears to be blocked and the only way I gain device discoverability is, presently, to disable the entire firewalld service. Whereas on F16, I could choose to allow that specific service. I'm sure others have additional examples.

The feature page says the GUI configuration tool is the primary tool. Do you think it's proper for a feature to ship without the primary configuration tool?

seabird
19th April 2012, 11:38 PM
No, I do not think it should not have a GUI. As I stated earlier it would be of great help. The claim of viruses run to Mac is widely accepted (until recent). Fedora has always been cutting edge and innovative. Most users that need a GUI don't come to fedora. The lack of a good man page is more concerning at this point than a missing GUI.

I think the best way is to stick with firewalld and maybe even have a GUI later on. Pulling the feature (postponing) is a step back losing the zone control.

If people must have a GUI, they can always roll back to system-config-firewall and remove firewalld.

chrismurphy
20th April 2012, 12:11 AM
man pages and documentation for firewalld are expected this week.

It's not a matter of needing a GUI, it's that for many versions there has been a GUI. I suspect everyone who used the previous one, will look for it or its replacement. Upon not finding it, they will become confused. They will then have no choice but to either learn firewall-cmd, or opt to go to the effort to remove it and install the old Firewall configuration tool.

On the one hand you say it should have a GUI, but then make excuses for it not having one and that people can just go to the command line to configure or remove firewalld, entirely obviating "it should have a GUI". These two positions are incongruent. You either think the feature's primary configuration tool should be required or not. If it's not required, it hardly seems primary.

I agree that Networking Zones being delayed would be unfortunate.

seabird
20th April 2012, 12:18 AM
I think it should eventually have a GUI. I think the loss of the daemon outweighs the lack of GUI at this point. more about the priority. Personally I don't consider a GUI as primary configuration tool to any part, but a convenient add-on.

Anyways, we can go on like this for ages I am guessing. Just my $0.02 that I would like to see firewalld to stay as the default

chrismurphy
20th April 2012, 12:24 AM
> Personally I don't consider a GUI as primary configuration tool to any part, but a convenient add-on.

"primary" is not my term, and I also got it incorrect. The feature's owner calls it the "main configuration tool."

The feature page also says firewall-cmd contains most of the graphical tool's configuration features. i.e. not all.

So those combined tell me not all features are configurable by command line. You don't think this could be problematic?

seabird
20th April 2012, 12:28 AM
So, do I get this correct: I must run a visual environment to be able to have full options over my firewall? I see that as a problem. A lot of people I know run headless servers without X. CLI only should still be fully configurable. Don't you agree??

chrismurphy
20th April 2012, 12:41 AM
I don't know if headless servers is a required use case for Fedora, in contrast to RHEL. I'd expect maturity of firewall-cmd before firewalld appears on RHEL.

---------- Post added at 05:41 PM ---------- Previous post was at 05:39 PM ----------

I also don't know what features are in firewall-config but not in firewall-cmd.

Finalzone
20th April 2012, 02:30 AM
> Background
> http://lists.fedoraproject.org/pipermail/devel/2012-March/164826.html
>
> Previous versions of Fedora had a "Firewall" GUI app for configuration and disabling. This is now gone with the move from iptables to firewalld. The firewalld-config tool is apparently still not done, and whatever state it's in, isn't being tested in beta because it's not in the beta.
>
> The recommendation is to use firewall-cmd.


firewall-cmd could be an annoyance when it comes to setting up a network printer in System Settings from Gnome Shell. The command is straightforward after reading this firewalld default page (http://fedoraproject.org/wiki/Features/firewalld-default)

glennzo
20th April 2012, 11:49 PM
Here's the deal for me. It is what it is. When something changes with Fedora I usually complain and then I go try to figure it out.

I'm running Fedora 17 on a laptop and a desktop. Today I'm trying to mount an NFS share from the desktop to the laptop. The export is on the desktop. Now, the configuration is complete but this command, run on the laptop, fails:
mount.nfs phenom17:/mnt/freeagent /mnt/backup
By fails I mean that it times out. I sat and stared at the screen for a bit and then decided that the firewall on the desktop might be the problem. I stopped the firewall.
systemctl stop firewalld.service
Bam! The mount from the laptop to the desktop worked! The firewall is the problem I restarted the firewall .. because I want it running. With this epiphany in mind I set out to see what's up with configuring the Fedora 17 firewall. Seems, as stated in this thread, that all we have right now is firewall-cmd. As further stated in this thread, the man and help for firewall-cmd are conflicting. In my opinion they're both sparse. Using seabird's examples in post #16 I tried the following:
firewall-cmd --add --service=nfs
Without as much as a restart of the firewall I was again able to mount the share with the firewall running. Done. I got what I wanted and learned a tiny bit about firewalld and firewall-cmd.

It is what it is.
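
glennzo's write-up above is the usual shape of a firewall problem: a timeout rather than a refusal, fixed by stopping the whole daemon, then narrowed down to one service. The script below is an added example and not code from the thread or from the firewalld project; it takes the output of `firewall-cmd --list-services` and reports which of the services an NFS server needs are missing, so the fix can be scoped to those instead of `systemctl stop firewalld.service`. It assumes firewalld's stock service names (nfs for NFSv4, plus rpc-bind and mountd for NFSv3) and the current `--add-service=` / `--permanent` syntax, not the 2012 `--add --service=` form used in the post; the sample service list is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or the firewalld project):
# work out which firewalld services an NFS server is missing from
# `firewall-cmd --list-services` output, and print the narrowest fix.

# nfs_needed VERSION: the firewalld stock services an NFS server of
# that protocol version must allow. NFSv4 multiplexes everything over
# 2049; NFSv3 also needs the portmapper and mountd (assumed stock names).
nfs_needed() {
    case $1 in
        4) echo "nfs" ;;
        3) echo "nfs rpc-bind mountd" ;;
        *) echo "unknown NFS version: $1" >&2; return 1 ;;
    esac
}

# missing_services "ALLOWED" NEEDED...
# ALLOWED is the space-separated list firewall-cmd --list-services prints.
# Prints each needed service that is absent, one per line; returns 1 if
# any is missing so the result is usable in an if/&& chain.
missing_services() {
    allowed=" $1 "; shift
    rc=0
    for svc in "$@"; do
        case $allowed in
            *" $svc "*) ;;
            *) echo "$svc"; rc=1 ;;
        esac
    done
    return $rc
}

# suggest_commands "ALLOWED" VERSION
# Prints the firewall-cmd invocations that open only what is missing.
# The first line of each pair changes the running firewall at once (what
# glennzo saw: no restart needed); the --permanent line is what survives
# a reload or reboot, which a runtime-only add does not.
suggest_commands() {
    needed=$(nfs_needed "$2") || return 1
    missing_services "$1" $needed | while read -r svc; do
        echo "firewall-cmd --add-service=$svc"
        echo "firewall-cmd --permanent --add-service=$svc"
    done
}

# Stand-alone demo with a constructed service list (ssh and the
# DHCPv6 client allowed, nothing for NFS), as for an NFSv3 export.
if [ "${1:-}" = "demo" ]; then
    sample="dhcpv6-client ssh"
    echo "allowed now: $sample"
    suggest_commands "$sample" 3
fi
```

On a live host the allowed list comes from `firewall-cmd --list-services` (run with the same zone options you use elsewhere) and the printed commands are run as root. The point of the two-line pairs is the runtime/permanent split in firewalld's design: the single `--add --service=nfs` in the post opens the port immediately but only in the running configuration, so the same timeout comes back after the next reload or reboot unless the permanent form is also applied.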

seabird
20th April 2012, 11:52 PM
I know, firewalld is cool!!!!!

glennzo
21st April 2012, 12:17 AM
> I know, firewalld is cool!!!!!
It will be just fine once we get the hang of it. I understand the frustrations too.

dd_wizard
21st April 2012, 01:44 AM
If you update to the latest firewalld and firewall-applet in koji, you get corrected --help information, better man pages, and a cute icon in the system tray. This sure seems convoluted, but "it is what it is." :)

If you like cinnamon or mate, or are forced to fall back mode for some reason, do the following:

1. You can run gnome-session-properties from the command line. Then you can add and control login programs.

Or

1. You can search for the thread on how to get alacarte running on F16, and do the same work around for F17. How long does it take to fix a bug? At least two releases! :doh: :p

2. Install alacarte and run it from the menu. It's Preferences > Main Menu, appropriately. :)

3. In alacarte, AKA Main Menu, navigate to Preferences and check Startup Applications, it's disabled by default. :sigh:

4. Then you can start gnome-session-properties from the menu.

Most will select the CLI, I'm guessing. But it's nice to get back some of the useful tools from gnome 2, so I opted for the second method. My guess is, the gnome devs forgot to put Startup Applications in the System Settings GUI. Of course, if you like gnomes-hell, you can search for gnome-session-properties and run it from the Applications view.

However you get gnome-session-properties running, add a startup program with the command firewall-applet and you get the attached icon, tool tip, and a right click menu.

dd_wizard

dd_wizard
21st April 2012, 01:54 AM
BTW, aren't those awesomely sharp fonts?

dd_wizard

GoinEasy9
21st April 2012, 03:35 AM
@dd_wizard Yes they are. Are they default, or would you like to share which font you used and if you modified them? Like anti-aliasing, or, auto-hinting, or, whatever it is they call it? We used the Droid Font in "siduction" and the font looked similar, but I like yours better. Please .. Please .. Input, I need input. :)

dd_wizard
23rd April 2012, 12:01 AM
I installed the infinality patches repo as shown about halfway down this page (http://www.infinality.net/blog/infinality-freetype-patches/). I'm on a different machine now, but I'm pretty sure I ended up with slight hinting and RGB anti-aliasing. Originally, I had to use --releasever=16 to install them, but I noticed I'm getting updates now without tweaking the version. So I assume there's an F17 repo now.

GoinEasy9
25th April 2012, 05:04 AM
Thanks dd

I'm going to give it a try when I do my F17 install. I don't usually bother with the fonts, but they looked so great, I figured they were worth giving a try.

chrismurphy
29th April 2012, 08:41 PM
Firewalld as default firewall is being pushed back to F18. It will still be available in F17, but iptables will continue to be the default firewall.

https://fedorahosted.org/fesco/ticket/838

Dutchy
30th April 2012, 12:37 AM
That's a bummer but a good decision.
It's better to offer a not ready for prime time feature than to force it.
I still hope for a usable GUI to play with and maybe put to use in F17.