On 7/16/19 11:07 AM, Arturo Borrero Gonzalez wrote:
> For the next release cycle I propose we move this default event further.
> As of this email, iptables [0] is Priority: important and nftables [1] is
> Priority: optional in both buster and bullseye. The important value means the
> package gets installed by default in every Debian install.
>
> Also, I believe the days of using a low level tool for directly configuring the
> firewall may be gone, at least for desktop use cases. It seems the industry more
> or less agreed on using firewalld [2] as a wrapper for the system firewall.

Gosh, no... The industry agrees to use whatever is convenient for the application it is maintaining. Let me give an example. In OpenStack, Neutron does the networking. It is supposed to handle *all* of what goes in iptables, via neutron-openvswitch-agent. At no point have I read anyone proposing to switch away from using iptables directly and use firewalld instead.

Please do not try to imagine what people do with iptables. You'd be wrong in many cases.

BTW, when using Neutron with Buster, I was very surprised that *in some cases*, it completely breaks if we don't have iptables-legacy as the installed alternative. It took me a long time to figure out that the iptables-nft implementation, while looking similar, isn't producing the same output, and therefore breaks Neutron in some corner cases. Hopefully, upstream will work on that, but this was a very bad surprise that I had to address when running in production (as it *looks like* it is working at first, but in fact doesn't in the long run).

> There are plenty of system services that integrate with firewalld anyway [3].
> By the way, firewalld is using (or should be using) nftables by default at this
> point.

I have no experience running firewalld myself, but my only message is: please don't break other people's computers. Hopefully, having firewalld by default will not (but you never know, when these ...d services rush into Debian too fast...).

> 2) introduce firewalld as the default firewalling wrapper in Debian, at least in
> desktop related tasksel tasks.

I don't mind for desktop cases much, I know how to fix things. I'm more scared if this breaks newbies, and server side. For servers, maybe don't install stuff by default, and let the admin decide?

Hopefully, both will be taken care of, right?

Cheers,

Thomas Goirand (zigo)