• firewall maintainers, unite!

    From Joost van Baal-Ilić@21:1/5 to Erich Schubert on Wed Aug 14 01:00:01 2019

    gustavo: thanks for bringing this up. Installing multiple firewall tools could indeed cause big trouble for those not experienced with such tools.

    I like Erich's idea: a "Conflicts:" would be a too blunt tool. Once a consensus has formed I'd be very happy to adjust the uruk package.

    I'm Cc-ing https://lists.debian.org/debian-firewall/ and moving original list of recipients to Bcc; I feel this discussion could use a more public place.



    On Wed, Jul 24, 2019 at 11:11:20PM +0200, Erich Schubert wrote:

    1. People may want to try out different tools, and many tools can be
    disabled in one way or another; so being installed at the same time does not imply they are being used at the same time and interfering. A similar issue arises for example with display managers. Conflicts are the wrong way of handling this, because you prohibit users from trying out different tools easily.

    In particular, firewall tools usually need to be configured and will not automatically run (as this could lock you out in the worst case).

    2. They are not necessarily incompatible.

    pyroman generates iptables-restore scripts, because this is much faster to load than repeated invocations of iptables.

    But that means it actually makes sense to combine this in particular with iptables-persistent.

    And I even have a system where I have iptables-persistent installed along with pyroman.

    So please do NOT add "conflicts".

    To quote Debian policy:

    Neither Breaks nor Conflicts should be used unless two packages cannot be
    installed at the same time or installing them both causes one of them to be broken or unusable. Having similar functionality or performing the same
    tasks as another package is not sufficient reason to declare Breaks or Conflicts with that package.

    At maximum, the solution should be a debconf question asking the user which firewall tool to use if multiple are installed, as done for example with display managers such as gdm, kdm, lightdm. But since these tools usually need to be configured anyway to be useful, I don't see much benefit in doing this.

    What I can imagine is, however, introducing some indicator that allows one tool to detect that another tool is being used at the same time. For
    example, all tools could generate some unused iptable "firewall-tool-name-X" and check the presence of such tables as an indicator for possible misconfiguration to warn the user.


    On 22.07.19 21:57, gustavo panizzo wrote:


    This email is regarding an iptables manager on which you are listed as maintainer [1].

    I maintain iptables-persistent, a script to set up iptables rules at
    boot; all of you maintain [1] a firewall manager.

    I was working on #926927 when I realized that users can install our
    packages at the same time, which will surely cause them problems.

    I think that besides implementing something along the proposed solution
    to #926927 we should implement package level Conflicts [2] between our packages. Maybe to make it easier and extendable we should all Provide and Conflict
    with a meta-package (firewall-manager?)

    what do you guys think?

    [1] -
    Package: uruk
    Maintainer: Joost van Baal-Ilić <joostvb@debian.org>
    Package: ufw
    Maintainer: Jamie Strandboge <jamie@ubuntu.com>
    Package: uif
    Maintainer: Mike Gabriel <sunweaver@debian.org>
    Package: sidedoor
    Maintainer: Dara Adib <daradib@ocf.berkeley.edu>
    Package: shorewall
    Maintainer: Roberto C. Sanchez <roberto@connexer.com>
    Package: pyroman
    Maintainer: Erich Schubert <erich@debian.org>
    Package: ipkungfu
    Maintainer: Luis Uribe <acme@eviled.org>
    Package: arno-iptables-firewall
    Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
    Package: ferm
    Maintainer: Alexander Wirt <formorer@debian.org>
    Package: firehol
    Maintainer: Jerome Benoit <calculus@rezozer.net>
    Package: firewalld
    Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>

    let me know if I missed anybody or any package.

    [2] - https://www.debian.org/doc/debian-policy/ch-relationships.html

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
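Erich's suggestion above, that every firewall manager leaves an unused, tool-specific marker in the ruleset and checks for the markers of other tools before warning the user, can be sketched as a small POSIX shell helper. This is an added example written for this page, not code from any of the packages listed in the thread. It assumes a naming convention the thread does not fix: each tool creates an empty user-defined chain `fwtool-<name>` in the `filter` table (iptables lets a tool create chains, not tables, so a chain stands in for the "unused iptable" in the mail). The detection part reads `iptables-save` formatted text from stdin so it can be exercised against a constructed sample without root or a live netfilter.

```shell
#!/bin/sh
# Added example: marker chains for detecting several active firewall managers.
# Assumed convention (hypothetical, not from the thread): each tool owns an
# empty chain named "fwtool-<toolname>" in the filter table.

MARKER_PREFIX="fwtool-"

# Read iptables-save output on stdin and print, one per line, the names of
# tools other than "$1" that have left a marker chain. Chain definitions in
# iptables-save look like ":fwtool-ufw - [0:0]".
other_firewall_tools() {
    me="$1"
    sed -n "s/^:${MARKER_PREFIX}\([A-Za-z0-9_.-]*\) .*/\1/p" \
        | grep -v "^${me}\$" || true
}

# Return 0 when no other tool's marker is present, 1 (with a warning on
# stderr) when the ruleset looks like it is managed by more than one tool.
check_for_conflicts() {
    me="$1"
    others=$(other_firewall_tools "$me")
    if [ -n "$others" ]; then
        printf 'warning: other firewall tools appear to be active: %s\n' \
            "$(printf '%s\n' "$others" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Create this tool's own marker chain. Needs root and a working iptables;
# it is deliberately not exercised by the offline demo below.
register_marker() {
    iptables -t filter -N "${MARKER_PREFIX}$1" 2>/dev/null || true
}

# Constructed sample of iptables-save output: a host where ufw and pyroman
# have both left their marker chains.
SAMPLE_SAVE='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fwtool-ufw - [0:0]
:fwtool-pyroman - [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Stand-alone demo: pyroman checking the sample ruleset before applying its own.
demo() {
    if printf '%s\n' "$SAMPLE_SAVE" | check_for_conflicts pyroman; then
        echo "no other firewall manager detected"
    else
        echo "refusing to proceed silently; ask the user which tool should manage the rules"
    fi
}

demo
```

In a real tool the stdin would be `iptables-save` itself (`iptables-save | check_for_conflicts pyroman`), run before the tool loads its generated ruleset; because `iptables-persistent` only restores whatever is saved, a marker created by another manager survives a reboot and is still visible to the next tool that checks.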