[Pkg-utopia-maintainers] firewall maintainers, unite!

Joost van Baal-Ilić joostvb at debian.org
Tue Aug 13 23:51:14 BST 2019


Hi,

gustavo: thanks for bringing this up.  Installing multiple firewall tools could
indeed cause big trouble for those not experienced with such tools.

I like Erich's idea: a "Conflicts:" would be too blunt a tool.  Once a
consensus has formed I'd be very happy to adjust the uruk package.

I'm Cc-ing https://lists.debian.org/debian-firewall/ and moving the original list
of recipients to Bcc; I feel this discussion could use a more public place.

Bye,

Joost


On Wed, Jul 24, 2019 at 11:11:20PM +0200, Erich Schubert wrote:
> Hi,
> 
> 1. People may want to try out different tools, and many tools can be
> disabled in one way or another; so being installed at the same time does not
> imply they are being used at the same time and interfering. A similar issue
> arises for example with display managers. Conflicts are the wrong way of
> handling this, because you prohibit users from trying out different tools
> easily.
> 
> In particular, firewall tools usually need to be configured and will not
> automatically run (as this could lock you out in the worst case).
> 
> 2. They are not necessarily incompatible.
> 
> pyroman generates iptables-restore scripts, because this is much faster to
> load than repeated invocations of iptables.
> 
> But that means it actually makes sense to combine this in particular with
> iptables-persistent.
> 
> And I even have a system where I have iptables-persistent installed along
> with pyroman.
> 
> So please do NOT add "conflicts".
> 
> To quote Debian policy:
> 
> > Neither Breaks nor Conflicts should be used unless two packages cannot be
> > installed at the same time or installing them both causes one of them to be
> > broken or unusable. Having similar functionality or performing the same
> > tasks as another package is not sufficient reason to declare Breaks or
> > Conflicts with that package.
> 
> At maximum, the solution should be a debconf question asking the user which
> firewall tool to use if multiple are installed, as done for example with
> display managers such as gdm, kdm, lightdm. But since these tools usually
> need to be configured anyway to be useful, I don't see much benefit of doing
> this.
> 
> What I can imagine is, however, introducing some indicator that allows one
> tool to detect that another tool is being used at the same time. For
> example, all tools could generate some unused iptable "firewall-tool-name-X"
> and check the presence of such tables as an indicator for possible
> misconfiguration to warn the user.
> 
> Regards,
> Erich
> 
> On 22.07.19 21:57, gustavo panizzo wrote:
> >
> >Hello,
> >
> >This email is regarding an iptables manager on which you are listed as
> >maintainer [1].
> >
> >I maintain iptables-persistent, a script to set up iptables rules at
> >boot; all of you maintain [1] a firewall manager.
> >
> >I was working on #926927 when I realized that users can install our
> >packages at the same time, which will surely cause them problems.
> >
> >I think that besides implementing something along the proposed solution
> >to #926927 we should implement package level Conflicts [2] between our
> >packages. Maybe to make it easier and extendable we should all Provide and
> >Conflict with a meta-package (firewall-manager?).
> >
> >What do you guys think?
> >
> >
> >
> >[1] -
> >Package: uruk
> >Maintainer: Joost van Baal-Ilić <joostvb at debian.org>
> >Package: ufw
> >Maintainer: Jamie Strandboge <jamie at ubuntu.com>
> >Package: uif
> >Maintainer: Mike Gabriel <sunweaver at debian.org>
> >Package: sidedoor
> >Maintainer: Dara Adib <daradib at ocf.berkeley.edu>
> >Package: shorewall
> >Maintainer: Roberto C. Sanchez <roberto at connexer.com>
> >Package: pyroman
> >Maintainer: Erich Schubert <erich at debian.org>
> >Package: ipkungfu
> >Maintainer: Luis Uribe <acme at eviled.org>
> >Package: arno-iptables-firewall
> >Maintainer: Debian Security Tools <team+pkg-security at tracker.debian.org>
> >Package: ferm
> >Maintainer: Alexander Wirt <formorer at debian.org>
> >Package: firehol
> >Maintainer: Jerome Benoit <calculus at rezozer.net>
> >Package: firewalld
> >Maintainer: Utopia Maintenance Team
> ><pkg-utopia-maintainers at lists.alioth.debian.org>
> >
> >let me know if I missed anybody or any package.
> >
> >[2] - https://www.debian.org/doc/debian-policy/ch-relationships.html
> >
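
The marker check Erich describes in the quoted message could look like the following. This is an added example, not code from any package named in this thread; it assumes each tool creates an empty user-defined chain named `fwtool-<tool>` (a hypothetical convention) and it reads `iptables-save` output, here a constructed sample.

```python
import re

MARKER_PREFIX = "fwtool-"  # assumed convention for this example, not an existing standard
MAX_CHAIN_NAME = 28        # iptables refuses chain names of 29 or more characters

# Constructed iptables-save output in which two tools left a marker chain.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fwtool-pyroman - [0:0]
:fwtool-uruk - [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:fwtool-pyroman - [0:0]
COMMIT
"""

CHAIN_DECL = re.compile(r"^:(\S+)\s+(\S+)")  # ":<chain> <policy> [pkts:bytes]"

def marker_name(tool):
    """Chain name a tool would create; fails if iptables would reject it."""
    name = MARKER_PREFIX + tool
    if len(name) > MAX_CHAIN_NAME:
        raise ValueError(f"marker chain {name!r} exceeds {MAX_CHAIN_NAME} characters")
    return name

def find_markers(dump):
    """Map tool name -> sorted list of tables that contain its marker chain."""
    table, found = None, {}
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.strip() == "COMMIT":
            table = None
        elif table and (m := CHAIN_DECL.match(line)):
            chain, policy = m.groups()
            # Built-in chains carry a policy (ACCEPT/DROP); user-defined ones show "-".
            if policy == "-" and chain.startswith(MARKER_PREFIX):
                found.setdefault(chain[len(MARKER_PREFIX):], set()).add(table)
    return {tool: sorted(tables) for tool, tables in found.items()}

def other_tools(dump, me):
    """Tools other than `me` whose marker is present in the loaded ruleset."""
    marker_name(me)  # validate our own marker name first
    return sorted(tool for tool in find_markers(dump) if tool != me)

if __name__ == "__main__":
    for tool in other_tools(SAMPLE_DUMP, "pyroman"):
        print(f"warning: '{tool}' also appears to have rules loaded")
```

The length check matters for a shared convention: with this prefix, a name as long as `arno-iptables-firewall` would not fit in a chain name.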


