Enhancement #3258

Drop lokkit support, always use shorewall

Added by Giacomo Sanchietti almost 6 years ago. Updated almost 6 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:<multiple packages>
Target version:v6.7-rc1
Resolution: NEEDINFO:No

Description

NethServer has two firewall implementations:
  • lokkit used when the server is server-only (only green interfaces)
  • shorewall when the server is server and gateway (green/red/orange/blue interfaces)

Both implementations are complicating the code and have a big drawback: the administrator can configure the server as a gateway only after installing the shorewall component.
Shorewall must be included inside the core system (and the ISO), lokkit implementation will be removed.

Associated revisions

Revision e5e04550
Added by Giacomo Sanchietti almost 6 years ago

Drop lokkit-based firewall implementation. Refs #3258

  • Enable Shorewall at boot
  • Disable iptables service at boot
  • Split UI into a different RPM

Revision 7b2a2565
Added by Giacomo Sanchietti almost 6 years ago

Drop lokkit-based firewall implementation. Refs #3258

  • Remove iptables templates
  • Remove lokkit-apply action
  • Simplify firewall-adjust action

Revision 2b78bc96
Added by Giacomo Sanchietti almost 6 years ago

Drop lokkit-based firewall implementation. Refs #3258

Revision a2730997
Added by Giacomo Sanchietti almost 6 years ago

Drop lokkit-based firewall implementation. Refs #3258

Revision fa86ac54
Added by Giacomo Sanchietti almost 6 years ago

Drop lokkit-based firewall implementation. Refs #3258

Revision a1a65e24
Added by Giacomo Sanchietti almost 6 years ago

Web UI: use InterfaceRoleList prop to list network available roles. Refs #3258

Revision f3be77bf
Added by Giacomo Sanchietti almost 6 years ago

DB: cleanup unused prop. Refs #3258

Revision adbe50bd
Added by Giacomo Sanchietti almost 6 years ago

Drop lokkit-based firewall implementation. Refs #3258

  • Enable Shorewall at boot
  • Disable iptables service at boot
  • Split UI into a different RPM

History

#1 Updated by Giacomo Sanchietti almost 6 years ago

  • Category set to <multiple packages>
  • Status changed from NEW to TRIAGED
  • Target version set to v6.7-rc1
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti almost 6 years ago

  • Subject changed from Drop lokkit support, always use lokkit to Drop lokkit support, always use shorewall

#4 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Packages in 6.7/nethserver-testing:
  • nethserver-base-2.8.1-1.2.ga1a65e2.ns6.noarch.rpm
  • nethserver-firewall-base-2.7.2-1.1.gadbe50b.ns6.noarch.rpm
  • nethserver-firewall-base-ui-2.7.2-1.1.gadbe50b.ns6.noarch.rpm
  • nethserver-dnsmasq-1.5.1-1.1.g2b78bc9.ns6.noarch.rpm
  • nethserver-hylafax-1.1.2-1.1.ga273099.ns6.noarch.rpm
  • nethserver-vsftpd-1.0.2-1.1.gfa86ac5.ns6.noarch.rpm
Test case 1
  • On a clean machine with at least one service running (eg. nethserver-httpd) execute:
    yum --enablerepo=nethserver-testing update @nethserver-iso
    
  • Check the service is still acccessible
  • Check rules are applied using Shorewall
Test case 2
  • On a machine where shorewall is installed update from testing
  • All whould work as before the update
  • To re-install the web interface:
    yum --enablerepo=nethserver-testing update @nethserver-firewall-base
    
Test case 3
  • After test case 1 or 2, install nethserver-dnsmasq
  • Check port 67-69 and 53 are open
Test case 4
  • After test case 1 or 2, install nethserver-vsftpd
  • Check nf_conntrack_ftp module is loaded:
    lsmod | grep nf_conntrack_ftp
    
Test case 5
  • After test case 1 or 2, install nethserver-hylafax
  • Check nf_conntrack_ftp module is loaded:
    lsmod | grep nf_conntrack_ftp
    

#6 Updated by Davide Principi almost 6 years ago

  • Assignee set to Davide Principi

#7 Updated by Davide Principi almost 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

Note: remove nethserver-password from nethserver-iso YUM group (see #3260)

#8 Updated by Davide Principi almost 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

CLOSED
In nethserver-base/6.7:
nethserver-base-2.9.0-1.ns6.noarch.rpm
nethserver-firewall-base-2.8.0-1.ns6.src.rpm
nethserver-firewall-base-ui-2.8.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.5.2-1.ns6.noarch.rpm
nethserver-hylafax-1.1.3-1.ns6.noarch.rpm
nethserver-vsftpd-1.0.3-1.ns6.noarch.rpm

Also available in: Atom PDF