Hi, what is the policy regarding software that requires modifications to the firewall in order to run?
Specifically, I'm packaging sshguard (a brute-force blocking software similar to fail2ban, I've asked about it here before [1]), which maintains a list of blocked IPs/subnets in ipsets. When using firewalld and nftables, these ipsets are created automatically when the program first runs, but for iptables the user has to set them up beforehand.
- should the (iptables sub-)package set these up during first install instead? If not, should the user be notified of the required steps in e.g. a scriptlet?
- for all backends, should the ipsets be removed when the package is uninstalled?
I think similar arguments as for user creation/deletions apply, so would go for create-automatically-and-never-delete, but maybe there already is an existing policy on this? I had a look at the fail2ban spec, but fail2ban seems to take care of firewall configuration entirely on its own.
Best, Christopher
[1] https://lists.fedoraproject.org/archives/list/packaging@lists.fedoraproject....
packaging@lists.fedoraproject.org
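As an added illustration of the create-automatically-and-never-delete approach discussed above (this is not code from the mail or from the sshguard project): an idempotent helper that a %post scriptlet of the iptables sub-package could call, with a dry-run mode for inspection. The set names sshguard4/sshguard6, the hash:net type and the address families are assumptions about sshguard's iptables backend.

```shell
#!/bin/sh
# Added example, not from the original mail or from sshguard itself.
# Assumed ipset names and families for sshguard's iptables backend:
SSHGUARD_SETS="sshguard4:inet sshguard6:inet6"

# run_cmd executes its arguments, or only prints the command line when
# DRY_RUN=1, so the scriptlet's effect can be reviewed without root.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_sshguard_ipsets creates each set with ipset's -exist flag: an
# existing set (including its blocked entries) is left untouched, so the
# call is safe on first install, reinstall and upgrade alike. There is
# deliberately no matching "destroy" step for %postun: like a system user
# created by a package, the sets stay behind on uninstall, which also keeps
# a still-loaded iptables rule that references them from failing.
create_sshguard_ipsets() {
    for entry in $SSHGUARD_SETS; do
        name=${entry%%:*}
        family=${entry#*:}
        run_cmd ipset create -exist "$name" hash:net family "$family" || return 1
    done
}

# Intended use from the spec file (assumed layout):
#   %post iptables
#   . %{_libexecdir}/sshguard/ipsets.sh && create_sshguard_ipsets || :
# The trailing "|| :" keeps a missing ipset binary (e.g. in a container
# build root) from failing the transaction.
if [ "${1:-}" = "--run" ]; then
    create_sshguard_ipsets
fi
```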