New UI Proposal
Firewalld replaced SuSEFirewall2 as the default firewall solution in openSUSE Leap 15.0 and SLE 15. Although YaST supports Firewalld under the hood, there is currently no YaST GUI to configure it (the upstream firewall-config tool is used instead), so we are in the process of defining a new one.
The idea behind this document is to serve as a starting point for discussing the new UI.
Let's start by showing some screenshots of the old UI so we can compare it with the new one.
In firewalld, zones are a core concept. By default, there is a set of predefined zones (public, dmz, trusted, etc.) but, unlike SuSEFirewall2, custom ones can be defined as well. Most of the configuration (open services, ports, custom rules, etc.) is defined on a per-zone basis. And, like SuSEFirewall2, each network interface can be associated with a zone.
Additionally, there are other generic configuration items, like IP sets, that are not bound to a specific zone.
With these concepts in mind, we are proposing a user interface similar to the one below:
The idea is to leverage the concept of zone, making clear which parts of the configuration are associated with zones and which parts are general.
- Interfaces: List of interfaces allowing the user to bind them to a given zone. We might consider removing this list and allowing the user to associate interfaces and zones in the next item (1 zone can contain many interfaces).
- Zones: List of zones allowing the user to add/remove them. Under this item the user can find one menu entry per zone (we could limit them to show only 'active' zones). See the next item.
- Zone Configuration: It will offer all configuration items for a given zone organized in a set of tabs. Please, ignore the tabs content as it is not defined at all yet.
- Logging Level: It will allow the user to set the logging level (analogous to the old one).
In the future, we could add other menu entries for items which are not defined within a single zone, like IP sets or Services (they can be defined and later associated with zones).
The user can specify a set of services to be allowed in a given zone using the Services tab.
Basically, there is a quite long list of known services and the user can select any number of them.
We are proposing four different interfaces (but we are still open to new ideas).
Please, do not pay too much attention to element alignment and the like. It will be improved in the final version.
All services are listed, and the user just "marks" the ones she/he wants to open. The downside is that the list is quite long and the user cannot easily see which services are open.
Two lists, side by side:
If we wanted to add the service description (instead of the short name) we might run out of space in 80x25. But we could use the short names on low resolutions.
If we want to add service descriptions, we might consider putting the lists one on top of the other.
Another option might be the old interface:
The downside is that the list is quite long and the selector might have a lot of options.
Apart from adding a set of allowed services to a zone, a user can add a set of ports specifying the number and the protocol. We are proposing two different options:
It is composed of just a set of text fields (one for each known protocol) where the user can add the list of port numbers.
Similar to the old interface for allowed services.