On Sat, 2008-08-02 at 17:03 -0500, Mike McGrath wrote:
> Even in the RH family type stuff I'm not quite sure the best
> way to manage firewalls. We're doing them with puppet templates right now
> but our firewall rules are fairly simple.
> Perhaps the firewall standard could explicitly focus on iptables to at
> least not be RH specific but trying to write up something for a lot of
> different types of firewalls seems a bit out of scope for CSI.
It's quite likely out-of-scope for CSI, though a vexing problem
nonetheless. One of the problems with iptables in particular is that
there is no user-level model of what iptables does: you configure it
directly by essentially putting kernel-internal data structures into the
'config' file.
My favorite example is that you use iptables (and often the same file)
to open port 80 _and_ to forward packets across a bridged network
interface. From a user's point of view the two have no connection
whatsoever, one being an application-level configuration, the other
being a fairly low-level network plumbing issue.
Anyway, won't help CSI much ;)
David
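An added illustration of David's point above, not part of the thread or of any CSI/Fedora tooling: a small Python script that reads an iptables-save dump and sorts the rules into "services exposed on this host" (filter/INPUT accepts on a port), "network plumbing" (FORWARD, nat and bridge rules) and "other". The sample dump is constructed for the example, not taken from any real host, and the bucket names and classification heuristics are my own assumptions; they are exactly the crude user-level model that the raw rule file does not carry.

```python
"""Build a rough user-level view of an iptables-save dump.

Added example: separates the rules that expose a service on the host
(what an application owner cares about) from the ones that are network
plumbing (FORWARD / nat / bridge), which iptables stores side by side in
the same file with no distinction between them.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in iptables-save format (assumption: not from any real host).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


@dataclass
class Rule:
    table: str
    chain: str
    opts: Dict[str, Optional[str]] = field(default_factory=dict)
    raw: str = ""


def _parse_opts(tokens: List[str]) -> Dict[str, Optional[str]]:
    """Turn '-p tcp --dport 80 -j ACCEPT' into {'-p': 'tcp', '--dport': '80', ...}.
    Options without an argument (e.g. --physdev-is-bridged) map to None."""
    opts: Dict[str, Optional[str]] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                opts[tok] = tokens[i + 1]
                i += 2
            else:
                opts[tok] = None
                i += 1
        else:
            i += 1  # stray token such as '!' negation; ignored in this crude model
    return opts


def parse_rules(dump: str) -> List[Rule]:
    """Parse the '-A CHAIN ...' lines of an iptables-save dump, tracking the
    current '*table' so each rule knows which table it belongs to."""
    rules: List[Rule] = []
    table: Optional[str] = None
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A ") and table is not None:
            tokens = shlex.split(line)
            rules.append(Rule(table, tokens[1], _parse_opts(tokens[2:]), line))
        # ':CHAIN POLICY [...]' and 'COMMIT' lines carry no rule
    return rules


def classify(rules: List[Rule]) -> Dict[str, list]:
    """Assumed heuristics: an ACCEPT in filter/INPUT with --dport is an exposed
    service; anything in FORWARD, in the nat table, or matching on bridge
    state is plumbing; the rest (loopback, conntrack) is housekeeping."""
    buckets: Dict[str, list] = {"exposed_services": [], "plumbing": [], "other": []}
    for r in rules:
        if (r.table == "filter" and r.chain == "INPUT"
                and "--dport" in r.opts and r.opts.get("-j") == "ACCEPT"):
            port = r.opts["--dport"] or ""
            port_val = int(port) if port.isdigit() else port
            buckets["exposed_services"].append(
                (r.opts.get("-p") or "any", port_val, r.opts.get("-s") or "any"))
        elif r.chain == "FORWARD" or r.table == "nat" or "--physdev-is-bridged" in r.opts:
            buckets["plumbing"].append(r.raw)
        else:
            buckets["other"].append(r.raw)
    return buckets


def exposed_services(dump: str) -> List[Tuple[str, object, str]]:
    """Convenience: (proto, port, allowed source) for each service the host accepts."""
    return classify(parse_rules(dump))["exposed_services"]


if __name__ == "__main__":
    for name, items in classify(parse_rules(SAMPLE_DUMP)).items():
        print(f"== {name} ==")
        for item in items:
            print("  ", item)
```

Run against the sample, the script reports port 80 open to anyone and port 22 open only to 192.0.2.0/24 under "exposed_services", while the bridge and masquerade rules land in "plumbing"; the raw file gives no hint of that split, which is why a template-driven tool like the puppet setup Mike mentions has to impose the model from outside.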