On 15.11.2012 19:37, Kevin Fenzi wrote:
>>> Have you actually _tried_? It's supposed to be as easy as
>>> s/iptables/firewall-cmd --direct --passthrough ipv4/
>>>
>>> I don't know for a fact whether it is good enough. You seem to
>>> have a script that could tell us.
>>
>> I posted a script earlier this day as a .txt file with
>> masked network details, but it did not go through list
>> moderation AFAIK until now
>
> Everyone on this list doesn't need a copy of your (lengthy) iptables
> script, IMHO.
> Perhaps the two of you could continue this off line and test and report
> back to the list?
your argumentation is NOT helpful
I can NOT test an iptables.sh replacement for a whole INFRASTRUCTURE
I can NOT post an unmasked version with IP addresses and hostnames
I can NOT simulate a whole network with around 100 machines
even if I could do all this, it would be VERY difficult to RE-AUDIT
the whole configuration and security layers, which are hard
to explain because usually the infrastructure and the network segments
you want to isolate in both directions have been growing over years
and were not there at once
and this is why REMOVING iptables.service would cause A LOT of work
and auditing, while you risk security troubles while you are
working on this, for a more or less non-existing benefit
this is why it would NOT be a good idea to remove "iptables.service"
some of these setups are hundreds of kilometers away
the "iptables.sh" there is the ROUTER
you can not test this remotely, because if you make a small mistake
you have lost the game and the remote network is down, and having
lights-out management everywhere is a nice wish, but in reality
you do NOT want LOM exposed to the internet, so it is BEHIND these
iptables setups you are playing around with
REALLY: there is nothing more I can say about this topic
it is not my decision if people drop iptables.service and make a
big waste of resources and security while doing this all over
the world - but people should keep in mind what damage they are
doing if acting this way