On Monday, 20.08.2007, 12:54 -0400, Simo Sorce wrote:
On Mon, 2007-08-20 at 12:40 -0400, Jeremy Katz wrote:
On Mon, 2007-08-20 at 16:20 +0000, "Jóhann B. Guðmundsson" wrote:
Any thoughts on implementing automatic port opening for services that need port access in the firewall? As in, when a service that needs a port opened is started, it would automatically read some firewall.conf file for that and open the port according to the settings in the firewall.conf file (add the iptables rules automatically when the service is started and remove those rules when the service is stopped).
Doing chkconfig service or service service start/stop would then also open the port for that service in the firewall.
I think it's a great idea and would go a long way towards making things more usable. One of the questions is whether you do the firewall change on service start/stop or at chkconfig time. And I'm a little bit torn on that one. chkconfig time makes it "simpler" as far as not requiring initscript changes. start/stop seems like it's probably more "correct", but would then require initscripts to call a new function on start/stop.
Why should it be "more correct" to do it at start/stop? It seems more correct to do it at chkconfig, so that even if you stop the service, iptables -Lv will show you what the "normal" firewall situation is.
Letting services poke holes in the firewall is not something admins will really love. If I set a rule to block traffic for a certain service I _really_ mean it, and I don't want to have to change the init scripts or have to reapply the rule each time I start/stop a service.
No, in fact I would hate it with a vengeance.
If I have an apache server listening for traffic, that doesn't mean I want people outside my network connecting to it; nor do I want people connecting to my ssh server.
Why not just disable the firewall altogether? That would have the effect you are looking for: all services that are running can accept connections.
I run custom firewall rules. If you can get this idea to play nicely with my custom script, and with Shorewall setups, and with s-c-securitylevel, go for it. But I'm highly sceptical. If installing squid blows up my custom firewall settings, I'm getting out my pitchfork. :)
Simo.
-- fedora-devel-list mailing list fedora-devel-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-devel-list