On 06.03.2014 23:06, Stephen John Smoogen wrote:
On 6 March 2014 14:54, Reindl Harald <h.reindl(a)thelounge.net> wrote:
On 06.03.2014 22:43, Stephen Gallagher wrote:
> On 03/06/2014 04:28 PM, Reindl Harald wrote:
>
>> On 06.03.2014 22:13, Miloslav Trmač wrote:
>>> 2014-03-06 22:03 GMT+01:00 Simo Sorce <simo(a)redhat.com>:
>>> Sorry, I do not understand what you are saying here.
>>>
>>> $ fedora-role-deploy postgresql
>>> # Huh, it is refusing connections?
>>> # Ah, firewall...
>>> $ fedora-role-deploy --open-firewall-ports postgresql
>>> # That's how it is done in Fedora, then. Good to know.
>
>> right direction
>
>>> # Time passes...
>>>
>>> $ fedora-role-deploy freeipa # Huh, this is already accessible?
>
>> that must not happen
>
>> * not from a usability point of view
>> * not from a security point of view - *no* open ports, *never ever*, as default
>
> The debate here is where you draw the line as to "what is default".
> Deploying a role is *NOT* the same as just installing a package. For
> package installs, I absolutely agree that we should never be poking
> holes in the firewall.
I draw the line *strictly*: if I deploy whatever role, nobody but me is
responsible for opening firewall ports, because nobody but me can know
whether it is sane to do so, or what I have planned after the deployment
before going into production.
Then in this case, you wouldn't want to use Roles in any form, as they
aren't going to help you any.
Even so, I would be the target, as a third party, of machines of people
using roles who are not aware that they need to plug the network cable
before the first boot and secure the setup before connecting it to
the network.
Anybody now saying "that is not Windows, you can connect a Linux
to the internet without getting infected" is lofty and may regret
that attitude sooner or later.
You aren't the target audience for them. Trying to make you the target
audience would only work in your environment and no one else's.
What are you talking about?
Honestly, I find it only bizarre that in the year 2014 *anybody* considers
opening any port without *explicit confirmation* from the sysadmin installing
the system, or even installing an OS without a packet filter.
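The "closed by default, explicit opt-in" deployment flow sketched in the quoted `fedora-role-deploy` session, as an added example that is not part of the thread and not the real Fedora role tooling. The role names, the port lists and the `--open-firewall-ports` flag are assumptions for illustration; the only real command it emits is `firewall-cmd`. The point it demonstrates: a deploy never touches the firewall unless the admin passes the flag, and even then it can only open ports the role itself declares, so the flag cannot be abused to open arbitrary ports.

```shell
#!/bin/sh
# Constructed role metadata for this example: role name -> ports it listens on.
# Not the real fedora-role-deploy definitions; the FreeIPA list is illustrative.
role_ports() {
    case "$1" in
        postgresql) echo "5432/tcp" ;;
        freeipa)    echo "80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 88/udp" ;;
        *)          return 1 ;;
    esac
}

# Emit the firewall-cmd invocations a deployment would run, one per line.
# Default behaviour: open nothing, only report what the role would need.
# With the explicit --open-firewall-ports flag: open exactly the declared ports.
plan_firewall_changes() {
    role="$1"
    open_flag="${2:-}"
    ports=$(role_ports "$role") || { echo "unknown role: $role" >&2; return 2; }
    if [ "$open_flag" != "--open-firewall-ports" ]; then
        echo "# role $role declares ports: $ports (left closed; rerun with --open-firewall-ports)"
        return 0
    fi
    for p in $ports; do
        echo "firewall-cmd --permanent --add-port=$p"
    done
    echo "firewall-cmd --reload"
}

# Hypothetical deploy wrapper: run the plan, or only print it when DRY_RUN=1.
# Comment lines from the plan are shown to the admin, never executed.
fedora_role_deploy() {
    plan=$(plan_firewall_changes "$@") || return $?
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$plan"
        return 0
    fi
    printf '%s\n' "$plan" | while IFS= read -r line; do
        case "$line" in
            "#"*) printf '%s\n' "$line" ;;
            *)    $line ;;
        esac
    done
}

# Example session (DRY_RUN=1 so no firewall is touched):
#   DRY_RUN=1 fedora_role_deploy postgresql
#   DRY_RUN=1 fedora_role_deploy postgresql --open-firewall-ports
```

Without the flag the admin gets a one-line report of which ports stay closed and how to open them; with the flag the ports are opened, but only those the role declares, because `plan_firewall_changes` never reads port numbers from the command line.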