On Wed, 2014-02-26 at 10:03 +0200, Jonathan Dieter wrote:
> On Tue, 2014-02-25 at 16:47 -0500, Simo Sorce wrote:
> > On Tue, 2014-02-25 at 15:42 -0500, Stephen Gallagher wrote:
> > > I would extend this statement to include that the deployment of Server
> > > Roles should also adjust the firewall operation in a manner consistent
> > > with user expectation.
> >
> > Are we going to use something like firewalld or something else ?
>
> Just want to ask this question again, with an additional one. What does
> firewalld give us that iptables doesn't in a server environment? Should
> we default to iptables instead? Are there other alternatives we should
> consider?

To be honest my question is more about: what is the point of doing
this ?

Do we have applications that we do not trust and open unwanted ports ?
If we do not trust them why do we install them ?
If we trust them why do we firewall them ?

Considering that the default policy on Fedora is to not start daemons
automatically I am trying to understand why having a firewall configured
by default is a good idea.

Note that I am not saying it is not, but it seems one of those Security
Dogmas that has gone on w/o much formalizing the actual reasons why it
makes sense to have a local firewall installed.

Keep in mind that I make an absolute distinction between local firewall
and perimeter firewall, the latter is about not trusting all machines in
a network to be configured correctly or according to an organization
policy which is a completely different use case from a local firewall.

Simo.
--
Simo Sorce * Red Hat, Inc * New York