On 06.03.2014 22:43, Stephen Gallagher wrote:
> On 03/06/2014 04:28 PM, Reindl Harald wrote:
i draw the line *strict*
>
>> On 06.03.2014 22:13, Miloslav Trmač wrote:
>>> 2014-03-06 22:03 GMT+01:00 Simo Sorce <simo@redhat.com>:
>>> Sorry I do not understand what you are saying here.
>>>
>>> $ fedora-role-deploy postgresql
>>> # Huh, it is refusing connections?
>>> # Ah, firewall...
>>> $ fedora-role-deploy --open-firewall-ports postgresql
>>> # That's how it is done in Fedora, then. Good to know.
>
>> right direction
>
>>> # Time passes...
>>>
>>> $ fedora-role-deploy freeipa # Huh, this is already accessible?
>
>> that must not happen
>
>> * not from usability point of view
>> * not from security point of view - *no* open ports *never ever* as default
>
> The debate here is where you draw the line as to "what is default".
> Deploying a role is *NOT* the same as just installing a package. For
> package installs, I absolutely agree that we should never be poking
> holes in the firewall.

if i deploy whatever role, nobody other than me is responsible for opening
firewall ports, because nobody other than me can know if it is sane
to do so or what i have planned after the deployment before
going into production