Services automatically change firewall rules to open access to themselves.

Jon Ciesla limb at jcomserv.net
Mon Aug 20 17:07:43 UTC 2007


> On Monday, 20.08.2007, 12:54 -0400, Simo Sorce wrote:
>> On Mon, 2007-08-20 at 12:40 -0400, Jeremy Katz wrote:
>> > On Mon, 2007-08-20 at 16:20 +0000, "Jóhann B. Guðmundsson" wrote:
>> > > Any thoughts on implementing automatic port opening for services
>> > > that need to open port access in the firewall,
>> > > as in when a service is started that needs a port opened it would
>> > > automatically read some firewall.conf
>> > > file for that and open the port automatically according to those
>> > > settings in the firewall.conf file
>> > > (add the iptables rules automatically when the service is started and
>> > > remove those rules when the service is stopped)?
>> > >
>> > > Doing chkconfig service or service service start/stop would also
>> > > open the port for that service in the firewall.
>> >
>> > I think it's a great idea and would go a long way towards making things
>> > more usable.  One of the questions is do you do the firewall change on
>> > service start/stop or at chkconfig time.  And I'm a little bit torn on
>> > that one.  chkconfig time makes it "simpler" as far as not requiring
>> > initscript changes.  start/stop seems like it's probably more "correct",
>> > but would then require initscripts to call a new function on start/stop
>>
>> Why should it be "more correct" to do it at start/stop?
>> It seems more correct to do it at chkconfig, so that even if you stop the
>> service, iptables -Lv will show you what the "normal" firewall
>> situation is.
>>
>> Letting services poke holes in the firewall is not something admins will
>> really love. If I set a rule to block traffic for a certain service I
>> _really_ mean it, and I don't want to have to change the init scripts or
>> have to reapply the rule each time I start/stop a service.
>
> No, in fact I would hate it with a vengeance.
>
> If I have an apache server listening for traffic, that doesn't mean I
> want people outside my network connecting to it; nor do I want people
> connecting to my ssh server.
>
> Why not just disable the firewall altogether? That would have the effect
> you are looking for: all services that are running can accept connections.
>

I run custom firewall rules.  If you can get this idea to play nicely with
my custom script, and with Shorewall setups, and with s-c-securitylevel,
go for it.  But I'm highly sceptical.  If installing squid blows up my
custom firewall settings, I'm getting out my pitchfork. :)

>>
>> Simo.
>>
>>
>
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>


-- 
novus ordo absurdum
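To make the proposal quoted above concrete, here is an added example of what a per-service firewall.conf hook for an initscript could look like. This is illustration code written for this page, not code from the thread, from Fedora or from any of the posters. The config file format, the SERVICE-PORTS chain name, the function names and the example path under /etc/sysconfig are all assumptions; the thread does not specify any of them.

```shell
#!/bin/sh
# Added example, not code from the thread, from Fedora or from any poster:
# one way to do the "per-service firewall.conf" idea under discussion.
# A service ships a file listing the ports it needs; its initscript runs
# `fw_apply open CONF` in start() and `fw_apply close CONF` in stop().
# The file format, chain name and function names are assumptions.
#
# Config format, one entry per line; '#' comments and blank lines allowed:
#   tcp 80
#   tcp 443
#   udp 514

# Service rules live in their own chain so `iptables -L INPUT` still shows the
# admin's own rules untouched and `close` only removes what `open` added.
FW_CHAIN="${FW_CHAIN:-SERVICE-PORTS}"

# Print validated "proto port" pairs from CONF. Fail on anything odd rather
# than silently opening a port nobody asked for.
fw_parse() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    # The `|| [ -n "$proto" ]` keeps a last line without a trailing newline.
    while read -r proto port rest || [ -n "$proto" ]; do
        case "$proto" in ''|'#'*) continue ;; esac
        case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        echo "$proto $port"
    done < "$conf"
}

# Emit the iptables commands for ACTION (open|close) on CONF, one per line,
# without running them, so the result can be inspected (and tested) before
# anything touches the live ruleset.
fw_rules() {
    action="$1"; conf="$2"
    entries=$(fw_parse "$conf") || return 1
    [ -n "$entries" ] || { echo "no ports listed in $conf" >&2; return 1; }
    case "$action" in
        open)
            echo "iptables -N $FW_CHAIN"
            echo "iptables -I INPUT -j $FW_CHAIN"
            echo "$entries" | while read -r proto port; do
                echo "iptables -A $FW_CHAIN -p $proto --dport $port -j ACCEPT"
            done ;;
        close)
            echo "$entries" | while read -r proto port; do
                echo "iptables -D $FW_CHAIN -p $proto --dport $port -j ACCEPT"
            done ;;
        *) echo "usage: fw_rules open|close CONF" >&2; return 1 ;;
    esac
}

# Run the generated commands. Creating the chain twice is harmless, the jump
# from INPUT is added only if it is not already there (iptables -C), and any
# failing per-port rule aborts with a non-zero status.
fw_apply() {
    fw_rules "$@" | while read -r cmd; do
        case "$cmd" in
            "iptables -N "*) $cmd 2>/dev/null || true ;;
            "iptables -I INPUT -j "*) iptables -C INPUT -j "$FW_CHAIN" 2>/dev/null || $cmd || exit 1 ;;
            *) $cmd || exit 1 ;;
        esac
    done
}
```

An initscript would call something like `fw_apply open /etc/sysconfig/firewall.d/httpd.conf` from start() and `fw_apply close` with the same file from stop() (the path is only an example). Two caveats a practitioner would want: `iptables -C` is newer than the iptables of this thread's time, so on such a system the duplicate-jump check would need a different test; and the jump is inserted at the top of INPUT, so the service's ACCEPT rules take precedence over whatever the administrator has placed in INPUT, which is exactly the behaviour the replies above object to. Keeping the rules in a dedicated chain at least makes them visible in `iptables -L` and easy to remove as a unit, but it does not resolve the collision with a custom script or Shorewall setup that the reply describes.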