Services automatically change firewall rules to open access to themselves.

Arthur Pemberton pemboa at gmail.com
Mon Aug 20 17:33:12 UTC 2007


On 8/20/07, Jon Ciesla <limb at jcomserv.net> wrote:
>
> > Am Montag, den 20.08.2007, 12:54 -0400 schrieb Simo Sorce:
> >> On Mon, 2007-08-20 at 12:40 -0400, Jeremy Katz wrote:
> >> > On Mon, 2007-08-20 at 16:20 +0000, "Jóhann B. Guðmundsson" wrote:
> >> > > Any thoughts on implementing automatic port opening for services
> >> > > that need to open port access in the firewall,
> >> > > as in when a service is started that needs port opening it would
> >> > > automatically read some firewall.conf
> >> > > file for that and open the port automatically according to those
> >> > > settings in the firewall.conf file
> >> > > ( add the iptables rules automatically when the service is started and
> >> > > remove those rules when the service is stopped )
> >> > >
> >> > > Doing chkconfig service or service service start/stop and it would also
> >> > > open the port for that service in the firewall
> >> >
> >> > I think it's a great idea and would go a long way towards making things
> >> > more usable.  One of the questions is do you do the firewall change on
> >> > service start/stop or at chkconfig time.  And I'm a little bit torn on
> >> > that one.  chkconfig time makes it "simpler" as far as not requiring
> >> > initscript changes.  start/stop seems like it's probably more "correct",
> >> > but would then require initscripts to call a new function on start/stop
> >>
> >> Why should it be "more correct" to do it at start/stop ?
> >> It seems more correct to do it at chkconfig, so that even if you stop the
> >> service, iptables -Lv will show you what the "normal" firewall
> >> situation is.
> >>
> >> Letting services poke holes in the firewall is not something admins will
> >> really love. If I set a rule to block traffic for a certain service I
> >> _really_ mean it, and I don't want to have to change the init scripts or
> >> have to reapply the rule each time I start/stop a service.
> >
> > No, in fact I would hate it with a vengeance.
> >
> > If I have an apache server listening for traffic, that doesn't mean I
> > want people outside my network connecting to it; nor do I want people
> > connecting to my ssh server.
> >
> > Why not just disable the firewall altogether? That would have the effect
> > you are looking for: all services that are running can accept connections.
> >
>
> I run custom firewall rules.  If you can get this idea to play nicely with
> my custom script, and with Shorewall setups, and with s-c-securitylevel,
> go for it.  But I'm highly sceptical.  If installing squid blows up my
> custom firewall settings, I'm getting out my pitchfork. :)
>

Hence why I suggest doing this through s-c-securitylevel, so that the
functionality can be centrally disabled.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
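The following is an added example, not code from the thread or from Fedora's initscripts, sketching the mechanism the thread debates in a shape that meets the two objections raised in it. Everything named here is assumed for illustration: a per-service firewall.conf whose lines read "proto port [source]"; a single system-wide AUTO_OPEN switch (the kind of setting s-c-securitylevel could toggle); and a SERVICES chain that the admin's own ruleset may or may not jump to. Per-service rules go into their own chain, never into INPUT directly, so an admin whose firewall never references SERVICES keeps exactly the rules they wrote, and stop can tear the rules down as a unit.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora's initscripts).
# Hypothetical pieces:
#   - firewall.conf lines of the form "proto port [source]"
#   - AUTO_OPEN: the single central switch ("yes" or "no"), imagined as living
#     in /etc/sysconfig/service-firewall and being set by s-c-securitylevel
#   - SERVICES: a chain the admin's ruleset may (or may not) jump to; nothing
#     here touches INPUT, so an unreferenced SERVICES chain opens nothing

# Constructed sample firewall.conf for a hypothetical "squid" service.
FIREWALL_CONF_CONTENT='# squid firewall.conf (constructed sample)
tcp 3128
udp 3130 192.168.1.0/24
'

# svc_firewall_cmds SERVICE start|stop CONF_TEXT AUTO_OPEN
# Prints, one per line, the iptables commands an initscript would run
# (pipe to sh as root to apply; printing keeps the function dry-runnable).
# Rules for SERVICE live in their own chain "svc-SERVICE" so that stop can
# flush them as a unit instead of guessing at rule positions in INPUT.
svc_firewall_cmds() {
  svc=$1 action=$2 conf=$3 auto_open=$4
  chain="svc-$svc"

  # Central kill switch: when disabled, emit nothing and change nothing.
  [ "$auto_open" = "yes" ] || return 0

  case "$action" in
    start)
      echo "iptables -N $chain"
      # Populate the chain first, hook it up last, so a half-built chain is
      # never reachable from SERVICES.
      printf '%s\n' "$conf" | while read -r proto port src; do
        case "$proto" in ''|'#'*) continue ;; esac   # blank line or comment
        case "$proto" in tcp|udp) ;;
          *) echo "$svc: skipping rule with bad protocol '$proto'" >&2; continue ;;
        esac
        case "$port" in ''|*[!0-9]*)
          echo "$svc: skipping rule with bad port '$port'" >&2; continue ;;
        esac
        if [ -n "$src" ]; then
          echo "iptables -A $chain -p $proto -s $src --dport $port -j ACCEPT"
        else
          echo "iptables -A $chain -p $proto --dport $port -j ACCEPT"
        fi
      done
      echo "iptables -A SERVICES -j $chain"
      ;;
    stop)
      echo "iptables -D SERVICES -j $chain"
      echo "iptables -F $chain"
      echo "iptables -X $chain"
      ;;
    *)
      echo "usage: svc_firewall_cmds SERVICE start|stop CONF_TEXT AUTO_OPEN" >&2
      return 1
      ;;
  esac
}

# Stand-alone demonstration: what "service squid start" would run with the
# central switch on, followed by the no-op with it off.
svc_firewall_cmds squid start "$FIREWALL_CONF_CONTENT" yes
svc_firewall_cmds squid start "$FIREWALL_CONF_CONTENT" no
```

With the switch off the function emits nothing at all, which is the "centrally disabled" behaviour the reply asks for; with it on, the only point of contact with the admin's own rules is the SERVICES chain, so a custom script or Shorewall setup that never jumps to SERVICES is left exactly as it was.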
