Firewall

Genes MailLists lists at sapience.com
Tue Dec 7 03:50:48 UTC 2010


On 12/06/2010 06:40 PM, seth vidal wrote:
> On Mon, 2010-12-06 at 16:10 -0700, Orion Poplawski wrote:
> 
>> But once we're talking about OVERWHELMINGLY LARGE NUMBER OF SERVER INSTALLS, 
>> aren't we also talking about kickstart and other automated management tools 
>> with which configuring things away from their default values is a standard and 
>> fairly straightforward thing to do?
> 
> 
> I am mostly concerned with surprising folks who have expected it to be
> on.
> 
> But you know -what - you have a fair point.
> 
> if we make this change, as long as we make it a feature and publicize
> the heck out of it, I'm fine w/that.

  * My firewalls have a lot of rules - huge number really - they are
hand crafted and scripted directly into iptables-restore format so they
load extremely fast.

  * We are perfectly happy doing this and it is tested and robust.

  * On my laptop I could be convinced to use a more 'dynamic' tool ..
provided it did not reduce security (by some appropriate measure).

  * As long as it continues to be easy to continue to use standard
static iptables I'd be fine with the additions. Static should be the
default on any 'server' like install as sv suggested -

  * This reminds me to ask .. is ipset available on f14 yet? That is
something that could be very useful for us .... it is not in f13 and
would be a lovely addition to f14 .. :-)

  * Will fedora bring AppArmor (and GUI tools perhaps) as an SELinux
partner for f15 now that it's accepted in the upstream kernel too ?


 gene/
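A small static ruleset in the iptables-restore format Gene describes, written here as an added example (it is not code from the thread; the port list, the log prefix and the conntrack-based rules are constructed for illustration):

```shell
#!/bin/sh
# Added example: emit a static ruleset in iptables-restore format.
# The whole table is loaded in one atomic COMMIT, which is why this
# style is fast and never leaves the host with a half-applied policy.

# gen_ruleset <tcp port>...
# Prints a complete *filter table: default DROP on INPUT/FORWARD,
# loopback and established traffic allowed, one ACCEPT per port,
# and a logged drop for everything else (constructed policy).
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in "$@"; do
        printf '%s%s%s\n' '-A INPUT -p tcp --dport ' "$p" ' -m conntrack --ctstate NEW -j ACCEPT'
    done
    printf '%s\n' '-A INPUT -j LOG --log-prefix "fw-drop: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# count_port_rules <ruleset text>: number of per-port ACCEPT rules emitted
count_port_rules() {
    printf '%s\n' "$1" | grep -c -- '--dport'
}

# check_ruleset <ruleset text>: structural sanity check that can run
# without root: the table must open with *filter and close with COMMIT.
check_ruleset() {
    printf '%s\n' "$1" | head -n 1 | grep -q '^\*filter$' || return 1
    printf '%s\n' "$1" | tail -n 1 | grep -q '^COMMIT$' || return 1
    return 0
}

# Typical use: gen_ruleset 22 80 443 > /etc/sysconfig/iptables
```

Before applying a generated file for real, `iptables-restore --test < file` parses it without touching the running tables, which is the check worth scripting into the same pipeline.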