Firewall

Richard W.M. Jones rjones at redhat.com
Tue Dec 7 21:30:23 UTC 2010


On Tue, Dec 07, 2010 at 08:16:11PM +0100, Matej Cepl wrote:
> On 7.12.2010 19:57, Stephen John Smoogen wrote:
> > Or something like that. I do remember a lot of over-engineering and
> > then a very simple it does this from Alan. And I remember a lot of
> > issues we were having with customers going away after having them run
> > it.
> 
> There is something weird about firewalls ... whenever anybody starts to
> write about them, the result is super-over-complicated unreadable junk.
> After fighting with firewalls for years, and while I thought that they
> are something scary, I was enlightened in RHCE training, and since then
> I have this script (http://mcepl.fedorapeople.org/tmp/iptables-script
> ... the current revision) and it works for me well. Sure, the ability to
> write trivial bash scripts is required, but I don't think it is anything over
> the ability of most people using RHEL. Weird. And yes, this is very much a
> workstation-style laptop, and this serves me well whenever I come with it.

I'm sure that script works fine for you, but ...

The issue we face with libvirt is it needs to be able to add extra
rules to the existing firewall, and have those rules added in the
right place, and preserved across firewall restarts, reboots and so
on.  There are other services which need to add rules too (see cups
mentioned previously in this thread).

Unfortunately a shell script, or lokkit, has not been able to handle
this gracefully.  The question is what should replace it (I am
favouring /etc/iptables.d/ but as you can see other people disagree
with me).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
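The /etc/iptables.d/ drop-in directory Rich favours above could be assembled roughly like this. This is an added illustration, not code from the thread, from libvirt, or from lokkit; the fragment naming (NN-name.rules), the filter-table-only layout and the default chain policies are assumptions made for the example, and only the filter table is handled. The point it shows is that each service (libvirt, cups) owns one numbered file, the numeric prefix fixes where its rules land relative to the base policy, and every reload regenerates the whole ruleset from the directory, so a reboot or a firewall restart reproduces exactly the same state instead of losing rules that were added at runtime.

```shell
#!/bin/sh
# Added example (not from the thread, libvirt, or lokkit): assemble an
# /etc/iptables.d/ drop-in directory into one iptables-restore ruleset.
#
# Assumed layout:
#   DIR/NN-name.rules   one fragment per service, filter table only,
#                       one "-A CHAIN ..." (or -I / -N) line per rule,
#                       '#' comments and blank lines allowed, no table header.
# Shell globbing sorts the fragment names, so the numeric prefix decides
# the order in which rules are appended.

# validate_fragments DIR: reject any fragment containing a line that is not
# a comment, a blank line, or an -A/-I/-N rule. Returns 1 if anything is
# rejected, so a malformed file from one service stops the whole reload
# before iptables-restore ever sees it.
validate_fragments() {
    dir="$1"
    status=0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        bad=$(grep -n -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
                         -e '^[[:space:]]*-[AIN] ' "$f" || true)
        if [ -n "$bad" ]; then
            printf 'rejecting %s:\n%s\n' "$f" "$bad" >&2
            status=1
        fi
    done
    return $status
}

# assemble_rules DIR: print a complete *filter table for iptables-restore.
# Default policies are part of the assumed base layout, not of any fragment,
# so no service can silently change them by dropping in a file.
assemble_rules() {
    dir="$1"
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'
    printf ':FORWARD DROP [0:0]\n'
    printf ':OUTPUT ACCEPT [0:0]\n'
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        # strip comments and blank lines; everything else is a rule line
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true
    done
    printf 'COMMIT\n'
}

# Stand-alone use (assumed invocation):
#   sh iptables-d.sh /etc/iptables.d | iptables-restore --test
# validates the fragments first and only then emits the ruleset.
if [ $# -gt 0 ]; then
    validate_fragments "$1" && assemble_rules "$1"
fi
```

Because iptables-restore loads a table atomically and aborts on a syntax error, piping the assembled output through it (with `--test` first to check without applying) means the host is never left with a half-loaded ruleset, and since the directory is the single source of truth, a rule libvirt adds at install time is exactly the rule that comes back after a reboot.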