Setting the default firewall configuration (was Re: Attention, dependency fighters)

Reindl Harald h.reindl at thelounge.net
Thu Nov 15 18:08:57 UTC 2012



On 15.11.2012 19:02, Miloslav Trmač wrote:
> On Thu, Nov 15, 2012 at 6:16 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> On 15.11.2012 18:06, Adam Williamson wrote:
>>> Right. I hate to say it, but Harald is correct here: AFAIK, all those
>>> and other firewall configuration mechanisms were ultimately just
>>> UI/abstraction layers wrapped around iptables. They wrote iptables
>>> rules. firewalld is very different.
> 
> (Side-reply to Adam:) I can't see the difference; /sbin/iptables still
> works if you have firewalld running.
> 
>> I am one of the second group and have been doing DISTRIBUTED iptables configurations
>> for whole infrastructures for many years, using here any capability
>> of iptables, which can hardly be covered with abstraction layers
> 
> It would be very helpful for judging the maturity/suitability of
> firewalld if you could try converting your iptables script to
> firewall-cmd --direct (which, at least I hope, should be possible to
> do with a few sed commands), and report back whether the pass-through
> capability is good enough.

you CAN NOT easily convert iptables.sh scripts containing
hundreds of commands in a specific order which are well tested
over years and are your replacement for any hardware firewall/router

these things are not written at once
these things are grown, optimized and maintained over years
these things are tested in zones where security is hardly needed

it is a bad idea to touch them and re-test it all in production
as it is IMPOSSIBLE to build an infrastructure with tons of servers
and clients with very specific block/reject/allow in a test
environment without wasting hundreds of hours of your work

and the main problem: these things have been working fine since forever
you will have no benefit from converting them to something else

it is one thing to develop new tools and abstraction layers
a whole different story is to throw away perfect workloads for nothing

in the time we discuss this here someone could maintain iptables.service
for the next 20 years at all!
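An added illustration of the `sed`-style conversion proposed earlier in the thread (this is not code from the thread or from the firewalld project): a small POSIX shell translator that turns plain `iptables -A` / `-t TABLE -A` / `-N` lines into `firewall-cmd --direct --add-rule` and `--add-chain` commands. It assumes the documented `--direct` syntax (`--add-rule {ipv4|ipv6|eb} TABLE CHAIN PRIORITY ARGS`) and the documented rule that rules sharing a priority have no guaranteed relative order, which is why it assigns a strictly increasing priority to keep the script's first-match order. Everything that has no one-line equivalent (`-I` at a position, `-P` policies, `-F`, `-X`, `-D`, `-R`) is echoed back as a comment for manual review rather than silently dropped; the sample ruleset at the bottom is constructed for the demonstration, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the thread: translate simple iptables script lines
# into `firewall-cmd --direct` commands. Rule-spec flags are passed through
# untouched; only the -t/-A/-N framing is rewritten.

iptables_to_direct() {
    # Reads iptables/ip6tables commands on stdin and prints one firewall-cmd
    # command per rule on stdout. Lines it cannot translate safely are
    # printed as comments so nothing disappears from the ruleset unnoticed.
    prio=0
    set -f   # no globbing while word-splitting rule specs such as "--dport 22"
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        set -- $line
        case "$1" in
            iptables)  family=ipv4 ;;
            ip6tables) family=ipv6 ;;
            *) printf '# MANUAL REVIEW (not an iptables call): %s\n' "$line"; continue ;;
        esac
        shift
        table=filter
        if [ "$1" = "-t" ]; then table=$2; shift 2; fi
        case "$1" in
            -A)
                chain=$2; shift 2
                # --direct orders rules by priority and gives rules that share a
                # priority no fixed order, so a strictly increasing priority is
                # what preserves the script's first-match semantics.
                printf 'firewall-cmd --direct --add-rule %s %s %s %s %s\n' \
                    "$family" "$table" "$chain" "$prio" "$*"
                prio=$((prio + 1))
                ;;
            -N)
                printf 'firewall-cmd --direct --add-chain %s %s %s\n' \
                    "$family" "$table" "$2"
                ;;
            -I|-D|-R|-P|-F|-X)
                # insert-at-position, delete/replace, chain policy, flush and
                # chain removal have no single --direct equivalent: hand these
                # to a human instead of guessing.
                printf '# MANUAL REVIEW (%s needs hand conversion): %s\n' "$1" "$line"
                ;;
            *)
                printf '# MANUAL REVIEW (unrecognised): %s\n' "$line"
                ;;
        esac
    done
    set +f
}

# Constructed sample input for the demonstration (not any real host's rules).
sample_rules='
iptables -N LOGDROP
iptables -A LOGDROP -j LOG --log-prefix fw-drop:
iptables -A LOGDROP -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -I INPUT 1 -s 192.0.2.10 -j LOGDROP
iptables -P INPUT DROP
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
'
printf '%s\n' "$sample_rules" | iptables_to_direct
```

Run it against a real `iptables.sh` with `sh translate.sh < iptables.sh` and count the `MANUAL REVIEW` lines: that count, plus the fact that the emitted commands only become correct once every priority and custom chain has been checked, is a fair measure of how far "a few sed commands" actually gets you on a ruleset that relies on ordering.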

