Setting the default firewall configuration (was Re: Attention, dependency fighters)

Reindl Harald h.reindl at thelounge.net
Thu Nov 15 18:46:43 UTC 2012



Am 15.11.2012 19:37, schrieb Kevin Fenzi:
>>> Have you actually _tried_?  It's supposed to be as easy as
>>> s/iptables/firewall-cmd --direct --passthrough ipv4/
>>>
>>> I don't know for a fact whether it is good enough.  You seem to
>>> have a script that could tell us.
>>
>> I posted a script earlier today as a .txt file with
>> masked network details, but it did not go through list
>> moderation AFAIK until now
> 
> Everyone on this list doesn't need a copy of your (lengthy) iptables
> script, IMHO. 
> 
> Perhaps the two of you could continue this off line and test and report
> back to the list? 

your argumentation is NOT helpful

I can NOT test an iptables.sh replacement for a whole INFRASTRUCTURE
I can NOT post an unmasked version with IP addresses and hostnames
I can NOT simulate a whole network with around 100 machines

even if I could do all this, it would be VERY difficult to RE-AUDIT
the whole configuration and security layers, which are hard
to explain because usually the infrastructure and network segments
you want to isolate in both directions grow over years
and are not there at once

and this is why REMOVING iptables.service would cause A LOT of work
and auditing, while you risk security troubles while you are
working on this, for a more or less non-existent benefit

this is why it would NOT be a good idea to remove "iptables.service"

some of these setups are hundreds of kilometers away
the "iptables.sh" there IS the ROUTER
you can not test this remotely because if you make a small mistake
you have lost the game and the remote network is down, and having
lights-out management everywhere is a nice wish but in reality
you do NOT want LOM exposed to the internet, so it is BEHIND this
iptables setup you are playing around with

REALLY: there is nothing more I can say on this topic
it is not my decision if people drop iptables.service and make a
big waste of resources and security while doing this all over
the world - but people should keep in mind what damage they are
doing if acting this way




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20121115/b9facdfd/attachment.sig>
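The quoted reply suggests that converting an iptables.sh is as easy as s/iptables/firewall-cmd --direct --passthrough ipv4/, and the answer is that it cannot be tried on a remote router without risk. The script below is an added example, not code from the thread, from Fedora or from firewalld: it applies exactly that substitution as a dry run on a copy of the script, never executes firewall-cmd, and marks the lines where the plain substitution would be wrong (iptables-restore/-save, ip6tables, calls through a variable or full path) so they can be read before anything is applied. The function names, the "# REVIEW" marker and the sample script are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the thread or from firewalld. It performs the
# s/iptables/firewall-cmd --direct --passthrough ipv4/ rewrite suggested in
# the quoted reply as a DRY RUN on a copy of an iptables.sh and flags the
# lines where that plain substitution would be wrong, so the result can be
# read before anything is applied to a remote router. firewall-cmd is never
# executed here. Function names and the "# REVIEW" marker are this
# example's own conventions.

# Rewrite one line of the script. Output is either the translated line,
# the line unchanged (shell logic, comments, variables), or the line
# commented out with a "# REVIEW" note when it needs a human.
translate_line() {
    line=$1
    stripped=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
    case "$stripped" in
        ''|'#'*)
            # blank lines and comments pass through untouched
            printf '%s\n' "$line" ;;
        iptables-restore*|iptables-save*|ip6tables-restore*|ip6tables-save*)
            # plain s/iptables/.../ would produce the non-existent command
            # "firewall-cmd --direct --passthrough ipv4-restore"; flag it
            printf '# REVIEW (no passthrough form): %s\n' "$line" ;;
        'iptables '*)
            printf '%s\n' "$line" | sed 's/iptables /firewall-cmd --direct --passthrough ipv4 /' ;;
        'ip6tables '*)
            # s/iptables/.../ does not match "ip6tables" at all, so the v6
            # rules need their own substitution with the ipv6 family
            printf '%s\n' "$line" | sed 's/ip6tables /firewall-cmd --direct --passthrough ipv6 /' ;;
        *iptables*|*ip6tables*|*'$IPT'*|*'${IPT}'*)
            # full paths (/sbin/iptables) or calls through a variable: the
            # substitution may fire in the wrong place, or not at all
            printf '# REVIEW (indirect call): %s\n' "$line" ;;
        *)
            # any other shell statement (assignments, if/fi, loops) is kept
            printf '%s\n' "$line" ;;
    esac
}

# Translate a whole script from stdin to stdout.
translate_script() {
    while IFS= read -r line || [ -n "$line" ]; do
        translate_line "$line"
    done
}

# Number of lines in a translated script (on stdin) that still need a human.
review_count() {
    grep -c '^# REVIEW' || true
}

# Constructed sample iptables.sh for this example (not a real configuration).
SAMPLE='#!/bin/sh
# constructed sample router script
WAN=eth0
iptables -F
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
ip6tables -P INPUT DROP
iptables-restore < /etc/sysconfig/iptables.extra
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT'

# Show the dry-run translation; nothing is applied.
printf '%s\n' "$SAMPLE" | translate_script
```

The output is something to read, not to run: a line without a "# REVIEW" marker is only a candidate, and firewall-cmd --direct --passthrough rules are runtime rules that do not survive a firewalld reload unless the command is also given --permanent, which is one more thing the one-line sed does not express.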