Setting the default firewall configuration (was Re: Attention, dependency fighters)

Reindl Harald h.reindl at thelounge.net
Thu Nov 15 19:06:30 UTC 2012



On 15.11.2012 19:58, Adam Williamson wrote:
> I don't think anyone asked you to do any of those things. Fedora
> obviously does not have the power to replace iptables with firewalld on
> your router, so the question is not 'can you replace iptables with
> firewalld on everything in your network and see if it works'. The
> question is more 'can you see if firewalld does a good job of imitating
> iptables on a single Fedora machine on your network, or a small amount
> of them'. The whole point is it should be able to imitate an
> iptables-type setup fairly transparently, so it should 'play nice' with
> the rest of your setup. Can't you just test that?

and that is why I posted earlier today a masked copy of the script

ONE script distributed from an admin-server is deployed to ANY
machine and executed with "ssh root@machine /scripts/iptables.sh"

this thing was written, optimized and maintained for many years;
it contains rules to block specific outgoing AND incoming
connections in a more or less dynamic infrastructure

there is no "this is the iptables of machine X"

I am not only responsible for ONE network, there are finally
MANY networks, they are more or less based on this one script

the reason is simply that if you have, can and do maintain
larger environments more or less as a one-man-show you need to
find workloads and solutions to survive this, which has been achieved
for years - starting this from scratch means wasting weeks of
lifetime

don't get me wrong: forcing this would be no improvement

finally: I am pretty sure that my environments are even SMALL
compared with many others out there; iptables-service is a one-shot
thing at startup, low-level this all is netfilter of the kernel

so I refuse to see any sense in removing the iptables command
and "iptables.service" to replace it for the sake of replacement

if your argumentation went in this direction I would say
"so why do we not remove XFCE, GNOME whatever because KDE exists"
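The pattern described in this mail (one firewall script pushed from an admin host and run unchanged on every machine, blocking both incoming and outgoing traffic by default), as an added example that is not the poster's script. Hostnames, the management network and the role prefixes are constructed placeholders; rule generation is kept separate from application so the output can be reviewed or diffed without root.

```bash
#!/bin/sh
# Added example, not the script from the original mail. Intended use:
#   ssh root@machine /scripts/iptables.sh          (dry run: prints rules)
#   ssh root@machine APPLY=1 /scripts/iptables.sh  (applies them)
# Role differences are derived from the hostname inside the script, so there
# is no per-machine copy to maintain. Networks/ports below are constructed.
set -eu

ADMIN_NET="192.0.2.0/24"   # assumed management network (documentation range)

# Emit the rule set for one host as iptables commands, one per line.
build_rules() {
    host="$1"
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
EOF
    # Role-specific exceptions: only web hosts accept HTTP(S); only the mail
    # relay may open outgoing SMTP, so a compromised web host cannot spam.
    case "$host" in
        web*)  echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT" ;;
        mail*) echo "iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT" ;;
    esac
    # Rate-limited logging of what the DROP policies reject, for detection.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop-in: '"
    echo "iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix 'fw-drop-out: '"
}

# Apply only when APPLY=1 and running as root; otherwise print the rules
# (for an optional hostname argument) so they can be reviewed first.
apply_rules() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        build_rules "$(hostname -s)" | sh -e
    else
        build_rules "${1:-$(hostname -s)}"
    fi
}

apply_rules "$@"
```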

