firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Simo Sorce simo at redhat.com
Mon Mar 3 22:13:55 UTC 2014


On Mon, 2014-03-03 at 19:08 +0100, Miloslav Trmač wrote:
> 1) The computer is assumed to be competently administered[1] on a
> homogeneous network.  This implies that any service running with an
> open port is intended to run and have that port open, so there is no
> point with restricting it with a firewall.  There is obviously no
> point in restricting closed ports with a firewall.  With this
> assumption, firewall should be either completely absent or permitting
> almost all traffic (or perhaps enforcing some kind of minimal policy,
> filtering out clearly bogus packets) by default.
> 
I think that you badly characterize this case (and perhaps 2 too).

What I think you fail to address is the case where the administrator is
competent but the *users* of the system may not be.

In this case services configured and run by the administrator should
poke holes, but in general other ports should be firewalled because
users may inadvertently run services that open ports w/o realizing it.

This is the case where a firewall makes sense as a default installation
even though roles are allowed to automatically poke holes at
configuration time.

Simo.
-- 
Simo Sorce * Red Hat, Inc * New York
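As an added illustration of the layout Simo argues for (default-deny inbound, with holes opened only for services the administrator configured), here is a small POSIX shell example. It is added here and is not code from the thread, from firewalld or from any Fedora component; it emits a plain iptables-restore ruleset rather than calling firewall-cmd so that it runs without root and without a firewalld daemon. The function names gen_ruleset and port_open, and the port numbers used (22 and 443 as administrator-declared services, 8000 as a port a user might open inadvertently), are this example's own assumptions.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset: INPUT policy DROP, loopback and
# established traffic allowed, plus one ACCEPT per administrator-declared
# TCP port. Anything a user opens without declaring it stays blocked.
# Example code, not part of the original thread or any project.
#
# Usage: gen_ruleset 22 443   (ports opened by admin-configured roles)
gen_ruleset() {
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]'      # default: drop unsolicited inbound
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
  for p in "$@"; do
    # Reject anything that is not a TCP port number in 1..65535.
    case "$p" in
      ''|*[!0-9]*) echo "gen_ruleset: invalid port '$p'" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "gen_ruleset: port out of range '$p'" >&2; return 1
    fi
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# port_open RULESET PORT: succeeds if the generated ruleset admits new
# TCP connections to PORT, i.e. the administrator declared it.
port_open() {
  printf '%s\n' "$1" | grep -q -- "--dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# Stand-alone demo: print the ruleset and show that an undeclared port
# (8000, as a user-started test server might use) is not admitted.
if [ "${DEMO:-0}" = 1 ]; then
  rules=$(gen_ruleset 22 443)
  printf '%s\n' "$rules"
  port_open "$rules" 8000 && echo "8000 open" || echo "8000 blocked"
fi
```

Feeding the output to `iptables-restore` would apply it; with firewalld the same intent is expressed by keeping the default zone's target at reject and letting role configuration run `firewall-cmd --permanent --add-port=443/tcp` (or `--add-service=...`) for the services it installs.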
