firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Simo Sorce simo at redhat.com
Tue Mar 4 20:31:29 UTC 2014


On Tue, 2014-03-04 at 14:07 +0100, Miloslav Trmač wrote:
> I see having a firewall running by default, but punching holes in it
> by default, without explicit user involvement, as such a case: the
> underlying reason to have a firewall seems to be defeated by the way
> the firewall is being used.

Here lies the error of your reasoning.

Roles do not do anything without *explicit user involvement*.
You actually have to install *and* set up a role on your system to poke
any hole.
And not poking holes for some roles makes no sense, because the role can
only be used (in the common case) if it is reachable from the network,
and if it is unreachable it does not work.

One of the assumptions for roles is that we want to have them working as
intended once the setup is complete.

Roles that are not clear cases, as said in the last meeting, will offer
a way for the admin to tell what to do; however, their default will
depend on what we think is the best default.

For example I think the best default for the domain controller role will
be to open the firewall, while the best default for the database role
will be to keep it closed.

The point is: roles should provide firewall rules and apply the
appropriate default; however, admins should be able to override the
default at setup time.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
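As an added example (not code from this thread, and not the Fedora server roles project's own implementation), the script below sketches what the message's proposal could look like with firewalld: each role declares the services it needs and a default firewall policy, and the admin can override that default when the role is set up. The role names, their service lists, the per-role defaults and the override argument are assumptions made here for illustration; the service names (ldap, ldaps, kerberos, dns, postgresql) are firewalld's built-in service definitions. Setting FIREWALL_CMD=echo turns it into a dry run that only prints the firewall-cmd invocations.

```shell
#!/bin/bash
# Added example: per-role firewalld defaults with an admin override at setup
# time. Role metadata below is hypothetical; a real role would carry it itself.

# Role -> firewalld services the role needs to be reachable (built-in names).
role_services() {
    case "$1" in
        domaincontroller) echo "ldap ldaps kerberos dns" ;;
        database)         echo "postgresql" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Role -> default policy. The DC is useless if unreachable, so it opens;
# the DB commonly serves only localhost or a trusted tier, so it stays closed.
role_default_firewall() {
    case "$1" in
        domaincontroller) echo open ;;
        database)         echo closed ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Effective policy: an explicit admin choice (open|closed) beats the role
# default; an empty override means "use the default". Anything else is an error.
effective_policy() {
    local role=$1 override=$2
    case "$override" in
        open|closed) echo "$override" ;;
        "")          role_default_firewall "$role" ;;
        *)           echo "invalid override: $override" >&2; return 1 ;;
    esac
}

# Emit the firewall-cmd calls for a role. Rules are added to the permanent
# configuration and then reloaded so runtime and permanent state agree.
# A "closed" policy removes the role's services so a re-run after an admin
# changes their mind does not leave an earlier "open" in place.
# FIREWALL_CMD defaults to firewall-cmd; set it to "echo" for a dry run.
apply_role_firewall() {
    local role=$1 override=$2 zone=${3:-public}
    local policy services svc action
    policy=$(effective_policy "$role" "$override") || return 1
    services=$(role_services "$role") || return 1
    : "${FIREWALL_CMD:=firewall-cmd}"
    if [ "$policy" = open ]; then
        action=--add-service
    else
        action=--remove-service
    fi
    for svc in $services; do
        "$FIREWALL_CMD" --permanent --zone="$zone" "$action=$svc" || return 1
    done
    "$FIREWALL_CMD" --reload
}

# Usage (dry run): FIREWALL_CMD=echo apply_role_firewall domaincontroller ""
#                  FIREWALL_CMD=echo apply_role_firewall database open
```

The override is deliberately a separate argument rather than an edit of the role's defaults, so the role's own choice stays visible and a later re-run with no override falls back to it.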



More information about the server mailing list