firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Reindl Harald h.reindl at thelounge.net
Thu Mar 6 21:54:27 UTC 2014



On 06.03.2014 22:43, Stephen Gallagher wrote:
> On 03/06/2014 04:28 PM, Reindl Harald wrote:
> 
>> On 06.03.2014 22:13, Miloslav Trmač wrote:
>>> 2014-03-06 22:03 GMT+01:00 Simo Sorce <simo at redhat.com>:
>>> Sorry I do not understand what you are saying here.
>>>
>>> $ fedora-role-deploy postgresql
>>> # Huh, it is refusing connections?
>>> # Ah, firewall...
>>> $ fedora-role-deploy --open-firewall-ports postgresql
>>> # That's how it is done in Fedora, then.  Good to know.
> 
>> right direction
> 
>>> # Time passes...
>>>
>>> $ fedora-role-deploy freeipa # Huh, this is already accessible?
> 
>> that must not happen
> 
>> * not from usability point of view
>> * not from security point of view - *no* open ports *never ever* as default
> 
> The debate here is where you draw the line as to "what is default".
> Deploying a role is *NOT* the same as just installing a package. For
> package installs, I absolutely agree that we should never be poking
> holes in the firewall.

I draw the line *strictly*.

If I deploy whatever role, nobody but me is responsible for opening
firewall ports, because nobody but me can know if it is sane
to do so or what I have planned after the deployment before
going into production.

Frankly, nobody but me knows for what usage the role is intended:
inside the LAN, specific IPs in the LAN or even the whole world,
and while nobody but me can know that, nobody but me has to open ports.

Opening firewall ports is always the last step before going into production.

There should be no ifs and buts, because that is what Windows does
and that's why I am using Linux.
________________________

Recently faced on a Win2008R2 acting as vCenter server:

* install VMware packages -> ports in the firewall are opened
* well, I closed them *all* except two single LAN IPs
* months later -> update of whatever package
* followed by the monthly security scan inside the LAN
* one check is if the complete vCenter server is *unreachable*
* voila, a few ports opened again

No, I do not want such misbehavior on any system I would call sane.
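The monthly LAN scan described above ("is the server still unreachable, or did an update reopen something?") is easy to automate. The following is an added example, not code from this thread or from any Fedora or VMware tooling: it probes a list of TCP ports from the scanning host, compares what answers against an approved set, and reports ports that came back as well as approved ports that went quiet. The `FakeService` listener and `unused_port` helper are stand-ins constructed here so the check can be exercised offline on 127.0.0.1; in real use you would point `check_exposure` at the server's LAN address with the ports you actually closed, and run it from a host that is *not* one of the two permitted client IPs.

```python
import socket
import threading
from contextlib import closing


def probe_tcp(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake completes, i.e. the port is reachable from here.

    Refused and timed-out connects both count as "closed": the check cares
    whether the service is reachable from this vantage point, not why it isn't.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def scan_ports(host: str, ports, timeout: float = 0.5) -> set:
    """Return the subset of `ports` that accept a TCP connection from here."""
    return {p for p in ports if probe_tcp(host, p, timeout)}


def check_exposure(host: str, ports, expected_open, timeout: float = 0.5):
    """Compare what is reachable against the approved set.

    Returns (reopened, missing): ports reachable that should not be (the
    "update reopened the firewall" case) and approved ports that are not
    reachable (service down, or a rule tightened too far).
    """
    reachable = scan_ports(host, ports, timeout)
    reopened = sorted(reachable - set(expected_open))
    missing = sorted(set(expected_open) - reachable)
    return reopened, missing


class FakeService:
    """Demo stand-in for a service whose port came back after an update.

    Listens on 127.0.0.1 on an OS-chosen port and accepts connections until
    close() is called, so the check can run without a real vCenter or network.
    """

    def __init__(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))
        self._sock.listen(5)
        self._sock.settimeout(0.2)
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._sock.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break

    def close(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()


def unused_port() -> int:
    """Pick a port that is closed right now (demo helper; bind-and-release)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Baseline 'nothing may answer' scan against one live and one closed port."""
    svc = FakeService()
    try:
        closed = unused_port()
        reopened, missing = check_exposure("127.0.0.1", [svc.port, closed], expected_open=set())
        return reopened, missing, svc.port, closed
    finally:
        svc.close()


if __name__ == "__main__":
    reopened, missing, live, closed = demo()
    print(f"probed {live} (listening) and {closed} (closed)")
    print(f"reopened: {reopened}  missing: {missing}")
```

Run it on a schedule from the scanning host and treat a non-empty `reopened` list as a failed check; the `missing` list is the complementary alarm for the day a rule change or a stopped service takes an approved port offline.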


