firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Stephen John Smoogen smooge at gmail.com
Thu Mar 6 22:06:28 UTC 2014


On 6 March 2014 14:54, Reindl Harald <h.reindl at thelounge.net> wrote:

>
>
> On 06.03.2014 22:43, Stephen Gallagher wrote:
> > On 03/06/2014 04:28 PM, Reindl Harald wrote:
> >
> >> On 06.03.2014 22:13, Miloslav Trmač wrote:
> >>> 2014-03-06 22:03 GMT+01:00 Simo Sorce <simo at redhat.com>:
> >>> Sorry I do not understand what you are saying here.
> >>>
> >>> $ fedora-role-deploy postgresql
> >>> # Huh, it is refusing connections?
> >>> # Ah, firewall...
> >>> $ fedora-role-deploy --open-firewall-ports postgresql
> >>> # That's how it is done in Fedora, then.  Good to know.
> >
> >> right direction
> >
> >>> # Time passes...
> >>>
> >>> $ fedora-role-deploy freeipa # Huh, this is already accessible?
> >
> >> that must not happen
> >
> >> * not from usability point of view
> >> * not from security point of view - *no* open ports *never ever* as default
> >
> > The debate here is where you draw the line as to "what is default".
> > Deploying a role is *NOT* the same as just installing a package. For
> > package installs, I absolutely agree that we should never be poking
> > holes in the firewall.
>
> i draw the line *strict*
>
> if i deploy whatever role nobody other than me is responsible to open
> firewall ports because nobody other than me can know if it is sane
> to do so or what i have planned after the deployment before
> going into production
>
>
Then in this case, you wouldn't want to use Roles in any form as they
aren't going to help you any. You aren't the target audience for them.
Trying to make you the target audience would only work in your environment
and no one else's.


-- 
Stephen J Smoogen.