firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Stephen Gallagher sgallagh at redhat.com
Thu Mar 6 22:12:00 UTC 2014


On 03/06/2014 05:06 PM, Stephen John Smoogen wrote:
> On 6 March 2014 14:54, Reindl Harald <h.reindl at thelounge.net> wrote:
>
> On 06.03.2014 22:43, Stephen Gallagher wrote:
>> On 03/06/2014 04:28 PM, Reindl Harald wrote:
>>
>>> On 06.03.2014 22:13, Miloslav Trmač wrote:
>>>> 2014-03-06 22:03 GMT+01:00 Simo Sorce <simo at redhat.com>:
>>>> Sorry, I do not understand what you are saying here.
>>>>
>>>> $ fedora-role-deploy postgresql
>>>> # Huh, it is refusing connections?
>>>> # Ah, firewall...
>>>> $ fedora-role-deploy --open-firewall-ports postgresql
>>>> # That's how it is done in Fedora, then.  Good to know.
>>
>>> right direction
>>
>>>> # Time passes...
>>>>
>>>> $ fedora-role-deploy freeipa
>>>> # Huh, this is already accessible?
>>
>>> that must not happen
>>
>>> * not from a usability point of view
>>> * not from a security point of view - *no* open ports *never ever* as default
>>
>> The debate here is where you draw the line as to "what is
>> default". Deploying a role is *NOT* the same as just installing a
>> package. For package installs, I absolutely agree that we should
>> never be poking holes in the firewall.
>
> I draw the line *strictly*.
>
> If I deploy whatever role, nobody but me is responsible for opening
> firewall ports, because nobody but me can know whether it is sane to do
> so, or what I have planned after the deployment before going into
> production.
>
>
> Then in this case, you wouldn't want to use Roles in any form, as
> they aren't going to help you any. You aren't the target audience
> for them. Trying to make you the target audience would only work
> in your environment and no one else's.
>

I don't think that's necessarily a fair statement. We fully intend for
the firewall control on these Roles to be easy to turn off and on at
will. Upgrades should never change that state[1]. I don't see any
reason why, under those conditions, Roles couldn't work for Mr. Reindl.


[1] I think I can reasonably assert this without controversy.
