firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Stephen John Smoogen smooge at gmail.com
Thu Mar 6 22:30:41 UTC 2014


On 6 March 2014 15:12, Stephen Gallagher <sgallagh at redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 03/06/2014 05:06 PM, Stephen John Smoogen wrote:
> >
> >
> >
> > On 6 March 2014 14:54, Reindl Harald <h.reindl at thelounge.net
> > <mailto:h.reindl at thelounge.net>> wrote:
> >
> >
> >
> > Am 06.03.2014 22:43, schrieb Stephen Gallagher:
> >> On 03/06/2014 04:28 PM, Reindl Harald wrote:
> >>
> >>> Am 06.03.2014 22:13, schrieb Miloslav Trmač:
> >>>> 2014-03-06 22:03 GMT+01:00 Simo Sorce <simo at redhat.com
> > <mailto:simo at redhat.com>
> >>>> <mailto:simo at redhat.com <mailto:simo at redhat.com>>>: Sorry I
> >>>> do
> > not understand what you are
> >>>> saying here.
> >>>>
> >>>> $ fedora-role-deploy postgresql # Huh, it is refusing
> >>>> connections? # Ah, firewall... $ fedora-role-deploy
> >>>> --open-firewall-ports postgresql # That's how it is done in
> >>>> Fedora, then.  Good to know.
> >>
> >>> right direction
> >>
> >>>> # Time passes...
> >>>>
> >>>> $ fedora-role-deploy freeipa # Huh, this is already
> >>>> accessible?
> >>
> >>> that must not happen
> >>
> >>> * not from usability point of view * not from security point
> >>> of view - *no* open ports *never ever* as default
> >>
> >> The debate here is where you draw the line as to "what is
> >> default". Deploying a role is *NOT* the same as just installing a
> >> package. For package installs, I absolutely agree that we should
> >> never be poking holes in the firewall.
> >
> > i draw the line *strict*
> >
> > if i deploy whatever role nobody but me is responsible to open
> > firewall ports because nobody but me can know if it is sane to do
> > so or what i have planned after the deployment before going into
> > production
> >
> >
> > Then in this case, you wouldn't want to use Roles in any form as
> > they aren't going to help you any. You aren't the target audience
> > for them.. trying to make you the target audience would only work
> > in your environment and no one else's.
> >
>
> I don't think that's necessarily a fair statement. We fully intend for
> the firewall control on these Roles to be easy to turn off and on at
> will. Upgrades should never change that state[1]. I don't see any
> reason why, under those conditions, Roles couldn't work for Mr. Reindl.
>
>
I didn't say that roles couldn't work, just that he isn't the target
audience. From what I have read through the years, Harald has a very strict
setup which he knows very well and which works well for what he needs done.
However, doing any sort of configuration management outside of what he has
in place is going to cause problems. They are ones that can be worked
around, but you would need to make sure that the default of every role
command is a no-op. Only after he had configured, edited and audited the tasks
would he want them to be anything else.

Note this isn't meant to be derogatory to H. Reindl, and if it comes across
that way I am sorry. I have a lot of respect for people who work in such
environments and realize that there is a LOT of need for it. I also know
that if you are designing a product to meet those types of environments you
need to know from the start that 1) nothing happens without express
commands and 2) nothing is to be hard coded but configurable before a role
is deployed. It usually means that where you could come up with a 'generic' 60%
solution in 20 lines of code, you now need 4000 lines of code to deal with
all the alternatives and options that will come up.



-- 
Stephen J Smoogen.
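The two design rules in the message above (nothing happens without an express command, and nothing hard-coded that the admin cannot see first) can be shown as a small deploy wrapper in the style of the hypothetical `fedora-role-deploy --open-firewall-ports` session quoted earlier. The script below is an added example, not code from the thread or from any Fedora Server roles implementation: the command name `deploy_role`, the role-to-firewalld-service mapping, and the `FIREWALL_CMD` override variable are all constructed for this illustration. The firewall step is a no-op by default that only reports what it would run; the firewall is touched only when the caller passes the flag explicitly.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora Server roles.
# Firewall changes are opt-in: without --open-firewall-ports the wrapper
# only prints the plan. The role/service mapping is constructed.

# FIREWALL_CMD can be overridden (e.g. to "echo") for dry runs and tests.
: "${FIREWALL_CMD:=firewall-cmd}"

# firewalld service names a role needs; constructed mapping for the example.
role_services() {
    case "$1" in
        postgresql) echo "postgresql" ;;
        freeipa)    echo "freeipa-ldap freeipa-ldaps kerberos dns" ;;
        *)          return 1 ;;
    esac
}

# Print, one per line, the firewall commands the role would need. Nothing
# is executed here, so the admin can review (or audit) the plan first.
plan_firewall() {
    services=$(role_services "$1") || return 1
    for s in $services; do
        echo "$FIREWALL_CMD --permanent --add-service=$s"
    done
    echo "$FIREWALL_CMD --reload"
}

# deploy_role ROLE [--open-firewall-ports]
# Without the flag: report the plan, leave the firewall untouched, exit 0.
# With the flag: run each planned command, stopping at the first failure.
deploy_role() {
    role=$1; shift
    open=0
    for arg in "$@"; do
        case "$arg" in
            --open-firewall-ports) open=1 ;;
            *) echo "deploy_role: unknown option: $arg" >&2; return 2 ;;
        esac
    done
    plan=$(plan_firewall "$role") || {
        echo "deploy_role: unknown role: $role" >&2; return 1;
    }
    if [ "$open" -eq 0 ]; then
        echo "firewall unchanged (default); rerun with --open-firewall-ports to run:"
        printf '%s\n' "$plan" | sed 's/^/  /'
        return 0
    fi
    # The while loop runs in a subshell; exit 1 there makes the pipeline,
    # and thus the function, return non-zero on the first failed command.
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}
```

Sourcing the file and running `deploy_role postgresql` prints the two `firewall-cmd` invocations it would need and changes nothing; `deploy_role postgresql --open-firewall-ports` runs them. Setting `FIREWALL_CMD=echo` before the call turns the apply path into a dry run, which is how the behaviour can be checked on a machine without firewalld.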