firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Simo Sorce simo at redhat.com
Thu Mar 6 22:36:42 UTC 2014


On Thu, 2014-03-06 at 17:12 -0500, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 03/06/2014 05:06 PM, Stephen John Smoogen wrote:
> > 
> > 
> > 
> > On 6 March 2014 14:54, Reindl Harald <h.reindl at thelounge.net> wrote:
> > 
> > 
> > 
> > Am 06.03.2014 22:43, schrieb Stephen Gallagher:
> >> On 03/06/2014 04:28 PM, Reindl Harald wrote:
> >> 
> >>> Am 06.03.2014 22:13, schrieb Miloslav Trmač:
> >>>> 2014-03-06 22:03 GMT+01:00 Simo Sorce <simo at redhat.com>:
> >>>> Sorry I do not understand what you are saying here.
> >>>> 
> >>>> $ fedora-role-deploy postgresql
> >>>> # Huh, it is refusing connections?
> >>>> # Ah, firewall...
> >>>> $ fedora-role-deploy --open-firewall-ports postgresql
> >>>> # That's how it is done in Fedora, then.  Good to know.
> >> 
> >>> right direction
> >> 
> >>>> # Time passes...
> >>>> 
> >>>> $ fedora-role-deploy freeipa # Huh, this is already
> >>>> accessible?
> >> 
> >>> that must not happen
> >> 
> >>> * not from usability point of view
> >>> * not from security point of view - *no* open ports *never ever* as default
> >> 
> >> The debate here is where you draw the line as to "what is
> >> default". Deploying a role is *NOT* the same as just installing a
> >> package. For package installs, I absolutely agree that we should
> >> never be poking holes in the firewall.
> > 
> > i draw the line *strict*
> > 
> > if i deploy whatever role, nobody but me is responsible to open
> > firewall ports, because nobody but me can know if it is sane to do
> > so or what i have planned after the deployment before going into
> > production
> > 
> > 
> > Then in this case, you wouldn't want to use Roles in any form as
> > they aren't going to help you any. You aren't the target audience
> > for them.. trying to make you the target audience would only work
> > in your environment and no one else's.
> > 
> 
> I don't think that's necessarily a fair statement. We fully intend for
> the firewall control on these Roles to be easy to turn off and on at
> will. Upgrades should never change that state[1]. I don't see any
> reason why, under those conditions, Roles couldn't work for Mr. Reindl.
> 
> 
> [1] I think I can reasonably assert this without controversy.

weeeelll, we had some ports change in freeipa, we used to open 8443 and
then we changed to proxy everything via 443, so technically we would
like to 'close' a port on update if we were back then :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
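
The 8443-to-443 change Simo mentions is the case where a role update has to close a port it opened earlier, not just open new ones, while still respecting an admin who has told the role to leave the firewall alone. The script below is an added illustration of that reconcile step, not code from Fedora Server Roles or from anyone in this thread. The port lists are constructed (only the 8443/443 pair comes from the message above), and the ROLE_MANAGE_FIREWALL opt-out variable and DRY_RUN switch are assumptions; the firewall-cmd options used (--permanent, --add-port, --remove-port, --reload) are real firewalld options and apply to the default zone.

```shell
#!/bin/sh
# Added example: reconcile a role's firewalld ports across a role update.
# Not Fedora Server Role code. Port lists are constructed; only the
# 8443/tcp -> 443/tcp change is taken from the mailing-list message.

# Admin opt-out (assumed name). A role update must preserve this setting,
# so the role never re-opens ports the admin decided to manage by hand.
ROLE_MANAGE_FIREWALL=${ROLE_MANAGE_FIREWALL:-yes}
# With DRY_RUN=yes the firewall-cmd calls are printed instead of executed,
# so the script can be read and run without firewalld installed.
DRY_RUN=${DRY_RUN:-yes}

# Ports the previous role version opened, and what the new version needs
# (constructed: the old version exposed 8443 directly, the new one proxies
# everything through 443).
OLD_PORTS="80/tcp 443/tcp 8443/tcp"
NEW_PORTS="80/tcp 443/tcp"

# in_list ITEM LIST -> exit 0 if ITEM is one of the words in LIST
in_list() {
    item=$1
    shift
    for w in $1; do
        [ "$w" = "$item" ] && return 0
    done
    return 1
}

# ports_to_close OLD NEW -> ports in OLD that NEW no longer needs
ports_to_close() {
    out=""
    for p in $1; do
        in_list "$p" "$2" || out="$out $p"
    done
    echo "${out# }"
}

# ports_to_open OLD NEW -> ports NEW needs that OLD did not open
ports_to_open() {
    out=""
    for p in $2; do
        in_list "$p" "$1" || out="$out $p"
    done
    echo "${out# }"
}

# fwcmd ARGS... -> run firewall-cmd, or print the call under DRY_RUN
fwcmd() {
    if [ "$DRY_RUN" = yes ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# reconcile OLD NEW -> close stale ports, open missing ones, reload.
# Does nothing when the admin has opted out of role-managed firewalling.
reconcile() {
    if [ "$ROLE_MANAGE_FIREWALL" != yes ]; then
        echo "firewall is admin-managed; not touching ports" >&2
        return 0
    fi
    for p in $(ports_to_close "$1" "$2"); do
        fwcmd --permanent --remove-port="$p"
    done
    for p in $(ports_to_open "$1" "$2"); do
        fwcmd --permanent --add-port="$p"
    done
    fwcmd --reload
}

# Usage: on update, diff the recorded old port set against the new one.
reconcile "$OLD_PORTS" "$NEW_PORTS"
```

Two points the diff-based approach gets right that a plain "add the new ports" update does not: the stale 8443/tcp is closed rather than left open forever, and a port the admin removed by hand is only re-added if it is still in the role's new port set and the opt-out is off. Recording OLD_PORTS from the previous deployment (rather than reading the live firewall) is what keeps the role from clobbering ports that belong to other services.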