firewalld vs iptables vs ? as default (was Comparison to Workstation Technical Specification)

Russell Doty rdoty at redhat.com
Mon Mar 10 15:39:11 UTC 2014


On Fri, 2014-03-07 at 10:52 -0500, Simo Sorce wrote:
> On Thu, 2014-03-06 at 15:49 -0700, Stephen John Smoogen wrote:
> > My understanding was that the roles commands were items that the
> > system administrator ran to set up a system to do a certain task and
> > was set up to be done for the 60% of the environments which aren't
> > going to play with defaults in any case.
> 
> Exactly, the idea of a role is to have a standard way to deploy some
> well defined services we classify as 'roles'. The aim is to have the
> roles fully functional once configured. The definition of 'fully
> functional' is role-specific of course.
> 
> >  So these were my assumptions:
> > 1) The systems administrator is running these commands.
> > 2) The system administrator level being aimed for is more where they
> > have a task to do and just want it to work without knowing all these
> > things. (e.g. the people who will install cpanel, webadmin, etc without
> > a thought.) We are just wanting that when they set up those commands
> > they get a working secure default.
> > 3) The goal is to get these systems up without the admin following the
> > usual howto of
> 
> [snip]
> 
> Yes, this is correct, moreover if the admin is expert and has taken the
> time to read the role documentation (or has experimented previously) I
> expect he will be able to find the additional command line switches of
> the 'configure-role' command to change defaults for specific high level
> configuration items if he needs/wants to.
> 
> So in the firewall case I see a more expert admin passing in at
> invocation time the policy he wants to enforce when it comes to opening
> firewall ports. If he doesn't, the role-default will be used instead.
> 
> Simo.
> 
To jump in here, the majority of customers (based on primary and
secondary research) turn off the Linux firewall.

They do this for two reasons:

* The Linux firewall interferes with applications.

* The Linux firewall can't be centrally managed.

Firewalld is a starting point for enabling centralized management of
Linux firewalls. Server Roles are a step toward having the firewall not
interfere with the application, by configuring the firewall as part of
the application installation.

Server Roles should improve security by encouraging more people to leave
the Linux Firewall turned on.

Russ
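The firewall step Simo and Russ describe (a role opens the ports its application needs as part of installation, using a role default unless the admin passes a policy at invocation time) sketched as a POSIX shell script. This is an added example, not the Fedora Server Roles code and not anything from the thread: the role names and their default service lists are constructed for illustration, and the "services:" / "ports:" policy syntax is invented here. The firewall-cmd flags it emits (--permanent, --zone, --add-service, --add-port, --reload, --state) are real firewalld options.

```shell
#!/bin/sh
# Added example: firewall step of a hypothetical "configure-role" command.
# Not the Fedora Server Roles implementation. Role defaults are constructed.

# Default firewalld services a role opens when the admin gives no policy.
role_default_services() {
    case "$1" in
        webserver)  echo "http https" ;;
        mailserver) echo "smtp imaps" ;;
        database)   echo "postgresql" ;;
        *)          return 1 ;;
    esac
}

# Print the firewall-cmd invocations for a role, one per line.
#   $1  role name
#   $2  optional admin policy (invented syntax):
#         "services:http,https"  or  "ports:8080/tcp,5353/udp"
#   $3  optional firewalld zone (default: public)
role_firewall_commands() {
    role=$1; policy=${2:-}; zone=${3:-public}
    defaults=$(role_default_services "$role") || {
        echo "unknown role: $role" >&2; return 1; }
    case "$policy" in
        "")
            for s in $defaults; do
                printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$s"
            done ;;
        services:*)
            for s in $(echo "${policy#services:}" | tr ',' ' '); do
                printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$s"
            done ;;
        ports:*)
            for p in $(echo "${policy#ports:}" | tr ',' ' '); do
                printf 'firewall-cmd --permanent --zone=%s --add-port=%s\n' "$zone" "$p"
            done ;;
        *)
            echo "unrecognised policy: $policy" >&2; return 1 ;;
    esac
    # --permanent changes only take effect in the running firewall after --reload.
    echo "firewall-cmd --reload"
}

# Run the commands, or only print them when DRY_RUN=1.
apply_role_firewall() {
    cmds=$(role_firewall_commands "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
        return 0
    fi
    # Fail loudly if firewalld is not running instead of "succeeding" with
    # nothing opened; the admin then knows the role did not get a firewall.
    firewall-cmd --state >/dev/null 2>&1 || {
        echo "firewalld is not running; refusing to configure role firewall" >&2
        return 1; }
    printf '%s\n' "$cmds" | while IFS= read -r c; do
        $c || exit 1
    done
}

# Demo (dry run): role default, then an admin override of ports and zone.
DRY_RUN=1
apply_role_firewall webserver
apply_role_firewall webserver "ports:8080/tcp,8443/tcp" internal
```

Run with DRY_RUN=1 to see what a role would do before letting it touch the host. The point of the default branch is the one Russ makes: the firewall stays on because the application's own install step opens exactly the services it needs, while the policy argument is Simo's escape hatch for the admin who knows better.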



