Re: firewall configuring


Tim <ignored_mailbox@xxxxxxxxxxxx> writes:

> Allegedly, on or about 13 November 2012, lee sent:
>> Great, that is going to conflict with my shorewall configuration when I
>> update.  And running another daemon process all the time for something
>> that rarely ever changes once it's set up?  Adding even more
>> dependencies with networkmanager?  Involving d-bus which is something
>> nobody understands?  That just sucks.
>
> I tend to agree.
>
> However, I can see one need for a daemon, though wonder whether it does
> anything about it:  Things that actually require dynamic firewall
> configuration, such as the random port used by FTP, UPnP thingoes, et
> cetera.  If it doesn't actually provide a solution to problems like
> them, then what's the point?

They are saying on the web page that it has the advantages of not
unloading the modules and being able to change FW configuration without
interrupting connections and while keeping the firewall up.  I've never
had problems with that on Debian --- they are right though in that
restarting shorewall would take the firewall down during the restart.
I've never had issues with interrupted connections because of that.

These are particularities of the implementation, though.  There's no
need to unload the modules, so something on Fedora must be intentionally
unloading them.  That the firewall is taken down rather than actually
modified when shorewall is stopped is shorewall's implementation.

A constantly running daemon that can quietly modify firewall rules looks
like a nice tool for creating security problems.

I'd vote for making shorewall the default firewall in Fedora instead.
Where can we make suggestions like that?


FTP isn't using random ports.  It's using two ports, and firewalls need
to be set up correctly to deal with that.  There's a kernel module for
this very purpose.

When starting shorewall, I'm getting messages like 'xt_CT: No such
helper "ftp-0"' in /var/log/messages.  I haven't looked into that yet
--- any idea what they are supposed to tell me and what to do about it?


-- 
Fedora 17
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
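
Added example, not part of the message above and not code from the kernel or shorewall: a sketch of the job an FTP connection-tracking helper has to do, which is to read the control connection for the announced data port and derive the one extra connection the firewall should expect. The function names, addresses and sample lines are constructed for illustration.

```python
import re

# Six comma-separated numbers: four address octets, then port high/low byte.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT = re.compile(r"^PORT " + _SIX + r"\s*$", re.I)      # client, active mode
_PASV = re.compile(r"^227 [^(]*\(" + _SIX + r"\)")        # server, passive mode
_EPSV = re.compile(r"^229 [^(]*\((.)\1\1(\d{1,5})\1\)")   # server, extended passive

def expected_data_channel(sender_ip, peer_ip, line):
    """Return (src_ip, dst_ip, dst_port) of the data connection to allow, or None."""
    m = _PORT.match(line) or _PASV.match(line)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            return None
        listen_ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
    else:
        m = _EPSV.match(line)
        if not m:
            return None
        listen_ip, port = sender_ip, int(m.group(2))  # EPSV carries no address
    # Only accept an address that belongs to the host that sent the line;
    # anything else would open the firewall toward a third machine.
    if listen_ip != sender_ip or not 0 < port < 65536:
        return None
    return (peer_ip, listen_ip, port)

# Constructed control-channel lines: (sender_ip, peer_ip, line).
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", "PORT 192,0,2,10,195,80"),
    ("198.51.100.5", "192.0.2.10", "227 Entering Passive Mode (198,51,100,5,234,96)"),
    ("198.51.100.5", "192.0.2.10", "229 Entering Extended Passive Mode (|||51000|)"),
    ("192.0.2.10", "198.51.100.5", "PORT 10,0,0,99,0,22"),  # not the sender's address
]

def expectations(sample=SAMPLE):
    """Evaluate every sample line; None means no pinhole is opened."""
    return [expected_data_channel(*entry) for entry in sample]

if __name__ == "__main__":
    for entry, result in zip(SAMPLE, expectations()):
        print(entry[2], "->", result)
```

The last sample line is rejected because the announced address differs from the host that sent the command, so no expectation is created for it.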

