Re: CentOS 6.5 equivalents in CentOS 7




On Fri, Oct 31, 2014 at 02:42:03AM +0000, Always Learning wrote:
> Assuming the IPtables firewall is logically designed, it is very easy to
> see exactly where you need to place the command. Your wish to delegate a
> simple placement to the software suggests you are not well familiar with
> the design and construction of your IPtables firewall. firewalld is
> probably ideal for you, but I prefer the precision and flexibility of
> IPtables (perhaps because I am an assembler programmer at heart)

If you manage your systems through a configuration management system like
puppet, chef or bcfg2, managing the monolithic /etc/sysconfig/iptables
is a pain.  I ended up templating it, and having various group
memberships define how the file is created from the template.

One of the features firewalld brings is being able to place different
configuration parts into separate files, to be incorporated into the
firewall dynamically.  This is a dev web host?  It gets a zone letting
only the developers access httpd.  This other system is a production
mysql server?  Define the zone allowing the production application
servers access to the mysql port.  Have each configuration bundle that
defines a service drop in a service definition.

-- 
Jonathan Billings <billings@xxxxxxxxxx>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
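
Added example, not part of the original message or of any project's code: the two roles described above written as firewalld drop-in files that a configuration manager could install one at a time. The zone names, the service name prod-mysql, the file names and the addresses (documentation ranges) are assumptions made for illustration; 3306 is the default MySQL port.

```shell
#!/bin/sh
# Per-role firewalld drop-ins: each role owns its own files under
# /etc/firewalld instead of editing one monolithic rules file.
# All names and addresses below are constructed for illustration.

# write_dev_web_zone DIR: only the developer network may reach httpd.
write_dev_web_zone() {
    mkdir -p "$1/zones"
    cat > "$1/zones/devweb.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>devweb</short>
  <description>Developers may reach httpd on this dev web host.</description>
  <source address="192.0.2.0/24"/>
  <service name="http"/>
</zone>
EOF
}

# write_prod_db_zone DIR: only the production app servers may reach MySQL.
# The bundle also drops its own service definition.
write_prod_db_zone() {
    mkdir -p "$1/zones" "$1/services"
    cat > "$1/services/prod-mysql.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>prod-mysql</short>
  <description>MySQL as served to the production application tier.</description>
  <port protocol="tcp" port="3306"/>
</service>
EOF
    cat > "$1/zones/proddb.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>proddb</short>
  <source address="198.51.100.10"/>
  <source address="198.51.100.11"/>
  <service name="prod-mysql"/>
</zone>
EOF
}

# Usage: sh SCRIPT devweb|proddb [DIR]   (DIR defaults to /etc/firewalld)
case "${1:-}" in
    devweb) write_dev_web_zone "${2:-/etc/firewalld}" ;;
    proddb) write_prod_db_zone "${2:-/etc/firewalld}" ;;
esac
```

After the files are in place, `firewall-cmd --reload` makes firewalld read them; traffic from the listed source addresses is then handled by the matching zone.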



