Thomas Woerner wrote:
> Please think of a scenario like this: Service A is adding
> firewall rules for opening port 20 and 21 (ftp-data and ftp) for
> everyone and service B is opening port 20 and 21 only for a specific
> network segment. What do you want to have here? If you apply A's rules
> first then 20 and 21 is open for everyone and the rules from B are not
> used at all. But if you apply B's rules first, ... What is the right
> ordering here? Should A or B win?
The conflict is there only if you are thinking something like this:
//A
if(port==(20-21)) PERMIT else DENY;
//B
if(port==(20-21)) {if(net==trusted) PERMIT; else DENY;}
where the behavior changes if you change the order of A and B.
But I have always seen firewalls rules written as "holes", with a default
deny rule at the end:
//A
if(port==(20-21)) PERMIT;
//B
if(port==(20-21) && net==trusted) PERMIT;
//default
DENY;
In this case there is no dependence on the ordering.
Am I missing something?
--
Roberto Ragusa mail at robertoragusa.it
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
