Roberto Ragusa wrote:
Thomas Woerner wrote:
Please think of a scenario like this: Service A is adding
firewall rules for opening port 20 and 21 (ftp-data and ftp) for
everyone and service B is opening port 20 and 21 only for a specific
network segment. What do you want to have here? If you apply A's rules
first then 20 and 21 is open for everyone and the rules from B are not
used at all. But if you apply B's rules first, ... What is the right
ordering here? Should A or B win?
The conflict is there only if you are thinking something like this:
//A
if(port==(20-21)) PERMIT else DENY;
//B
if(port==(20-21)) {if(net==trusted) PERMIT; else DENY;}
where the behavior changes if you change the order of A and B.
But I have always seen firewalls rules written as "holes", with a default
deny rule at the end:
//A
if(port==(20-21)) PERMIT;
//B
if(port==(20-21) && net==trusted) PERMIT;
//default
DENY;
A wins here. The first matching rule will be used. Therefore there is no
restriction for a trusted network. So your ftp server will be available
for everyone - even in a public wifi.
In this case there is no dependence on the ordering.
Am I missing something?
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
