On Monday, 20.08.2007, 12:54 -0400, Simo Sorce wrote:
> On Mon, 2007-08-20 at 12:40 -0400, Jeremy Katz wrote:
> > On Mon, 2007-08-20 at 16:20 +0000, "Jóhann B. Guðmundsson" wrote:
> > > Any thoughts on implementing automatic port opening for services
> > > that need port access in the firewall,
> > > as in: when a service that needs a port opened is started, it would
> > > automatically read some firewall.conf
> > > file and open the port automatically according to the
> > > settings in that firewall.conf file
> > > (add the iptables rules automatically when the service is started and
> > > remove those rules when the service is stopped)?
> > >
> > > Doing chkconfig service or service service start/stop would also
> > > open the port for that service in the firewall.
> >
> > I think it's a great idea and would go a long way towards making things
> > more usable. One of the questions is: do you do the firewall change on
> > service start/stop or at chkconfig time? And I'm a little bit torn on
> > that one. chkconfig time makes it "simpler" as far as not requiring
> > initscript changes. start/stop seems like it's probably more "correct",
> > but would then require initscripts to call a new function on start/stop.
>
> Why should it be "more correct" to do it at start/stop?
> It seems more correct to do it at chkconfig, so that even if you stop the
> service, iptables -Lv will show you what the "normal" firewall
> situation is.
>
> Letting services poke holes in the firewall is not something admins will
> really love. If I set a rule to block traffic for a certain service I
> _really_ mean it, and I don't want to have to change the init scripts or
> have to reapply the rule each time I start/stop a service.

No, in fact I would hate it with a vengeance. If I have an apache server listening for traffic, that doesn't mean I want people outside my network connecting to it; nor do I want people connecting to my ssh server.

Why not just disable the firewall altogether? That would have the effect you are looking for: all services that are running can accept connections.

> Also, which networks do you plan to apply this to? (At minimum you have lo
> and eth0 interfaces, and you may also have tun0 or others.)
> All? Some? Which?
> (I use samba + cifs on a pair of machines and I have firewall rules to
> allow that _only_ on the vpn connecting the 2: e.g. NO CIFS connections
> on eth0/eth1 etc...)
>
> Simo.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
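To make the proposal being argued over concrete, here is an added example (not code from the thread, from Fedora, or from any initscript) of what a start/stop hook reading a firewall.conf could look like, written so that it answers Simo's interface question: every rule is bound to one interface, so a port can be opened on tun0 without touching eth0. The firewall.conf format (service, protocol, port, interface, one entry per line) and the sample entries are constructed for this example; the function only prints the iptables command lines it would run and never modifies the live firewall, so it can be read and tested safely.

```shell
#!/bin/sh
# Hypothetical firewall.conf format, constructed for this example:
#   service  proto  port  interface      (blank lines and '#' comments ignored)
# Each entry opens exactly one port on exactly one interface.
FW_CONF_SAMPLE='# service proto port  iface
httpd   tcp   80    eth0
httpd   tcp   443   eth0
smbd    tcp   445   tun0
sshd    tcp   22    eth1
'

# fw_rules SERVICE start|stop [CONF]
# Prints, one per line, the iptables command for each firewall.conf entry
# belonging to SERVICE: "-I" inserts an ACCEPT rule on start, "-D" deletes
# the identical rule on stop, so the rule set returns to its previous state.
# Returns 1 if the service has no entries, so a caller notices a typo.
# This function never executes iptables; it is a dry run by design.
fw_rules() {
    service=$1
    action=$2
    conf=${3:-/etc/firewall.conf}
    case "$action" in
        start) op='-I' ;;
        stop)  op='-D' ;;
        *) echo "usage: fw_rules SERVICE start|stop [CONF]" >&2; return 2 ;;
    esac
    found=0
    while read -r svc proto port iface; do
        # Skip blank lines and comments.
        case "$svc" in ''|'#'*) continue ;; esac
        [ "$svc" = "$service" ] || continue
        # Refuse entries that are missing a field rather than emit a rule
        # with an empty interface, which would match every interface.
        if [ -z "$proto" ] || [ -z "$port" ] || [ -z "$iface" ]; then
            echo "fw_rules: malformed entry for $svc in $conf" >&2
            return 2
        fi
        found=1
        echo "iptables $op INPUT -i $iface -p $proto --dport $port -j ACCEPT"
    done < "$conf"
    if [ "$found" -eq 1 ]; then
        return 0
    else
        return 1
    fi
}

# Stand-alone demo: write the constructed sample to a temp file and show
# what "service httpd start" would do to the firewall.
if [ -z "$FW_RULES_NO_DEMO" ]; then
    demo_conf=$(mktemp)
    printf '%s' "$FW_CONF_SAMPLE" > "$demo_conf"
    fw_rules httpd start "$demo_conf"
    rm -f "$demo_conf"
fi
```

Two practitioner caveats the thread raises and this layout makes visible: because the rule is inserted with `-I` it lands ahead of any existing REJECT/DROP rule, which is exactly the "poking holes" behaviour Simo objects to, and an admin who wants their deny rules to win would need to append instead (or not use such a hook at all); and binding each entry to an interface is what keeps an "open port 445" entry from exposing CIFS on eth0 when it was only ever meant for the VPN.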