> On Monday, 20.08.2007, 12:54 -0400, Simo Sorce wrote:
>> On Mon, 2007-08-20 at 12:40 -0400, Jeremy Katz wrote:
>>> On Mon, 2007-08-20 at 16:20 +0000, "Jóhann B. Guðmundsson" wrote:
>>>> Any thoughts on implementing automatic port opening for services
>>>> that need to open port access in the firewall,
>>>> as in when a service is started that needs port opening it would
>>>> automatically read some firewall.conf
>>>> file for that and open the port automatically according to those
>>>> settings in the firewall.conf file
>>>> ( add the iptables rules automatically when the service is started
>>>> and remove those rules when the service is stopped )
>>>>
>>>> Doing chkconfig service or service service start/stop and it would also
>>>> open the port for that service in the firewall
>>>
>>> I think it's a great idea and would go a long way towards making things
>>> more usable. One of the questions is do you do the firewall change on
>>> service start/stop or at chkconfig time. And I'm a little bit torn on
>>> that one. chkconfig time makes it "simpler" as far as not requiring
>>> initscript changes. start/stop seems like it's probably more "correct",
>>> but would then require initscripts to call a new function on start/stop
>>
>> Why should it be "more correct" to do it at start/stop?
>> It seems more correct to do it at chkconfig, so that even if you stop the
>> service, iptables -Lv will show you what is the "normal" firewall
>> situation.
>>
>> Letting services poke holes in the firewall is not something admins will
>> really love; if I set a rule to block traffic for a certain service I
>> _really_ mean it and I don't want to have to change the init scripts or
>> have to reapply the rule each time I start/stop a service.
>
> No, in fact I would hate it with a vengeance.
>
> If I have an apache server listening for traffic, that doesn't mean I
> want people outside my network connecting to it; nor do I want people
> connecting to my ssh server.
>
> Why not just disable the firewall altogether? That would have the effect
> you are looking for: all services that are running can accept connections.
>
> I run custom firewall rules. If you can get this idea to play nicely with
> my custom script, and with Shorewall setups, and with s-c-securitylevel,
> go for it. But I'm highly sceptical. If installing squid blows up my
> custom firewall settings, I'm getting out my pitchfork. :)
>
>> Simo.
>
> --
> novus ordo absurdum

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
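An added example of the start/stop hook sketched in the quoted proposal, written for this page; it is not code from Fedora, the initscripts package or any of the posters. Everything beyond the thread is an assumption: the firewall.conf format (one "service proto port" line per rule, constructed inline here), the dedicated chain name SERVICE_PORTS, and the dry-run default that prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Start/stop firewall hook of the kind proposed in the thread (added example,
# not Fedora or initscripts code). Assumptions, all hypothetical:
#   - a config file with one "service proto port" line per rule;
#   - a dedicated chain SERVICE_PORTS that the admin's own ruleset decides
#     whether to jump to, so this hook never edits admin-written rules;
#   - IPTABLES unset means dry run: commands are printed, not executed.

CHAIN="SERVICE_PORTS"

# Dry-run backend: print the iptables command instead of running it.
# Export IPTABLES=/sbin/iptables to apply the rules for real.
dry_run() { printf 'iptables %s\n' "$*"; }
IPTABLES="${IPTABLES:-dry_run}"

# Constructed sample config for the example (not a real system file).
FWCONF="$(mktemp)"
trap 'rm -f "$FWCONF"' EXIT
cat >"$FWCONF" <<'EOF'
# service   proto   port
httpd       tcp     80
httpd       tcp     443
sshd        tcp     22
EOF

# Print "proto port" for every rule configured for service $1.
# Comment lines and lines with fewer than three fields are skipped.
fw_rules_for() {
    awk -v s="$1" '/^[[:space:]]*#/ { next } NF < 3 { next } $1 == s { print $2, $3 }' "$FWCONF"
}

# Emit one iptables argument line per rule of service $1; $2 is -I (open)
# or -D (close). Rules only ever touch $CHAIN, never the admin's chains.
fw_rule_args() {
    fw_rules_for "$1" | while read -r proto port; do
        printf '%s %s -p %s --dport %s -j ACCEPT\n' "$2" "$CHAIN" "$proto" "$port"
    done
}

# Run each argument line through $IPTABLES (real binary or dry_run).
fw_apply() {
    fw_rule_args "$1" "$2" | while read -r args; do
        # shellcheck disable=SC2086 -- splitting $args into words is intended
        $IPTABLES $args
    done
}

# Hooks an initscript would call from its start() and stop() functions.
fw_open()  { fw_apply "$1" -I; }
fw_close() { fw_apply "$1" -D; }

# Stand-alone demo: "service httpd start" followed by "service httpd stop".
fw_open httpd
fw_close httpd
```

Keeping the hook confined to its own chain is what makes the objections in the thread tractable: an admin running a custom script, Shorewall or s-c-securitylevel decides whether INPUT ever jumps to SERVICE_PORTS, and if it never does, installing or starting squid opens nothing. The chkconfig-time variant Simo prefers would call the same fw_open/fw_close from chkconfig rather than from the initscript. One caveat a practitioner should note: `-I` inserts unconditionally, so starting a service twice without a stop leaves a duplicate rule that a single `-D` does not remove; newer iptables versions can guard the insert with `iptables -C`, which did not exist at the time of this thread.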