On Tue, 11 Jan 2005 00:04:34 -0800, "tuxxer" <tuxxer@xxxxxxx> said:

> > - You might also want to mention the role of the built-in firewall -
> > even enabled services like SSH are effectively closed unless the
> > administrator alters the default firewall settings.
>
> I use Firestarter, so I need to do some playing around with this
> before I can speak intelligently about it.

It's extremely basic, which is good for simple configurations. I don't know what RH would recommend for routers and more complex setups - I use shorewall.

The only quirks with the built-in firewall config that I can think of are a) it automatically allows inbound traffic for mDNS and UDP 631 (CUPS browsing ?), b) the manual install process doesn't expose all of the functionality - trusted interfaces and allowing arbitrary port numbers become post-installation tasks.

> > You might want to consider the role of Installation Types here - the
> > user can pick an Installation Type and then customise the package groups
> > (which ties in with role selection in 1.2). Anaconda essentially
> > mandates certain packages, so you don't really get the flexibility that
> > you mention. Even using the "Minimal" package group will install
> > sendmail, CUPS, SSH and NFS (and mDNS on FC3, I think).
>
> Mentioned. Could probably do more here, so I will look into adding more
> detail. I think I really need to do some experimentation, but don't
> have the facilities at the moment.

FWIW, the relevant sections of the draft Installation Guide are complete. If you can't find relevant information there then feel free to ask. I've installed FC rather a lot already... and have more or less beaten VMWare into submission, so testing configurations is now a bit less onerous too.

> > Strictly IMHO, disabling service accounts is often excessive and causes
> > a maintenance problem. They can't login locally, and you can easily
> > block remote logins (see above).
>
> Rahul mentioned something along these lines. Does anyone know for sure
> if you remove a certain service that the user for that service is
> removed as well? I don't remember for sure, but I believe that the user
> remains.

I believe so too, but haven't checked. Removal definitely leaves the configuration files behind.

> > Section 4.2)
> >
> > "Then, either reboot your system, or issue the command pkill -1 sshd.
> > The pkill command will force sshd to re-read its configuration file.
> > This will force users to login as a normal user account and then su to
> > root, or utilize sudo."
>
> However, I think that it might be valuable to kill existing connections
> (assuming that you have multiple users, which I think I touched on in
> the scope and intended audience). If you have someone "unwanted" logged
> on while you're making changes, booting them might be handy. Admittedly,
> it's unlikely, however, possible. I think I'll mention both, with a caveat.

It might be worth putting something as a general point at the start of the document - warning the reader to try not to allow network connections whilst carrying out lockdown, and advising that config changes will not affect existing connections.

> The "general points" are valid, but may require
> some "re-engineering" of the doc in its entirety, so I'll save that for
> another time when I have a little more time to dedicate to it. I've
> commented where I was able to make "quick changes".

OK. I'll bear that in mind when I look at it again. Thanks for being a good sport about us bystanders picking holes in your doc.

--
Stuart Ellis
s.ellis@xxxxxxxxxxxxxx