[Mageia-sysadm] Installing firewall
nicolas vigier
boklm at mars-attacks.org
Sat Nov 13 01:12:33 CET 2010
On Fri, 12 Nov 2010, Olivier Thauvin wrote:
> * nicolas vigier (boklm at mars-attacks.org) wrote:
> > Hello,
> >
> > The Mageia packages repository will be stored on valstar. As the
> > repository will be needed on build nodes, it will have to be either
> > mirrored or mounted via nfs (readonly). If we use nfs, I think we should
> > first setup a firewall before installing the nfs server. A firewall
> > would also be useful to filter connections to the pgsql/mysql servers,
> > to the build nodes, etc ...
> >
> > I suggest using shorewall to manage the firewall configuration. Any
> > comment about this ?
>
> I saw you mostly wrote the shorewall, however, I don't like myself
> shorewall. Shorewall is nothing more than a set of scripts over iptables
> and I think it adds a useless complexity over this last one.
>
> I widely prefer to use directly iptables. I believe we are experienced
> enough to write iptables rules ourselves.
For me, using shorewall is much more simple than writing iptables
rules directly. I always forget iptables parameters, while shorewall
rules are very simple. I don't know if managing iptables rules in puppet
for different hosts would be as simple.
>
> >
> > I plan to write a shorewall module in puppet, test it on jonund first,
> > without installing shorewall (only writting the config files), then
> > install shorewall on jonund, and if we didn't lose access to jonund
> > install it on other nodes.
>
> Playing with firewall on computer we can access only by network, woot !
>
> I think access control can be done w/o using iptables.
Some programs provide access control, but not all, and it is often more
limited than what you can do with a firewall. It can also be more
vulnerable in case of security issue in one of the services. So I think
using a firewall might be better. Especially for build nodes where we
don't know exactly what services will be installed in the chroot and
maybe running during the builds.
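As an added illustration (not from this thread and not the actual Mageia sysadmin configuration), this is the kind of shorewall setup the proposal above amounts to on the repository host: a separate zone for the build nodes so that NFS and the database ports are reachable only from them, SSH open to everyone, everything else dropped and logged. The interface name and the build-node subnet are assumptions; the firewall zone, `$FW`, is shorewall's own name for the host itself.

```text
# /etc/shorewall/zones  (sub-zone "build" is listed before its parent "net",
# because shorewall matches zones in the order they are declared here)
#ZONE   TYPE
fw      firewall
build   ipv4
net     ipv4

# /etc/shorewall/interfaces  (assumed interface name)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      nosmurfs,tcpflags

# /etc/shorewall/hosts  (assumed build-node subnet)
#ZONE   HOST(S)
build   eth0:10.0.0.0/24

# /etc/shorewall/policy  (consulted only when no line in rules matched)
#SOURCE   DEST   POLICY   LOG LEVEL
$FW       all    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION       SOURCE   DEST   PROTO   DEST PORT(S)
SSH(ACCEPT)   net      $FW
ACCEPT        build    $FW    tcp     111,2049   # rpcbind + nfsd
ACCEPT        build    $FW    udp     111,2049
ACCEPT        build    $FW    tcp     5432       # PostgreSQL
ACCEPT        build    $FW    tcp     3306       # MySQL
```

Two practical caveats. With NFSv3, mountd, lockd and statd pick random ports unless they are pinned in the NFS server configuration, so either pin them and add those ports, or serve NFSv4 only, which needs nothing beyond 2049. And for the "playing with a firewall on a machine we only reach over the network" worry: `shorewall check` validates the files without loading them, and `shorewall try <dir> <seconds>` loads a candidate configuration directory and falls back to the previously running one after the timeout, so a rule that locks you out of the host undoes itself.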