[Mageia-sysadm] Installing firewall

Michael Scherer misc at zarb.org
Mon Nov 15 01:45:34 CET 2010 

Le samedi 13 novembre 2010 à 01:12 +0100, nicolas vigier a écrit :
> On Fri, 12 Nov 2010, Olivier Thauvin wrote:
> 
> > * nicolas vigier (boklm at mars-attacks.org) wrote:
> > > Hello,
> > > 
> > > The Mageia packages repository will be stored on valstar. As the
> > > repository will be needed on build nodes, it will have to be either
> > > mirrored or mounted via nfs (readonly). If we use nfs, I think we should
> > > first setup a firewall before installing the nfs server. A firewall
> > > would also be useful to filter connections to the pgsql/mysql servers,
> > > to the build nodes, etc ...
> > > 
> > > I suggest using shorewall to manage the firewall configuration. Any
> > > comment about this ?
> > 
> > I saw you mostly wrote the shorewall, however, I don't like myself
> > shroewall. Shorewall is nothing more than a set of scripts over iptables
> > and I think it add a useless complexity over this last one.
> > 
> > I widelly prefer to use directly iptables. I believe we are experienced
> > enough to write iptables rules ourself.
> 
> For me, using shorewall is much more simple than writting iptables
> rules directly. I always forget iptables parameters, while shorewall
> rules are very simple. I don't know if managing iptables rules in puppet
> for different hosts would be as simple.

I also prefer iptables, but on the other hand, I can understand people
do not like it. I always found that firewall script lacked some form of
abstractions, and there is usually lots of cut and paste everywhere
( not to mention the use of bash ).

So I would go for shorewall too.

> > 
> > > 
> > > I plan to write a shorewall module in puppet, test it on jonund first,
> > > without installing shorewall (only writting the config files), then
> > > install shorewall on jonund, and if we didn't lose access to jonund
> > > install it on other nodes.
> > 
> > Playing with firewall on computer we can access only by network, woot !
> > 
> > I think access control can be done w/o using iptables.
> 
> Some programs provide access control, but not all, and it is often more
> limited than what you can do with a firewall. It can also be more
> vulnerable in case of security issue in one of the services. So I think
> using a firewall might be better. Especially for build nodes where we
> don't know exactly what services will be installed in the chroot and
> maybe running during the builds.

We can have both. Ie firewall and access control. 

-- 
Michael Scherer

More information about the Mageia-sysadm mailing list