From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2010-November/000520.html | 112 ++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2010-November/000520.html (limited to 'zarb-ml/mageia-sysadm/2010-November/000520.html') diff --git a/zarb-ml/mageia-sysadm/2010-November/000520.html b/zarb-ml/mageia-sysadm/2010-November/000520.html new file mode 100644 index 000000000..0851b2fec --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000520.html @@ -0,0 +1,112 @@ + + + + [Mageia-sysadm] Installing firewall + + + + + + + + + +

[Mageia-sysadm] Installing firewall

+ Eric Elena + eric.elena at telecom-paristech.org +
+ Sat Nov 13 00:04:35 CET 2010 +

+
+ +
Le vendredi 12 novembre 2010 à 23:05 +0100, Olivier Thauvin a écrit :
+> * nicolas vigier (boklm at mars-attacks.org) wrote:
+> > Hello,
+> > 
+> > The Mageia packages repository will be stored on valstar. As the
+> > repository will be needed on build nodes, it will have to be either
+> > mirrored or mounted via nfs (readonly). If we use nfs, I think we should
+> > first setup a firewall before installing the nfs server. A firewall
+> > would also be useful to filter connections to the pgsql/mysql servers,
+> > to the build nodes, etc ...
+> > 
+> > I suggest using shorewall to manage the firewall configuration. Any
+> > comment about this ?
+> 
+> I saw you mostly wrote the shorewall, however, I don't like myself
+> shroewall. Shorewall is nothing more than a set of scripts over iptables
+> and I think it add a useless complexity over this last one.
+> 
+> I widelly prefer to use directly iptables. I believe we are experienced
+> enough to write iptables rules ourself.
+> 
+> > 
+> > I plan to write a shorewall module in puppet, test it on jonund first,
+> > without installing shorewall (only writting the config files), then
+> > install shorewall on jonund, and if we didn't lose access to jonund
+> > install it on other nodes.
+> 
+> Playing with firewall on computer we can access only by network, woot !
+
+It's safe to play with a remote firewall ... as long as you don't forget
+to add a cron job to disable the firewall in case of trouble :) Even if
+there is something wrong with the configuration, downtime will be just a
+few minutes.
+There is also the tmux (screen) solution: create a new window, sleep XX
+&& disable firewall. But I don't think tmux is shipped by default.
+
+My 10 KRW,
+
+Eric
+
+> I think access control can be done w/o using iptables.
+> 
+> My 2 cents.
+> 
+> > 
+> > Nicolas
+
+
+
+
+ + + + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+
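
Review bot: the sender block at the top of the added 000520.html and the quoted attribution line below it publish posters' addresses in the "user at domain" form (eric.elena at telecom-paristech.org, boklm at mars-attacks.org), which an address harvester can reverse with a single substitution once the file is reachable through the repository's web view. If these archives are meant to stay public, consider masking the domain part in an import step before committing. The same file also names internal hosts and their planned roles (valstar for the package repository and NFS, jonund as the firewall test node), so it is worth confirming that the sysadm list archive was already public before it goes into a browsable repository. The commit message is only the subject line "Add zarb MLs html archives"; a body stating where the HTML came from and whether it was modified on import would make this 112-line generated file easier to audit later.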