[Mageia-sysadm] Installing firewall
Eric Elena
eric.elena at telecom-paristech.org
Sat Nov 13 00:04:35 CET 2010
Le vendredi 12 novembre 2010 à 23:05 +0100, Olivier Thauvin a écrit :
> * nicolas vigier (boklm at mars-attacks.org) wrote:
> > Hello,
> >
> > The Mageia packages repository will be stored on valstar. As the
> > repository will be needed on build nodes, it will have to be either
> > mirrored or mounted via nfs (readonly). If we use nfs, I think we should
> > first setup a firewall before installing the nfs server. A firewall
> > would also be useful to filter connections to the pgsql/mysql servers,
> > to the build nodes, etc ...
> >
> > I suggest using shorewall to manage the firewall configuration. Any
> > comment about this ?
>
> I saw you mostly wrote the shorewall, however, I don't like myself
> shroewall. Shorewall is nothing more than a set of scripts over iptables
> and I think it add a useless complexity over this last one.
>
> I widelly prefer to use directly iptables. I believe we are experienced
> enough to write iptables rules ourself.
>
> >
> > I plan to write a shorewall module in puppet, test it on jonund first,
> > without installing shorewall (only writting the config files), then
> > install shorewall on jonund, and if we didn't lose access to jonund
> > install it on other nodes.
>
> Playing with firewall on computer we can access only by network, woot !
It's safe to play with a remote firewall ... as long as you don't forget
to add a cron job to disable the firewall in case of trouble :) Even if
there is something wrong with the configuration, downtime will be just a
few minutes.
There is also the tmux (screen) solution: create a new window, sleep XX
&& disable firewall. But I don't think tmux is shipped by default.
My 10 KRW,
Eric
> I think access control can be done w/o using iptables.
>
> My 2 cents.
>
> >
> > Nicolas
More information about the Mageia-sysadm
mailing list