[CentOS] firewall?

Sat Jul 16 20:38:27 UTC 2011
Markus Falb <markus.falb at fasel.at>

On 16.7.2011 19:37, Ljubomir Ljubojevic wrote:
> Markus Falb wrote:
>> On 16.7.2011 19:03, Ljubomir Ljubojevic wrote:
>>
>>> All firewalls (on Linux at least) are by default closed, and you need 
>>> knowledge to punch through the holes for your public services.
>>
>> This is complete nonsense! You are free to configure a default policy of
>> accept and forbid only selected services.
>>
> 
> Please do not pull sentences out of context. Keith wrote:
> 
>  > Which is why one poster mentioned that you need to be
>  > familiar with IPtables and Networking before trying to make
>  > your machine(s) network(s) secure?
> 
> and I replied in the sense that he only needs to turn his firewall ON to 
> be secure. "by default" means exactly that, I was not writing about you 
> being able to change *default* configuration!
> 
> If you turn the firewall ON (in the GUI for example, and especially in 
> RHEL/CentOS), without any allowed service, your system/network will be 
> protected. If you do allow some services, the rest of the services on 
> your system/network will be protected.

So now you are talking about turning the firewall on yourself manually (in
the GUI, for example)? Uh, not my definition of default.

Anyway, the problem here might be that the term "default" is overloaded. You
were talking of defaults in Linux firewalls generally. Now you are
talking about the default behaviour of some tools not further specified. I
remember third-party tools like shorewall being mentioned, and there
exist others like fwbuilder and possibly others that you and I have never
heard of, possibly with unheard-of default settings. But you could also
refer to a "default install". With respect to RHEL/CentOS you are then
talking about anaconda only.

With anaconda one can easily miss enabling the firewall. One could get one's
hands on an already installed system. Imagine there is no iptables installed.
How do you activate the firewall? Something like this?

# yum install iptables
# service iptables start

What do you have now? Nothing. Default policies (finally we have another
meaning of default) of ACCEPT and no rules. One has to write the rules
oneself. No defaults.

-- 
Kind Regards, Markus Falb

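The "nothing" state Markus describes above (policies ACCEPT, no rules, right after `yum install iptables; service iptables start`), as an added example that is not part of the thread: a small POSIX shell audit that reads `iptables -S` output and flags a built-in chain whose default policy is ACCEPT with no rules at all. It runs here over two constructed sample rulesets, the empty one and a hand-written baseline (default DROP inbound, allow loopback, established flows and SSH). `live_audit` and `apply_baseline` are assumed helper names; they need root on a real box and are not exercised here.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Audits an `iptables -S` ruleset and reports the state the post describes:
# default policy ACCEPT on INPUT/FORWARD with no rules, i.e. wide open.

# Constructed sample: what `iptables -S` prints right after
#   yum install iptables; service iptables start
# on a host with no saved rules. Policies are ACCEPT, nothing else.
EMPTY_RULESET='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Constructed sample: a hand-written baseline (default DROP for inbound and
# forwarded traffic; allow loopback, established flows and SSH).
BASELINE_RULESET='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# audit_ruleset: read `iptables -S` output on stdin and print one line per
# built-in chain, "<chain> policy=<POLICY> rules=<n>". Exit status is 1 if
# INPUT or FORWARD has policy ACCEPT and no rules at all, 0 otherwise.
audit_ruleset() {
    awk '
        $1 == "-P" { policy[$2] = $3; rules[$2] += 0; order[++n] = $2 }
        $1 == "-A" { rules[$2]++ }
        END {
            open = 0
            for (i = 1; i <= n; i++) {
                c = order[i]
                printf "%s policy=%s rules=%d\n", c, policy[c], rules[c]
                if ((c == "INPUT" || c == "FORWARD") && policy[c] == "ACCEPT" && rules[c] == 0)
                    open = 1
            }
            exit open
        }'
}

# live_audit (assumed helper): the same check against the running kernel.
# Needs root.
live_audit() {
    iptables -S | audit_ruleset
}

# apply_baseline (assumed helper): load the baseline above into the filter
# table. Needs root. Order matters: add the SSH allow rule before flipping
# INPUT to DROP, or a remote session is cut off.
apply_baseline() {
    iptables -F INPUT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
}

# Demo on the constructed samples (no root needed).
printf '%s\n' "$EMPTY_RULESET" | audit_ruleset \
    || echo "empty ruleset: OPEN (default ACCEPT, no rules)"
printf '%s\n' "$BASELINE_RULESET" | audit_ruleset \
    && echo "baseline ruleset: not open"
```

On the RHEL/CentOS releases of that time, rules loaded this way live only in the kernel; `service iptables save` writes them to /etc/sysconfig/iptables so that `service iptables start` restores them on the next boot instead of coming up with the empty ACCEPT policies again.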