[CentOS] PostgreSQL port accessible even though it should be blocked by firewall
Frank Thommen
list.centos at drosera.ch
Thu Nov 1 12:48:37 UTC 2018
- Next message: [CentOS] Video from the CentOS Dojo at CERN now available
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 31/10/18 18:32, Gordon Messmer wrote:
> On 10/30/18 8:31 AM, Frank Thommen wrote:
>> I am still puzzled that it is possible to circumvent firewalld so
>> easily. Basically it means that firewalld is not to be trusted as
>> soon as containers with port forwarding are running on a system.
>
> It's hard to see this as a security or trust problem. The root user can
> modify the firewall, which is provided by the kernel. firewalld is just
> a front-end. Adding rules to the kernel's firewall is not
> "circumventing" the management front-end.
>
> You do have to bear in mind that the firewall-cmd output reflects the
> *configuration* and not the *state*. When docker adds rules, it
> modifies the state, but not the configuration.

I see that (= have learned that :-) now, but for me it means that firewall-cmd is not to be trusted (even though it is the recommended tool to manage the local firewall). I'll have to go back and try to understand confusing and hard-to-understand iptables output. :-(
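Added illustration of the configuration-versus-state point made in this exchange (this is not part of the thread and not output from anyone's host). It parses a constructed `iptables -t nat -S` listing in which firewalld's own chain sits next to a Docker `DOCKER` chain that DNATs port 5432 into a container, and reports the ports the kernel will actually forward, which `firewall-cmd --list-ports` would not show. The listing, the chain names and the container address are assumptions made up for the example; on a real host the same function can be fed the live listing as noted in the comment.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S` on a host running firewalld
# (iptables backend, PRE_public chain) plus a container that publishes
# TCP 5432. This is invented for the example, not a captured listing.
SAMPLE_NAT_RULES='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-N PRE_public
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -i eth0 -j PRE_public
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432'

# docker_published_ports LISTING
# Prints "proto:port->destination" for every DNAT rule in the DOCKER chain.
# These rules live only in the kernel state; firewalld's configuration
# (what firewall-cmd reports) knows nothing about them.
docker_published_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "DOCKER" && / -j DNAT / {
            proto = ""; port = ""; dest = "";
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1);
                if ($i == "--dport") port = $(i + 1);
                if ($i == "--to-destination") dest = $(i + 1);
            }
            if (port != "") print proto ":" port "->" dest;
        }'
}

# port_is_forwarded PORT LISTING
# Succeeds if TCP PORT is forwarded into a container by a DOCKER DNAT rule.
port_is_forwarded() {
    docker_published_ports "$2" | grep -q "^tcp:$1->"
}

# On a live host, read the kernel state rather than firewalld's config:
#   docker_published_ports "$(iptables -t nat -S)"
docker_published_ports "$SAMPLE_NAT_RULES"
```

Comparing this output with `firewall-cmd --list-ports` for the same zone is a quick way to spot ports that are reachable because a container published them, even though the firewalld configuration never opened them.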