Services automatically change firewall rules to open access to themselves.

Andrew Bartlett abartlet at samba.org
Thu Aug 23 05:17:30 UTC 2007


On Mon, 2007-08-20 at 12:54 -0400, Simo Sorce wrote:
> On Mon, 2007-08-20 at 12:40 -0400, Jeremy Katz wrote:
> > On Mon, 2007-08-20 at 16:20 +0000, "Jóhann B. Guðmundsson" wrote:
> > > Any thoughts on implementing automatic port opening for services 
> > > that need to open port access in the firewall,
> > > as in when a service is started that needs port opening it would 
> > > automatically read some firewall.conf
> > > file for that and open the port automatically according to those 
> > > settings in the firewall.conf file
> > > ( add the iptables rules automatically when the service is started and 
> > > remove those rules when the service is stopped ).
> > > 
> > > Doing chkconfig service or service service start/stop and it would also 
> > > open the port for that service in the firewall
> > 
> > I think it's a great idea and would go a long way towards making things
> > more usable.  One of the questions is do you do the firewall change on
> > service start/stop or at chkconfig time.  And I'm a little bit torn on
> > that one.  chkconfig time makes it "simpler" as far as not requiring
> > initscript changes.  start/stop seems like it's probably more "correct",
> > but would then require initscripts to call a new function on start/stop
> 
> Why should it be "more correct" to do it at start/stop ?
> It seems more correct to do it at chkconfig, so that even if you stop the
> service, iptables -Lv will show you what the "normal" firewall
> situation is.
> 
> Letting services poke holes in the firewall is not something admins will
> really love; if I set a rule to block traffic for a certain service I
> _really_ mean it and I don't want to have to change the init scripts or
> have to reapply the rule each time I start/stop a service.

I was just going to file this as a bug, but I wanted to raise it here
first:  NIS doesn't work with the default Fedora firewall.  If I turn
off the firewall, NIS starts to behave.

Is this intended (per the 'don't mess with my firewall' thoughts), or a
bug I should file?

(The problem is particularly around broadcast packets, so this might be
more like the Samba netbios name resolution issue we had, till an
iptables module was written).

Thoughts?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
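The start/stop hook proposed at the top of the thread, written so that it addresses Simo's objection, as an added example that is not code from any poster: the hook only ever adds or deletes ACCEPT rules in a dedicated chain, and the admin decides where INPUT jumps to that chain (after their own DROP rules), so a hole a service opens cannot override a rule the admin explicitly set. The config path, the "proto port" file format and the chain name SERVICE_PORTS are assumptions.

```shell
#!/bin/sh
# Added example, not from any poster in this thread. A start/stop firewall
# hook an initscript could call. Assumptions: one "proto port" pair per line
# in an assumed per-service file, and an assumed chain SERVICE_PORTS that the
# admin's own INPUT rules jump to AFTER their explicit DROP rules, so a hole
# a service opens can never override a rule the admin "really means".

IPTABLES="${IPTABLES:-iptables}"   # point at a logging function for a dry run
CHAIN="${CHAIN:-SERVICE_PORTS}"    # assumed chain name; the hook never edits INPUT itself

# firewall_rules open|close <conf>: add (-A) or delete (-D) one ACCEPT rule per
# valid line in <conf>. Lines that are not "tcp|udp <1-65535>" are skipped with
# a message, so a malformed config cannot turn into a broader rule than intended.
firewall_rules() {
    action="$1" conf="$2"
    case "$action" in
        open)  op=-A ;;
        close) op=-D ;;
        *)     echo "usage: firewall_rules open|close <conf>" >&2; return 2 ;;
    esac
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    while read -r proto port _; do
        case "$proto" in ''|'#'*) continue ;; esac          # blank line or comment
        case "$proto" in tcp|udp) ;;
            *) echo "skip: unsupported proto '$proto'" >&2; continue ;; esac
        case "$port" in ''|*[!0-9]*) echo "skip: bad port '$port'" >&2; continue ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "skip: port out of range '$port'" >&2; continue
        fi
        # Only the dedicated chain is touched; a missing rule on close is a warning, not a failure.
        "$IPTABLES" "$op" "$CHAIN" -p "$proto" --dport "$port" -j ACCEPT \
            || echo "warn: $IPTABLES $op failed for $proto/$port" >&2
    done < "$conf"
}

# Typical initscript use (assumed path and service name):
#   start) daemon ypbind && firewall_rules open  /etc/sysconfig/firewall.d/ypbind.conf ;;
#   stop)  killproc ypbind; firewall_rules close /etc/sysconfig/firewall.d/ypbind.conf ;;
```

Doing the same work at chkconfig time, as Simo prefers, only changes who calls `firewall_rules`; the chain-placement rule is what keeps the admin's explicit blocks in charge either way.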