[Freeipa-users] firewalld management

Dmitri Pal dpal at redhat.com
Fri Jan 2 19:07:47 UTC 2015


On 01/01/2015 07:49 PM, Rob Crittenden wrote:
> Andrew Holway wrote:
>> This would perhaps be a very interesting addition to the HBAC stuff.
>> We're considering deploying freeipa on EC2 and LDAP backed firewalld
>> would be a very powerful tool for a geographically distributed system.
> There is an existing open ticket for this request,
> https://fedorahosted.org/freeipa/ticket/2110
>
> A user contributed an initial design a few months ago,
> http://www.freeipa.org/page/V4/Firewall_Configuration
>
> Definitely a desirable feature, just a matter of scheduling it.

It seems that the use cases are a bit different.
The ticket talks about the IPA server firewall configuration.
The thread seems to talk about the clients. I do not think we have a 
ticket for that.
The question seems to be: is IPA the right place to store and manage 
firewall rules centrally?
How would they be enforced?
Is it a one time configuration at the client installation or real time 
enforcement of the specific configuration via SSSD or something else?
We start to bridge into the SCAP area. Is this the right direction to go?
I have doubts...

Comments welcome!

>
> rob
>
>>
>> On 31 December 2014 at 16:56, Jorick Astrego <j.astrego at netbulae.eu
>> <mailto:j.astrego at netbulae.eu>> wrote:
>>
>>      Hi,
>>
>>      FreeIPA is great! One thing I'm missing though is management of
>>      firewalld services and ports.
>>
>>      Is that something that would fit in FreeIPA?
>>
>>      Currently we are using puppet scripts through katello/the foreman, but
>>      as this is very error prone we'd like to have it centrally managed a
>>      different way.
>>
>>      The firewall rules are very essential IMHO and I thought the whole
>>      point of firewalld is to make it more manageable...
>>
>>      I already asked the katello guys but they don't appear very interested
>>      in implementing something there, then I started thinking it would maybe
>>      fit a lot better in freeIPA as it has more overlap with the other
>>      network/authentication stuff.
>>
>>      It would be wasteful to have another project just for firewalld
>>      management.
>>
>>      Happy new year everybody!
>>
>>      Jorick
>>
>>      With kind regards,
>>
>>      Jorick Astrego
>>
>>      Netbulae Virtualization Experts
>>      ------------------------------------------------------------------------
>>      Tel: 053 20 30 270    info at netbulae.eu <mailto:info at netbulae.eu>
>>      Fax: 053 20 30 271    www.netbulae.eu <http://www.netbulae.eu>
>>      Staalsteden 4-3A      KvK 08198180
>>      7547 TA Enschede      BTW NL821234584B01
>>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.