On 15.11.2012 19:37, Kevin Fenzi wrote:
>>> Have you actually _tried_? It's supposed to be as easy as
>>> s/iptables/firewall-cmd --direct --passthrough ipv4/
>>>
>>> I don't know for a fact whether it is good enough. You seem to
>>> have a script that could tell us.
>>
>> i posted a script earlier this day as .txt file with
>> masked network details, but it did not go through list
>> moderation AFAIK until now
>
> Everyone on this list doesn't need a copy of your (lengthy) iptables
> script, IMHO.
>
> Perhaps the two of you could continue this off line and test and report
> back to the list?

your argumentation is NOT helpful

i can NOT test an iptables.sh replacement for a whole INFRASTRUCTURE
i can NOT post an unmasked version with ip-addresses and hostnames
i can NOT simulate a whole network with around 100 machines

even if i could do all this, it would be VERY difficult to RE-AUDIT the whole configuration and security-layers which are hard to explain because usually infrastructure and network-segments you want to isolate in both directions are growing over years and not there at once

and this is why REMOVING iptables.service would cause A LOT of work and auditing while you risk security troubles while you are working on this for a more or less non-existing benefit

this is why it would be NOT a good idea to remove "iptables.service"

some of these setups are hundreds of kilometers away
the "iptables.sh" there is the ROUTER
you can not test this remotely because if you make a small mistake you have lost the game and the remote network is down and having lights-out-management everywhere is a nice wish but in reality you do NOT want LOM exposed to the internet, so it is BEHIND these iptables-setups you play around with

REALLY: there is nothing more i can say to this topic

it is not my decision if people drop iptables.service and make a big waste of resources and security while doing this all over the world - but people should keep in mind what damage they are doing if acting this way

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel