On 10/7/14, 12:46 PM, Trevor Vaughan wrote:
> Interesting, thanks for getting back to me on this.
>
> I'm unfortunately not finding it now and perhaps it was just some
> future plans on the Fedora writeups for having various services be
> authorized to open holes in the firewall.

You're not crazy. I remember this messaging too.

> I still think that it's going to be amazingly difficult to verify
> automatically that you have a reasonably sane firewall configuration
> with FirewallD.
>
> Would it go something like:
>
> - Remove all default zones + make permanent
> - Insert trusted zone + make permanent
> - Add rules using whatever syntax-fu is appropriate + make permanent
> - Check (?) for validation where ? is one of: iptables-save, XML
>   files, something else...

Extending the "take system defaults" approach: while firewalld adds complication, the fact that it's the system default means firewalld will be written into RHCE exams (and thus is what people are trained on). Not writing guidance against it would be going against the grain.

As porting towards RHEL7 continues we can utilize the OVAL "criteria operators": if iptables, check X; if firewalld, check Y, akin to the PAM checks:
https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/accounts_password_pam_retry.xml#L13#L22

Perhaps the first cut will inherit/update IPTables, then add in criteria operators for firewalld in the second pass.

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
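The "if iptables check X; if firewalld check Y" idea from the reply above, sketched as an OVAL definition. This is an added illustration, not content from the thread or from the SCAP Security Guide project: it follows the `<def-group>` fragment layout that SSG's `shared/oval/` files use (the `ind:` and `linux:` prefixes are bound by the project's build, not declared here), but every id, title, file path and pattern below is a hypothetical choice made for this example. The top-level `criteria operator="OR"` is the same construct the linked `accounts_password_pam_retry.xml` uses to accept either pam_cracklib or pam_pwquality; here each branch is an `AND` of "this firewall implementation is present" and "its default policy denies inbound traffic".

```xml
<def-group>
  <!-- Hypothetical definition for illustration only (not an SSG rule). -->
  <definition class="compliance" id="firewall_default_deny_iptables_or_firewalld" version="1">
    <metadata>
      <title>Firewall default policy denies unsolicited inbound traffic</title>
      <affected family="unix">
        <platform>Red Hat Enterprise Linux 7</platform>
      </affected>
      <description>Passes when EITHER the saved iptables ruleset sets the INPUT
      chain policy to DROP, OR firewalld's configured default zone is 'drop'.</description>
    </metadata>
    <!-- OR: the host only has to satisfy one of the two branches. -->
    <criteria operator="OR">
      <!-- Branch 1: classic iptables service (iptables-services package). -->
      <criteria operator="AND" comment="iptables service in use">
        <criterion comment="iptables-services package installed"
                   test_ref="test_fw_example_iptables_services_installed" />
        <criterion comment="INPUT policy DROP in saved ruleset"
                   test_ref="test_fw_example_iptables_input_drop" />
      </criteria>
      <!-- Branch 2: firewalld. -->
      <criteria operator="AND" comment="firewalld in use">
        <criterion comment="firewalld package installed"
                   test_ref="test_fw_example_firewalld_installed" />
        <criterion comment="DefaultZone=drop in firewalld.conf"
                   test_ref="test_fw_example_firewalld_default_zone_drop" />
      </criteria>
    </criteria>
  </definition>

  <!-- Branch 1 tests: package present, and saved ruleset has INPUT DROP. -->
  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
      comment="iptables-services package is installed"
      id="test_fw_example_iptables_services_installed" version="1">
    <linux:object object_ref="obj_fw_example_iptables_services_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_fw_example_iptables_services_installed" version="1">
    <linux:name>iptables-services</linux:name>
  </linux:rpminfo_object>

  <ind:textfilecontent54_test check="all"
      comment="/etc/sysconfig/iptables sets INPUT chain policy to DROP"
      id="test_fw_example_iptables_input_drop" version="1">
    <ind:object object_ref="obj_fw_example_iptables_input_drop" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="obj_fw_example_iptables_input_drop" version="1">
    <ind:filepath>/etc/sysconfig/iptables</ind:filepath>
    <!-- iptables-save writes chain policies as ":INPUT DROP [pkts:bytes]". -->
    <ind:pattern operation="pattern match">^:INPUT DROP \[\d+:\d+\]$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>

  <!-- Branch 2 tests: package present, and firewalld.conf default zone is drop. -->
  <linux:rpminfo_test check="all" check_existence="at_least_one_exists"
      comment="firewalld package is installed"
      id="test_fw_example_firewalld_installed" version="1">
    <linux:object object_ref="obj_fw_example_firewalld_installed" />
  </linux:rpminfo_test>
  <linux:rpminfo_object id="obj_fw_example_firewalld_installed" version="1">
    <linux:name>firewalld</linux:name>
  </linux:rpminfo_object>

  <ind:textfilecontent54_test check="all"
      comment="/etc/firewalld/firewalld.conf sets DefaultZone to drop"
      id="test_fw_example_firewalld_default_zone_drop" version="1">
    <ind:object object_ref="obj_fw_example_firewalld_default_zone_drop" />
  </ind:textfilecontent54_test>
  <ind:textfilecontent54_object id="obj_fw_example_firewalld_default_zone_drop" version="1">
    <ind:filepath>/etc/firewalld/firewalld.conf</ind:filepath>
    <ind:pattern operation="pattern match">^DefaultZone=drop$</ind:pattern>
    <ind:instance datatype="int">1</ind:instance>
  </ind:textfilecontent54_object>
</def-group>
```

Two caveats a reviewer would raise on a real rule of this shape. First, "package installed" is a weak discriminator: a host can have both packages present, so a production rule would gate each branch on the service actually being enabled (SSG already has reusable service-enabled definitions that could be pulled in with `extend_definition`). Second, this checks the persisted configuration only; it says nothing about the running ruleset or runtime-only firewalld changes, which is exactly the validation gap the quoted message worries about, and a separate check over `iptables-save` output or the zone XML files would be needed to close it.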
