----- Original Message -----
> From: "Shawn Wells" <[email protected]>
> To: [email protected]
> Sent: Tuesday, October 7, 2014 11:48:36 PM
> Subject: Re: (RHEL7) IPTables vs FirewallD
>
> On 10/7/14, 12:46 PM, Trevor Vaughan wrote:
> > Interesting, thanks for getting back to me on this.
> >
> > I'm unfortunately not finding it now and perhaps it was just some
> > future plans on the Fedora writeups for having various services be
> > authorized to open holes in the firewall.
>
> You're not crazy. I remember this messaging too.

Got any pointers (read as exact message form) we could investigate further?

> > I still think that it's going to be amazingly difficult to verify
> > automatically that you have a reasonably sane firewall configuration
> > with FirewallD.
> >
> > Would it go something like:
> >
> > - Remove all default zones + make permanent
> > - Insert trusted zone + make permanent
> > - Add rules using whatever syntax-fu is appropriate + make permanent
> > - Check (?) for validation where ? is one of: iptables-save, XML
> > files, something else...
>
> Extending the "take system defaults," while firewalld adds complication,
> the fact that it's system default means firewalld will be written into
> RHCE exams (and thus what people are trained on). Not writing guidance
> against it would be going against the grain.
>
> As porting towards RHEL7 continues we can utilize the OVAL "criteria
> operators".... if iptables check X; if firewalld check Y... akin to the
> PAM checks:
> https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/oval/accounts_password_pam_retry.xml#L13#L22
>
> Perhaps the first cut will inherit/update IPTables, then add in criteria
> operators for firewalld in the second pass.

+1. Yeah, that's the plan.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Technologies Team

> --
> SCAP Security Guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
> https://github.com/OpenSCAP/scap-security-guide/
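The "if iptables check X; if firewalld check Y" branching via OVAL criteria operators that the thread discusses, as an added illustration (not code from the SSG project or from any poster). All ids here are hypothetical placeholders; the two service-enabled tests are assumed to be defined elsewhere in the same OVAL document, and the firewalld branch reads the real /etc/firewalld/firewalld.conf file.

```xml
<!-- Added example: OR over two AND branches, so the rule passes when whichever
     host firewall is actually in use is configured sanely. Ids are placeholders. -->
<definition class="compliance" id="oval:ssg-example-host_firewall:def:1" version="1">
  <metadata>
    <title>Host firewall is enabled and configured (iptables or firewalld)</title>
    <description>Passes if iptables is enabled with its rule check, or if firewalld
      is enabled and its default zone is a restrictive one.</description>
  </metadata>
  <criteria operator="OR">
    <!-- Branch 1: classic iptables in use -->
    <criteria operator="AND" comment="iptables branch">
      <criterion test_ref="oval:ssg-example-service_iptables_enabled:tst:1"
                 comment="iptables service is enabled (test assumed defined elsewhere)"/>
      <criterion test_ref="oval:ssg-example-iptables_default_drop:tst:1"
                 comment="iptables INPUT policy check (test assumed defined elsewhere)"/>
    </criteria>
    <!-- Branch 2: firewalld in use -->
    <criteria operator="AND" comment="firewalld branch">
      <criterion test_ref="oval:ssg-example-service_firewalld_enabled:tst:1"
                 comment="firewalld service is enabled (test assumed defined elsewhere)"/>
      <criterion test_ref="oval:ssg-example-firewalld_default_zone:tst:1"
                 comment="firewalld DefaultZone is drop, block or public"/>
    </criteria>
  </criteria>
</definition>

<!-- The firewalld DefaultZone test, written out in full to show the shape of one branch.
     Requires xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" -->
<ind:textfilecontent54_test id="oval:ssg-example-firewalld_default_zone:tst:1" version="1"
    check="all" check_existence="at_least_one_exists"
    comment="DefaultZone in firewalld.conf is a restrictive zone">
  <ind:object object_ref="oval:ssg-example-firewalld_default_zone:obj:1"/>
  <ind:state state_ref="oval:ssg-example-firewalld_default_zone:ste:1"/>
</ind:textfilecontent54_test>

<ind:textfilecontent54_object id="oval:ssg-example-firewalld_default_zone:obj:1" version="1">
  <ind:filepath>/etc/firewalld/firewalld.conf</ind:filepath>
  <!-- capture the zone name; a missing line makes the test fail via check_existence -->
  <ind:pattern operation="pattern match">^DefaultZone=(\w+)$</ind:pattern>
  <ind:instance datatype="int">1</ind:instance>
</ind:textfilecontent54_object>

<ind:textfilecontent54_state id="oval:ssg-example-firewalld_default_zone:ste:1" version="1">
  <!-- accepted zones; "trusted" would accept everything and so fails this state -->
  <ind:subexpression operation="pattern match">^(drop|block|public)$</ind:subexpression>
</ind:textfilecontent54_state>
```

The same OR/AND layering is the pattern the linked PAM check uses to accept more than one acceptable configuration; the per-zone rule files under /etc/firewalld/zones/ would need further tests of their own.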
