[LON-CAPA-dev] firewall question (a monthly periodical?)

Guy Albertelli II lon-capa-dev@mail.lon-capa.org
Mon, 23 Sep 2002 02:47:14 -0400 (EDT)


Hi Scott,

> http://help.loncapa.org/cgi-bin/fom?file=210
> 
> Pending question:
> 
> Firewall - other than possibly interfering with needed internet ports,
> will iptables significantly slow up LON-CAPA network connectivity?
> 

> I have had really good experiences with iptables (ipchains on the
> other hand is abominable and almost deprecated).  But I'm not sure
> if it would be CPU-expensive, or bottlenecks the network connection
> during server peak usage points.

It supposedly has little impact on performance. I can't find any
extensive testing, but the small tests I have found seem to indicate
that it is fairly light weight.

> Should we make iptables part of the default installation?

RedHat 7.3 does, and it mainly gets it wrong.

I don't think we will gain muc by doing this, I think it better just
to require as few services as possible and to lock these down as tight
as possible.


> So long as its correctly configured, it can only make security
> better as well as keeping track of which network ports
> really are needed.

But will cause even more headaches as users get it wrong.

Additionally I'd like to continue to reduce the amount of control we
exercise over the machine.

I like that we have stopped trying to configure appletalk, etc, and
now add ourselves to Apache rather than try to own it.
-- 
guy@albertelli.com          BM: n^20 t20 z20 qS 
Guy Albertelli -7-8-2-  O-
    I would love to but . . . I'm in training to be a household pest.