[LON-CAPA-dev] firewall question (a monthly periodical?)
Mon, 23 Sep 2002 11:29:32 -0400
> > Should we make iptables part of the default installation?
> RedHat 7.3 does, and it mainly gets it wrong.
The trick for getting iptables working with RedHat 7.3 is to completely
disable ipchains. iptables never works even after
/etc/rc.d/init.d/ipchains stop. The system must boot up without
ever launching ipchains.
The simplest is to:
rpm -e ipchains
Then iptables works perfectly in my experience.
(This is consistent with others' experiences on various mailing lists.)
> I don't think we will gain much by doing this, I think it better just
> to require as few services as possible and to lock these down as tight
> as possible.
> > So long as it's correctly configured, it can only make security
> > better as well as keeping track of which network ports
> > really are needed.
> But will cause even more headaches as users get it wrong.
> Additionally I'd like to continue to reduce the amount of control we
> exercise over the machine.
I would suggest though, that this should not obliterate the ability for
system admins to freely collaborate.
In other words, if a LON-CAPA sysadmin wants to set up a firewall,
providing help is not a totally bad thing (there could be a general firewall
recommendation). However recommendation can never be presented as an
LON-CAPA could be helpful but decidedly neutral. Similar to what we
now do with samba and appletalk.
Scott Harrison, firstname.lastname@example.org
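
An added example, not part of the original message or of LON-CAPA: a pre-flight check for the ipchains/iptables conflict described above, run here on constructed sample output. The kernel module name `ipchains` and the `lsmod` / `chkconfig --list` output formats are assumptions about a Red Hat 7.x system with a 2.4 kernel.

```shell
#!/bin/sh
# Pre-flight check before enabling iptables on a host that may still run ipchains.
# Assumptions (not from the message): module name "ipchains", and
# `chkconfig --list` lines of the form "name 0:off 1:off 2:on ...".

# Succeeds if the named module appears in lsmod-style text on stdin.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Prints the runlevels in which a service is "on" (chkconfig --list text on stdin).
enabled_runlevels() {
    awk -v s="$1" '$1 == s {
        for (i = 2; i <= NF; i++) {
            split($i, kv, ":")
            if (kv[2] == "on") out = out (out == "" ? "" : " ") kv[1]
        }
    } END { print out }'
}

# Prints one finding per line; returns 1 if ipchains would get in the way.
ipchains_conflict() {
    lsmod_text=$1
    chkconfig_text=$2
    rc=0
    if printf '%s\n' "$lsmod_text" | module_loaded ipchains; then
        echo "ipchains module is loaded: boot without it before using iptables"
        rc=1
    fi
    levels=$(printf '%s\n' "$chkconfig_text" | enabled_runlevels ipchains)
    if [ -n "$levels" ]; then
        echo "ipchains init script is enabled in runlevels: $levels"
        rc=1
    fi
    return $rc
}

# Constructed sample output (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
ipchains               43560  12
ext3                   70784   2'
SAMPLE_CHKCONFIG='ipchains        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:off   3:off   4:off   5:off   6:off'

ipchains_conflict "$SAMPLE_LSMOD" "$SAMPLE_CHKCONFIG" || true
```

On a live host, pass `"$(lsmod)"` and `"$(chkconfig --list)"` in place of the samples.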