[LON-CAPA-dev] firewall question (a monthly periodical?)

Scott Harrison lon-capa-dev@mail.lon-capa.org
Mon, 23 Sep 2002 11:29:32 -0400


> > Should we make iptables part of the default installation?
> 
> RedHat 7.3 does, and it mainly gets it wrong.

The trick for getting iptables working with RedHat 7.3 is to completely
disable ipchains.  iptables never works even after
/etc/rc.d/init.d/ipchains stop.  The system must boot up without
ever launching ipchains.

The simplest is to:
                      rpm -e ipchains

Then iptables works perfectly in my experience.
(This is consistent with others' experiences on various mailing lists.)

> I don't think we will gain much by doing this, I think it better just
> to require as few services as possible and to lock these down as tight
> as possible.

Yes.

> > So long as it's correctly configured, it can only make security
> > better as well as keeping track of which network ports
> > really are needed.
> 
> But will cause even more headaches as users get it wrong.
> 
> Additionally I'd like to continue to reduce the amount of control we
> exercise over the machine.

Agreed.

I would suggest though, that this should not obliterate the ability for
system admins to freely collaborate.

In other words, if a LON-CAPA sysadmin wants to set up a firewall,
providing help is not a totally bad thing (there could be a general firewall
recommendation).  However, a recommendation can never be presented as an
endorsement then...

LON-CAPA could be helpful but decidedly neutral.  Similar to what we
now do with samba and appletalk.

-- 
Scott Harrison, sharrison@users.sourceforge.net