[LON-CAPA-dev] firewall question (a monthly periodical?)

Martin Siegert lon-capa-dev@mail.lon-capa.org
Mon, 23 Sep 2002 12:08:10 -0700


Hi Guy, Scott,

On Mon, Sep 23, 2002 at 02:47:14AM -0400, Guy Albertelli II wrote:
> Hi Scott,
> 
> > http://help.loncapa.org/cgi-bin/fom?file=210
> > 
> > Pending question:
> > 
> > Firewall - other than possibly interfering with needed internet ports,
> > will iptables significantly slow up LON-CAPA network connectivity?
> > 
> 
> > I have had really good experiences with iptables (ipchains on the
> > other hand is abominable and almost deprecated).  But I'm not sure
> > if it would be CPU-expensive, or bottlenecks the network connection
> > during server peak usage points.
> 
> It supposedly has little impact on performance. I can't find any
> extensive testing, but the small tests I have found seem to indicate
> that it is fairly lightweight.
> 
> > Should we make iptables part of the default installation?
> 
> RedHat 7.3 does, and it mainly gets it wrong.
> 
> I don't think we will gain much by doing this, I think it better just
> to require as few services as possible and to lock these down as tight
> as possible.
> 
> 
> > So long as it's correctly configured, it can only make security
> > better as well as keeping track of which network ports
> > really are needed.
> 
> But will cause even more headaches as users get it wrong.
> 
> Additionally I'd like to continue to reduce the amount of control we
> exercise over the machine.
> 
> I like that we have stopped trying to configure appletalk, etc, and
> now add ourselves to Apache rather than try to own it.

I second this. LON-CAPA should use standard packages instead of its own
version of standard packages. It also should not try to overwrite
configuration files, etc., of other packages or change settings of
other services (still with the latest version a LON-CAPA update screws
up ntp on dalton.chem.sfu.ca every time). If you wish to help sysadmins
with the configuration of iptables, ntp, etc., then include example
configuration files instead of overwriting existing settings.

> -- 
> guy@albertelli.com          BM: n^20 t20 z20 qS 
> Guy Albertelli -7-8-2-  O-
>     I would love to but . . . I'm in training to be a household pest.

Cheers,
Martin
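As an added illustration of the approach Martin argues for (ship an example firewall file, never overwrite the sysadmin's live configuration), here is a small POSIX shell example. It is not code from this thread or from the LON-CAPA project; the function names, the output path and the allowed ports (22 for ssh, 80 and 443 for Apache) are assumptions chosen for the example. It only generates an iptables-restore style allow-list file and refuses to clobber a file that already exists; it never loads rules into the kernel.

```shell
#!/bin/sh
# Added example, not LON-CAPA code: produce an iptables-restore style
# rule set as an *example file* for the sysadmin instead of applying it
# or overwriting whatever firewall configuration is already in place.
# Ports 22, 80 and 443 are assumed defaults; adjust them for your site.

# Print an allow-list rule set: default DROP on INPUT and FORWARD,
# allow loopback and already-established traffic, then open only the
# TCP service ports given as a space-separated list in $1.
lon_example_rules() {
    ports="${1:-22 80 443}"
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Write the example rule set to $1 (e.g. /etc/sysconfig/iptables.example,
# a hypothetical path) with the port list in $2.  Returns 1 and leaves
# the file untouched if something is already there, so an update can
# never silently replace a sysadmin's hand-tuned rules.
write_example_config() {
    target="$1"
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi
    lon_example_rules "$2" > "$target"
}

# Usage (commented out so the script is safe to source):
# write_example_config /etc/sysconfig/iptables.example "22 80 443"
```

Loading the file is deliberately left to the administrator (for instance with `iptables-restore < /etc/sysconfig/iptables.example` after reviewing it), which keeps the package from owning a configuration it cannot know is correct for the host.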