SCIENTIFIC-LINUX-USERS Archives, January 2017
SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Mon, 2 Jan 2017 10:35:19 +0100
Content-Type: text/plain

On 02/01/17 10:24, jdow wrote:
> On 2017-01-01 14:24, David Sommerseth wrote:
>> On 01/01/17 01:28, jdow wrote:
>>>
>>> Obviously I really do NOT want firewalld to run. This is, apparently,
>>> usually done using "systemctl mask firewalld". Unfortunately this leaves
>>> divots all over the logs about systemctl not being able to bring up
>>> /dev/null er firewalld. That seems "unfriendly" to say the least. (And
>>> it seems there is no "friendly" way to undo the "systemctl mask"
>>> command, at least for firewalld.)
>>
>> # yum erase firewalld
>> # yum install iptables-services
> 
> Did the second half. The first half had a large collection of
> dependencies that would be removed as well, little things like
> "anaconda-core". Erm, that might not be a good thing. I'm not interested
> in throwing the system into the dark ages. I just want to use some
> iptables features that firewalld doesn't seem to be able to approach.

I've discussed several details with the firewalld developers (reasonable
group of people, btw) and they do acknowledge that firewalld does have
some challenges, also in regards to logging.

The approach I've recommended has been deployed on two production systems.

Btw, the official documentation provides this guidance:
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Using_iptables>

> But remove Anaconda? EEEEK!

Anaconda is the installer.  To be honest, I've never understood why
anaconda needs to be installed on a final production server.  The
production boxes I have where firewalld is uninstalled also have no
anaconda installed.  And these boxes do get their proper updates through
yum regardless.


-- 
kind regards,

David Sommerseth
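As an added example (not code from this thread, from the poster, or from Red Hat), here is a small POSIX shell script that covers both halves of the exchange above: it previews the dependency fallout of erasing firewalld before anything is removed, and otherwise takes the route the linked RHEL 7 Security Guide describes, leaving firewalld installed but stopped and disabled while iptables-services takes over. The protected-package list, the function names and the sample yum transaction table are constructed for illustration; the parser assumes the standard yum transaction table layout.

```shell
#!/bin/sh
# Added example, not code from the thread above. It previews what
# "yum erase firewalld" would pull out with it and, if that is unacceptable,
# takes the route the RHEL 7 Security Guide describes: stop and disable
# firewalld, install iptables-services, enable iptables. Assumes an EL7-style
# host with yum and systemd; the protected-package list, the function names
# and the sample transaction table below are constructed for illustration.

# Packages whose removal we refuse to accept as collateral damage.
# anaconda-core is the one from the thread; the others are assumptions.
PROTECTED="anaconda-core systemd yum"

# Extracts package names from a yum transaction table on stdin, i.e. the
# lines under "Removing:" and "Removing for dependencies:" up to the
# "Transaction Summary" line. Prints one name per line.
parse_yum_plan() {
    awk '
        /^Removing/            { in_table = 1; next }
        /^Transaction Summary/ { in_table = 0 }
        in_table && /^ +[^ ]/  { print $1 }
    '
}

# Reads package names (one per line) on stdin; returns 0 (true) if any of
# them is in PROTECTED, 1 otherwise.
touches_protected() {
    while IFS= read -r pkg; do
        for p in $PROTECTED; do
            [ "$pkg" = "$p" ] && return 0
        done
    done
    return 1
}

# Constructed sample of a yum transaction table, shaped like the one
# "yum remove --assumeno firewalld" prints; versions are placeholders.
SAMPLE_PLAN='Resolving Dependencies
================================================================================
 Package          Arch    Version     Repository  Size
================================================================================
Removing:
 firewalld        noarch  0.0-1.el7   @anaconda   1.7 M
Removing for dependencies:
 anaconda-core    x86_64  0.0-1.el7   @anaconda   5.8 M
 python-firewall  noarch  0.0-1.el7   @anaconda   428 k

Transaction Summary
================================================================================
Remove  1 Package (+2 Dependent packages)'

# Dry-runs the removal: --assumeno resolves and prints the transaction but
# answers "no" at the prompt, so nothing is changed. Returns 0 if erasing
# firewalld would also take a protected package.
erase_would_hurt() {
    yum remove --assumeno firewalld 2>/dev/null | parse_yum_plan | touches_protected
}

# The documented alternative to erasing: leave the package installed, keep
# the service out of the boot sequence, and run iptables-services instead.
# "disable" is used here rather than "mask"; mask is the stronger block but
# is what produces the journal noise the thread complains about.
switch_to_iptables_services() {
    systemctl stop firewalld
    systemctl disable firewalld
    yum -y install iptables-services
    systemctl enable iptables
    systemctl start iptables
}

case "${1:-}" in
    plan)
        if erase_would_hurt; then
            echo "erasing firewalld would remove a protected package; keep it installed" >&2
            exit 1
        fi
        echo "erasing firewalld removes no protected package"
        ;;
    switch)
        switch_to_iptables_services
        ;;
esac
```

Run it as root with `plan` first; if it reports a protected package, skip the erase and run it with `switch` instead. Whether `disable` alone is enough to keep firewalld from being started on a given box depends on what else pulls the unit in, so check `systemctl status firewalld` after the next reboot before deciding you can live without `mask`.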
