Date: Mon, 2 Jan 2017 03:42:14 -0800
Content-Type: text/plain
On 2017-01-02 01:35, David Sommerseth wrote:
> On 02/01/17 10:24, jdow wrote:
>> On 2017-01-01 14:24, David Sommerseth wrote:
>>> On 01/01/17 01:28, jdow wrote:
>>>>
>>>> Obviously I really do NOT want firewalld to run. This is, apparently,
>>>> usually done using "systemctl mask firewalld". Unfortunately this leaves
>>>> divots all over the logs about systemctl not being able to bring up
>>>> /dev/null er firewalld. That seems "unfriendly" to say the least. (And
>>>> it seems there is no "friendly" way to undo the "systemctl mask"
>>>> command, at least for firewalld.)
>>>
>>> # yum erase firewalld
>>> # yum install iptables-services
>>
>> Did the second half. The first half had a large collection of
>> dependencies that would be removed as well, little things like
>> "anaconda-core". Erm, that might not be a good thing. I'm not interested
>> in throwing the system into the dark ages. I just want to use some
>> iptables features that firewalld doesn't seem to be able to approach.
>
> I've discussed several details with the firewalld developers (reasonable
> group of people, btw) and they do acknowledge that firewalld does have
> some challenges, also in regards to logging.
>
> The approach I've recommended has been deployed on two production systems.
>
> Btw, the official documentation provides this guidance:
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Using_iptables>
I found that page. I've had one indication that keeping firewalld disabled may
be a chore through a reboot. It's on my todo list to solve.
>> But remove Anaconda? EEEEK!
>
> Anaconda is the installer. To be honest, I've never understood why
> anaconda needs to be installed on a final production server. The
> production boxes I have where firewalld is uninstalled also have no
> anaconda installed. And these boxes do get their proper updates through
> yum regardless.
It's not involved with system maintenance past the initial installation? I had
the impression it was intimately involved with the system's overall
configuration including updates. But, I must admit that it's not something I
have dug into in any serious way. Thanks for the suggestion. I'll keep this
option in mind. This is good to know.
{^_^}
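The middle path the thread circles around (neither "systemctl mask", which leaves the failed-start noise in the logs, nor "yum erase firewalld", which drags out dependents such as anaconda-core) is the disable/stop/enable sequence from the Red Hat guide linked above. The script below is an added example written for this page, not code from either poster or from the firewalld or iptables-services projects. It assumes a CentOS/RHEL 7 host with systemd, rpm, and iptables-services installed, and that the saved ruleset lives at the iptables-services default, /etc/sysconfig/iptables; DRY_RUN=1 prints the commands instead of executing them. It also encodes two checks a practitioner wants before flipping the switch: what "yum erase" would actually remove, and that a non-empty ruleset exists before iptables.service is started, since starting it with no saved rules leaves the host on the package's default policy.

```shell
#!/bin/sh
# Added example, not code from the thread. Switch a CentOS/RHEL 7 host
# from firewalld to iptables-services without "systemctl mask" (noisy
# logs) and without "yum erase firewalld" (takes dependents such as
# anaconda-core with it). Set DRY_RUN=1 to print commands instead of
# running them. Assumed default ruleset path: /etc/sysconfig/iptables.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Installed packages that depend on firewalld, i.e. what "yum erase
# firewalld" would remove alongside it. Informational only.
firewalld_dependents() {
    run rpm -q --whatrequires firewalld
}

# A non-empty saved ruleset must exist before iptables.service starts,
# otherwise the host comes up with the package's default policy.
ruleset_present() {
    [ -s "${1:-/etc/sysconfig/iptables}" ]
}

# disable (not mask): removes the boot-time symlinks so systemd no longer
# tries, and fails, to start the unit at boot. Caveat: a disabled unit can
# still be started by hand or as a dependency of another unit; mask is
# airtight at the cost of the log noise described in the thread.
switch_to_iptables() {
    rules="${1:-/etc/sysconfig/iptables}"
    if ! ruleset_present "$rules"; then
        printf 'refusing: no saved ruleset at %s\n' "$rules" >&2
        return 1
    fi
    run systemctl disable firewalld &&
    run systemctl stop firewalld &&
    run systemctl enable iptables &&
    run systemctl start iptables
}

# After a reboot these should print "disabled" and "enabled" respectively.
# "masked" means an old mask is still in place; "static" or "indirect"
# means another unit or a drop-in is pulling the unit in.
verify_persistence() {
    run systemctl is-enabled firewalld &&
    run systemctl is-enabled iptables
}

# Usage: sh switch.sh --apply [/path/to/ruleset]
if [ "${1:-}" = "--apply" ]; then
    firewalld_dependents
    switch_to_iptables "${2:-}" && verify_persistence
fi
```

The verify step is the answer to the "chore through a reboot" worry: run it after the first reboot and look for "disabled"/"enabled" rather than trusting that the switch took. If firewalld reports "masked", the earlier mask is still there and "systemctl unmask firewalld" followed by "systemctl disable firewalld" gets you back to the quiet state.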