SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Mon, 2 Jan 2017 03:42:14 -0800
On 2017-01-02 01:35, David Sommerseth wrote:
> On 02/01/17 10:24, jdow wrote:
>> On 2017-01-01 14:24, David Sommerseth wrote:
>>> On 01/01/17 01:28, jdow wrote:
>>>>
>>>> Obviously I really do NOT want firewalld to run. This is, apparently,
>>>> usually done using "systemctl mask firewalld". Unfortunately this leaves
>>>> divots all over the logs about systemctl not being able to bring up
>>>> /dev/null er firewalld. That seems "unfriendly" to say the least. (And
>>>> it seems there is no "friendly" way to undo the "systemctl mask"
>>>> command, at least for firewalld.)
>>>
>>> # yum erase firewalld
>>> # yum install iptables-services
>>
>> Did the second half. The first half had a large collection of
>> dependencies that would be removed as well, little things like
>> "anaconda-core". Erm, that might not be a good thing. I'm not interested
>> in throwing the system into the dark ages. I just want to use some
>> iptables features that firewalld doesn't seem to be able to approach.
>
> I've discussed several details with the firewalld developers (reasonable
> group of people, btw) and they do acknowledge that firewalld does have
> some challenges, also in regards to logging.
>
> The approach I've recommended has been deployed on two production systems.
>
> Btw, the official documentation provides this guidance:
> <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Using_iptables>

I found that page. I've had one indication that keeping firewalld disabled may
be a chore through a reboot. It's on my to-do list to solve.

>> But remove Anaconda? EEEEK!
>
> Anaconda is the installer.  To be honest, I've never understood why
> anaconda needs to be installed on a final production server.  The
> production boxes I have where firewalld is uninstalled also have no
> anaconda installed.  And these boxes do get their proper updates through
> yum regardless.

It's not involved with system maintenance past the initial installation? I had
the impression it was intimately involved with the system's overall
configuration including updates. But, I must admit that it's not something I
have dug into in any serious way. Thanks for the suggestion. I'll keep this
option in mind. This is good to know.

{^_^}
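The following is an added example and not code from anyone in this thread. It scripts the switch-over the thread describes (`yum erase firewalld`, `yum install iptables-services`) in a way that avoids the surprise jdow hit: before removing the firewalld package it dry-runs the removal and refuses if the dependency solver would also drop a package on a protected list (anaconda-core here), falling back to stopping and masking the service instead. It also brings iptables up before firewalld is taken down, so the host is never left without a packet filter, and ends with a check for the "stays disabled through a reboot" concern raised above. The protected-package list, the function names and the sample transaction summary are all assumptions for illustration; the sample output is constructed with placeholder versions and was not captured from a real system, and `yum --assumeno` is assumed to behave as it does on the yum 3.x shipped with EL7.

```shell
#!/bin/sh
# Added example for this thread, not code from any list participant.
# Plans the firewalld -> iptables-services switch discussed above and refuses
# the "yum erase firewalld" step when the solver would also remove a package on
# a protected list (the anaconda-core case jdow ran into).

# Packages the solver must never drop as a side effect. Assumed list for
# illustration; adjust it for your own hosts.
PROTECTED_PKGS="anaconda-core yum systemd"

# Constructed sample of a `yum --assumeno remove firewalld` transaction summary
# (placeholder versions, not captured from a real system).
SAMPLE_UNSAFE_PLAN='Dependencies Resolved

================================================================================
 Package          Arch    Version           Repository        Size
================================================================================
Removing:
 firewalld        noarch  0.0.0-0.el7       @anaconda/7.3     1.6 M
Removing for dependencies:
 anaconda-core    x86_64  0.0.0-0.el7       @anaconda/7.3     7.4 M
 python-firewall  noarch  0.0.0-0.el7       @anaconda/7.3     1.2 M

Transaction Summary
================================================================================
Remove  1 Package (+2 Dependent packages)

Exiting on user command'

# Constructed sample where only firewalld and its own python module go away.
SAMPLE_SAFE_PLAN='Removing:
 firewalld        noarch  0.0.0-0.el7       @anaconda/7.3     1.6 M
Removing for dependencies:
 python-firewall  noarch  0.0.0-0.el7       @anaconda/7.3     1.2 M

Transaction Summary
Remove  1 Package (+1 Dependent package)'

# Print the protected packages listed under "Removing for dependencies:",
# one per line. Output is empty when the plan touches none of them.
dependent_removals_of_protected() {
    printf '%s\n' "$1" | awk -v protected="$PROTECTED_PKGS" '
        BEGIN { n = split(protected, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^Removing for dependencies:/ { in_deps = 1; next }
        /^(Installing|Updating|Removing|Transaction Summary)/ { in_deps = 0 }
        in_deps && ($1 in want) { print $1 }
    '
}

# Exit status 0 when nothing protected would be removed, 1 otherwise.
removal_plan_is_safe() {
    [ -z "$(dependent_removals_of_protected "$1")" ]
}

# Live switch-over for an SL7/RHEL7 host, run as root, after
# /etc/sysconfig/iptables already holds the rules you want. iptables is started
# before firewalld is stopped for good, so there is no window without a filter.
switch_to_iptables_services() {
    yum -y install iptables-services || return 1
    systemctl stop firewalld
    systemctl start iptables || return 1
    systemctl disable firewalld
    systemctl enable iptables

    plan=$(yum --assumeno remove firewalld 2>&1)   # dry run only
    if removal_plan_is_safe "$plan"; then
        yum -y remove firewalld
    else
        echo "keeping the firewalld package; removing it would also remove:" >&2
        dependent_removals_of_protected "$plan" >&2
        # The thread's alternative for this case: masking keeps anything from
        # starting firewalld again, at the cost of the log noise jdow mentions.
        systemctl mask firewalld
    fi
}

# Post-reboot check for the point raised above: firewalld must stay off and
# iptables must be the enabled, running service.
verify_firewall_state() {
    [ "$(systemctl is-active firewalld)" != "active" ] &&
    [ "$(systemctl is-enabled iptables 2>/dev/null)" = "enabled" ] &&
    [ "$(systemctl is-active iptables)" = "active" ]
}

# Pass --apply on a real host to perform the switch; without it, only the
# dry-run decision is demonstrated on the constructed sample.
if [ "${1:-}" = "--apply" ]; then
    switch_to_iptables_services && verify_firewall_state
elif removal_plan_is_safe "$SAMPLE_UNSAFE_PLAN"; then
    echo "sample plan: safe to remove firewalld"
else
    echo "sample plan: would also remove $(dependent_removals_of_protected "$SAMPLE_UNSAFE_PLAN")"
fi
```

Without `--apply` the script only parses the constructed sample and reports that removing firewalld would take anaconda-core with it; with `--apply` it performs the switch and the verification on the running host. The parse step is the part worth keeping around: any `yum remove` on a production box can be dry-run through `dependent_removals_of_protected` first to catch dependent removals before they happen.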
