On 2017-01-02 01:35, David Sommerseth wrote:
On 02/01/17 10:24, jdow wrote:
On 2017-01-01 14:24, David Sommerseth wrote:
On 01/01/17 01:28, jdow wrote:
Obviously I really do NOT want firewalld to run. This is, apparently,
usually done using "systemctl mask firewalld". Unfortunately this leaves
divots all over the logs about systemctl not being able to bring up
/dev/null er firewalld. That seems "unfriendly" to say the least. (And
it seems there is no "friendly" way to undo the "systemctl mask"
command, at least for firewalld.)
# yum erase firewalld
# yum install iptables-services
Did the second half. The first half had a large collection of
dependencies that would be removed as well, little things like
"anaconda-core". Erm, that might not be a good thing. I'm not interested
in throwing the system into the dark ages. I just want to use some
iptables features that firewalld doesn't seem to be able to approach.
I've discussed several details with the firewalld developers (reasonable
group of people, btw) and they do acknowledge that firewalld does have
some challenges, also in regards to logging.
The approach I've recommended has been deployed on two production systems.
Btw, the official documentation provides this guidance:
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Using_iptables>
I found that page. I've had one indication that keeping firewalld disabled may
be a chore through a reboot. It's on my todo list to solve.
But remove Anaconda? EEEEK!
Anaconda is the installer. To be honest, I've never understood why
anaconda needs to be installed on a final production server. The
production boxes I have where firewalld is uninstalled also have no
anaconda installed. And these boxes do get their proper updates through
yum regardless.
It's not involved with system maintenance past the initial installation? I had
the impression it was intimately involved with the system's overall
configuration including updates. But, I must admit that it's not something I
have dug into in any serious way. Thanks for the suggestion. I'll keep this
option in mind. This is good to know.
{^_^}
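The documented route (disable and stop firewalld, install iptables-services, enable iptables) and the concern above about keeping firewalld down across a reboot suggest a post-reboot sanity check. The script below is an added example, not code from the thread or from the Red Hat documentation; it assumes a RHEL/CentOS 7 host with systemd, unit names "firewalld" and "iptables", and the iptables-services rules file /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example: verify the firewalld -> iptables-services switch is still in
# effect after a reboot. Assumptions: systemd units "firewalld" and "iptables",
# rules persisted in /etc/sysconfig/iptables (iptables-services default).

# Pure decision function so it can be exercised without systemd present.
# Args: firewalld enabled-state, iptables enabled-state, iptables active-state,
#       number of rules found in the persisted rules file.
# Returns 0 when the host is in the desired state; prints findings otherwise.
fw_switch_state() {
  fwd_enabled=$1 ipt_enabled=$2 ipt_active=$3 persisted_rules=$4
  rc=0
  case "$fwd_enabled" in
    ""|disabled) ;;   # not installed, or disabled: will not come back on boot
    masked) echo "note: firewalld is masked; expect 'Failed to start' noise in the journal" ;;
    *) echo "FAIL: firewalld is '$fwd_enabled' and will return on reboot"; rc=1 ;;
  esac
  [ "$ipt_enabled" = enabled ] || { echo "FAIL: iptables unit is '$ipt_enabled', not enabled"; rc=1; }
  [ "$ipt_active" = active ]   || { echo "FAIL: iptables unit is '$ipt_active', not active"; rc=1; }
  [ "$persisted_rules" -gt 0 ] || { echo "FAIL: no persisted rules; save them with iptables-save"; rc=1; }
  return $rc
}

# Count persisted rules: one "-A ..." line per rule in iptables-save format.
count_persisted_rules() {
  rules_file=${1:-/etc/sysconfig/iptables}
  [ -r "$rules_file" ] || { echo 0; return 0; }
  grep -c '^-A ' "$rules_file" || true   # grep -c prints 0 but exits 1 on no match
}

# Live collection on a systemd host; harmless where systemctl is absent.
check_live() {
  command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found; nothing to check"; return 0; }
  fw_switch_state "$(systemctl is-enabled firewalld 2>/dev/null)" \
                  "$(systemctl is-enabled iptables 2>/dev/null)" \
                  "$(systemctl is-active iptables 2>/dev/null)" \
                  "$(count_persisted_rules)"
}

# Constructed entry point: run the live check only when asked for explicitly.
if [ "${1-}" = "--live" ]; then check_live; fi
```

Run it as `sh fwcheck.sh --live` after a reboot; a non-zero exit means firewalld came back or the iptables rules did not persist.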