
RE: Firewalling vs AllowConnectionsFrom


From: Martin, Jason H
Subject: RE: Firewalling vs AllowConnectionsFrom
Date: Wed, 26 Oct 2005 09:49:12 -0700

If you are willing to configure iptables then there isn't really a need
to also configure the permissions at the cfservd level.  You can
configure the firewall rules to log rejected connections as well. You
are correct that doing so saves forking a cfservd to handle the
connection.

-Jason Martin

> -----Original Message-----
> From: help-cfengine-bounces+jason.h.martin=cingular.com@gnu.org
> [mailto:help-cfengine-bounces+jason.h.martin=cingular.com@gnu.org] On Behalf Of Marco van Beek
> Sent: Wednesday, October 26, 2005 9:00 AM
> To: help-cfengine@gnu.org
> Subject: Firewalling vs AllowConnectionsFrom
> 
> 
> Hi,
> 
> Bit of a conceptual question:
> 
> We are running the cfengine policyhost on a box that is also running
> Shorewall (an IP tables based firewall). At the moment Shorewall is
> configured to allow all connections to port 5308, and cfservd.conf has a
> list of valid connections in AllowConnectionsFrom.
> 
> I don't particularly want to have to maintain two lists of valid IP
> addresses, and at this point I am not sure I can come up with a format
> that both systems are happy with as a list.
> 
> The only two issues I can come up with is that if the policyhost is 
> controlling the connections, it will report the failed connections, 
> which might make it easier, but secondly, if I use a common list in 
> Shorewall, I can use it for other ports (eg ssh) as well.
> 
> I guess using the firewall will be more secure, and there may be a 
> performance benefit as cfengine isn't having to fork a new process to 
> check every connection.
> 
> Is there anyone out there who has faced the same situation?
> 
> Regards,
> 
> Marco van Beek
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> Help-cfengine@gnu.org 
> http://lists.gnu.org/mailman/listinfo/help-cfengine
> 
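The approach Jason describes, keeping one plain-text allowlist and letting the firewall both admit cfservd clients and log everything else, can be scripted so the list is maintained in a single place. The following is an added example written for this page, not code from the thread or from the cfengine or Shorewall projects; it assumes stock iptables with the LOG target, a chain name of our choosing (`cfservd-in`), and a constructed sample allowlist. It prints the rules rather than applying them so it can be reviewed before use.

```shell
#!/bin/sh
# Added example (not from the thread): build iptables rules for cfservd's
# port 5308 from one plain-text allowlist, logging and dropping the rest.
# Assumptions: iptables with the LOG target; chain name is our own choice.

CFSERVD_PORT=5308
CHAIN=cfservd-in

# Constructed sample allowlist: one host or CIDR per line, '#' comments and
# blank lines ignored. On a real policyhost this would be read from a file.
SAMPLE_ALLOWLIST='
# policy clients
10.0.1.0/24
192.0.2.10   # build server
# 198.51.100.7   (decommissioned)
'

# Strip comments, trailing whitespace and blank lines so the same file
# can feed other consumers (for example an ssh rule set) unchanged.
parse_allowlist() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Print (not apply) the iptables commands for the given allowlist text:
# a dedicated chain, one ACCEPT per entry, then rate-limited LOG and DROP.
gen_cfservd_rules() {
    entries=$(parse_allowlist "$1")
    echo "iptables -N $CHAIN"
    echo "iptables -A INPUT -p tcp --dport $CFSERVD_PORT -j $CHAIN"
    for src in $entries; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    # Rate limiting keeps a misbehaving client from flooding syslog.
    echo "iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix \"cfservd-reject: \""
    echo "iptables -A $CHAIN -j DROP"
}

# Number of ACCEPT rules produced; handy for a sanity check before applying.
count_accept_rules() {
    gen_cfservd_rules "$1" | grep -c -- '-j ACCEPT'
}

gen_cfservd_rules "$SAMPLE_ALLOWLIST"
```

Rejected connections show up in the kernel log with the `cfservd-reject:` prefix, which gives the visibility Marco wanted from cfservd's own reporting without forking a cfservd per connection. Because the same parsed list can be reused for other ports, the firewall becomes the single source of truth for which hosts may reach the policyhost.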