Re: [CentOS] PostgreSQL port accessible even though it should be blocked by firewall

2018-11-01 Thread Frank Thommen

On 31/10/18 18:32, Gordon Messmer wrote:

On 10/30/18 8:31 AM, Frank Thommen wrote:
I am still puzzled that it is possible to circumvent firewalld so 
easily.  Basically it means that firewalld is not to be trusted as 
soon as containers with port forwarding are running on a system. 


It's hard to see this as a security or trust problem.  The root user can 
modify the firewall, which is provided by the kernel. firewalld is just 
a front-end.  Adding rules to the kernel's firewall is not 
"circumventing" the management front-end.


You do have to bear in mind that the firewall-cmd output reflects the 
*configuration* and not the *state*.  When docker adds rules, it 
modifies the state, but not the configuration.


I see that (=have learned that :-) now, but for me it means that 
firewalld-cmd is not to be trusted (even though it is the recommended 
tool to manage the local firewall).  I'll have to go back and try to 
understand confusing and hard-to-understand iptables output. :-(



___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
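The distinction Gordon draws above (firewall-cmd reports firewalld's configuration, while docker writes DNAT rules straight into the kernel's nat table) can be turned into a routine check. The script below is an added example written for this thread, not code posted by either participant: it parses `iptables-save -t nat` output for DNAT rules in the DOCKER chain and lists the published ports that do not appear in `firewall-cmd --list-ports`. Both inputs are constructed samples embedded in the script so it runs offline; the container addresses are made up, and the rule shape follows what docker generates for `-p HOST:CONTAINER`.

```shell
#!/bin/sh
# Added example (not from the thread): compare the ports firewalld *configures*
# with the DNAT rules docker actually *installs* in the kernel's nat table.
# On a live host you would feed it:
#   firewall-cmd --list-ports      (configured ports, e.g. "22/tcp 80/tcp")
#   iptables-save -t nat           (kernel state, including the DOCKER chain)
# Here both inputs are constructed samples so the script runs offline.

# Constructed: what `firewall-cmd --list-ports` might print for the public zone.
SAMPLE_FIREWALLD_PORTS="22/tcp 80/tcp"

# Constructed: an excerpt of `iptables-save -t nat` on a host running a
# PostgreSQL container started with `-p 5432:5432` and a web container with
# `-p 8080:80`. The DOCKER chain rules have the shape docker generates;
# the 172.17.x.x addresses are made up.
SAMPLE_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 5432 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80
COMMIT'

# Print "port/proto" for every DNAT rule docker placed in its DOCKER chain.
# Input: iptables-save text on stdin.
docker_published_ports() {
    awk '
        /^-A DOCKER / && /-j DNAT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print port "/" proto
        }'
}

# Print the published ports that firewalld's configuration does not list.
# $1: space-separated firewalld ports ("22/tcp 80/tcp"); stdin: iptables-save text.
unconfigured_published_ports() {
    configured=" $1 "
    docker_published_ports | while read -r p; do
        case "$configured" in
            *" $p "*) ;;        # port is in the firewalld config: consistent
            *) echo "$p" ;;     # reachable via DNAT but absent from firewall-cmd output
        esac
    done
}

# Run against the constructed samples (replace them with live command output
# to audit a real host: both commands need root).
printf '%s\n' "$SAMPLE_NAT_TABLE" | unconfigured_published_ports "$SAMPLE_FIREWALLD_PORTS"
```

On the constructed input the script prints `5432/tcp` and `8080/tcp`: both ports are reachable through the PREROUTING jump into the DOCKER chain even though firewalld's own configuration never mentions them, which is exactly the mismatch described in the thread. Running the same comparison from cron or a configuration-management check is a cheap way to notice when a container has published a port that the firewall configuration does not account for.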


[CentOS] Video from the CentOS Dojo at CERN now available

2018-11-01 Thread Rich Bowen
The videos from the recent #CentOSDojo at #CERN are now available on the
CentOS YouTube channel. If you have time for only one, be sure to watch
the first video, which talks about the challenges that CERN has with the
enormous amount of data they produce every day in the LHC.

Also recommended, Fabian's discussion of the coming (and already in
place!) changes to the CentOS Git infrastructure.

https://www.youtube.com/watch?v=fs8knVCqEj4&list=PLuRtbOXpVDjBVqThWSByt1ZdJV9F9LYlL

-- 
Rich Bowen - rbo...@redhat.com
@CentOSProject // @rbowen
859 351 9166