Hello Dominique and all,

On 2015-10-24 T 00:32 Dominique Leuenberger / DimStar wrote:
But a firewall is quite an important part of any installation really, I would consider an installation, even if minimal, without a firewall, quite irresponsible. But selecting it back is easy, and it is indeed the minimal pattern, which strives to be minimal. Pulling in full perl would indeed hurt that objective.
Really? Sorry - no: I have NEVER worked in an enterprise where the firewall was not centralized BEFORE the server farm... maintaining firewall rules in every single instance is certain to give you headaches which you do not need.
Do yourself a favor, get an IDS/IPS and live happily ever after. THEN we talk about serious implementations with servers.
SUSE Firewall is nice for what it can do... but installing / configuring it on every single VM instance in your network is mind numbing and means you do your job in a way to extort money from your employer - and not to do a good job.
while I do not disagree with your assessment and advice in general, the challenge is that many companies expect or even require that on every system a firewall is installed and active, otherwise the system would not be considered "compliant".

Now, obviously this is more important to the SUSE Linux Enterprise world than to the openSUSE universe, yet it should be considered, as otherwise the use and acceptance of any "minimal" selection would be unnecessarily limited / prohibited.

To put this more generally: I suggest to not start from the view, what can be left out to achieve a minimal selection, but to agree on the minimum functionality that should be available, to allow an administrator with "average experience" to successfully start a secure production server from that "minimal".

In addition, mixing the requirements of a (full) operating system (either bare metal or as a VM) with the (even more reduced) needs of an application container such as Docker, does not necessarily lead to the best results on either end.

Back to the question of SuSEFirewall2: I wholeheartedly agree that its dependency on perl leaves room for improvement, aeh, well, size reduction; however, perl might be needed anyways. ... Do you know?

So long -
MgE

--
Matthias G. Eckermann - Senior Product Manager SUSE® Linux Enterprise
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)