Mailinglist Archive: opensuse-factory (1324 mails)

Re: [opensuse-factory] Re: leap42 - minimum server pattern has become too minimum
Hello Dominique and all,

On 2015-10-24 T 00:32 Dominique Leuenberger / DimStar wrote:

But a firewall is quite an important part of any
installation really, I would consider an installation,
even if minimal, without a firewall, quite
irresponsible. But selecting it back is easy, and it is
indeed the minimal pattern, which strives to be minimal.
Pulling in full perl would indeed hurt that objective.

Really? Sorry - no: I have NEVER worked in an enterprise
where the firewall was not centralized BEFORE the server
farm... maintaining firewall rules in every single
instance is certain to give you headaches which you do not
need.

Do yourself a favor, get an IDS/IPS and live happily ever
after. THEN we talk about serious implementations with
servers.

SUSE Firewall is nice for what it can do... but installing
/ configuring it on every single VM instance in your
network is mind numbing and means you do your job in a way
to extort money from your employer - and not to do a good
job.

while I do not disagree with your assessment and advice in
general, the challenge is that many companies expect or even
require that on every system a firewall is installed and
active, otherwise the system would not be considered
"compliant".

Now, obviously this is more important to the SUSE Linux
Enterprise world than to the openSUSE universe, yet it
should be considered, as otherwise the use and acceptance of
any "minimal" selection would be unnecessarily limited /
prohibited.

To put this more generally: I suggest to not start from the
view, what can be left out to achieve a minimal selection,
but to agree on the minimum functionality that should be
available, to allow an administrator with "average
experience" to successfully start a secure production server
from that "minimal".

In addition, mixing the requirements of a (full)
operating system (either bare metal or as a VM) with the
(even more reduced) needs of an application container
such as Docker, does not necessarily lead to the best
results on either end.

Back to the question of SuSEFirewall2: I wholeheartedly
agree that its dependency on perl leaves room for
improvement, aeh, well, size reduction; however, perl
might be needed anyways. ... Do you know?

So long -
MgE

--
Matthias G. Eckermann - Senior Product Manager SUSE® Linux Enterprise
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)