Juan Hernandez has posted comments on this change.

Change subject: packaging: setup: Added default firewall rules for postgres
......................................................................


Patch Set 2: (2 inline comments)

Why does DWH need to allow access to the database from outside the machine? 
Please explain it in the commit message.

....................................................
File packaging/conf/iptables.default.in
Line 7: -A INPUT -i lo -j ACCEPT
Line 8: -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
Line 9: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Line 10: -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Line 11: -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
Why do you need ESTABLISHED here? Those packets already match the rule in line 9.
Line 12: -A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 5432 -j ACCEPT
Line 13: @CUSTOM_RULES@
Line 14: #drop all rule
Line 15: -A INPUT -j REJECT --reject-with icmp-host-prohibited


Line 8: -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
Line 9: -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Line 10: -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
Line 11: -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
Line 12: -A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 5432 -j ACCEPT
The policy of the OUTPUT chain is ACCEPT, and we don't have any other rule for 
that chain, so this rule isn't needed.
Line 13: @CUSTOM_RULES@
Line 14: #drop all rule
Line 15: -A INPUT -j REJECT --reject-with icmp-host-prohibited


-- 
To view, visit http://gerrit.ovirt.org/16800
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ie05911e70ac6a93416182116ae04daec95f59ee7
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alex Lourie <alou...@redhat.com>
Gerrit-Reviewer: Alex Lourie <alou...@redhat.com>
Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Moran Goldboim <mgold...@redhat.com>
Gerrit-Reviewer: Ofer Schreiber <oschr...@redhat.com>
Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
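
The two redundancy points raised in this review (ESTABLISHED repeated on the 5432 rule, and an ACCEPT rule in a chain whose policy is already ACCEPT) can be checked mechanically. The following Python is an added example, not part of the original message or of ovirt-engine; the function names are hypothetical, the chain policy lines in the sample are assumed, and it covers only these two cases.

```python
import shlex

# Constructed input: the rules quoted in the review. The ":CHAIN POLICY" lines are
# assumed (header not shown on the page; the reviewer says OUTPUT is ACCEPT).
RULESET = """\
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 5432 -j ACCEPT
-A OUTPUT -p tcp -m state --state ESTABLISHED -m tcp --sport 5432 -j ACCEPT
@CUSTOM_RULES@
#drop all rule
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def parse(text):
    """Return (policies, rules); -j, -m and --reject-with are not match criteria."""
    policies, rules = {}, []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # drops "#..." comment lines
        if tok and tok[0].startswith(":"):
            policies[tok[0][1:]] = tok[1]
        elif tok and tok[0] == "-A":  # the "@CUSTOM_RULES@" placeholder is skipped
            opts = dict(zip(tok[2::2], tok[3::2]))  # each option here takes one argument
            states = set(opts.pop("--state", "").split(",")) - {""}
            matches = {k: v for k, v in opts.items() if k not in ("-j", "-m", "--reject-with")}
            rules.append(dict(text=line, chain=tok[1], target=opts["-j"],
                              states=states, matches=matches))
    return policies, rules

def find_redundant(text):
    """Return (rule, reason, detail) for the two cases raised in the review."""
    policies, rules = parse(text)
    out = []
    for i, r in enumerate(rules):
        key = (r["chain"], r["target"])
        for e in rules[:i]:
            # An earlier state-only rule with the same verdict already decides these states.
            dup = r["states"] & e["states"]
            if dup and not e["matches"] and (e["chain"], e["target"]) == key:
                out.append((r["text"], "state-shadowed", ",".join(sorted(dup))))
        # If every rule in the chain gives the policy's verdict, none changes the outcome.
        policy = policies.get(r["chain"])
        if all(x["target"] == policy for x in rules if x["chain"] == r["chain"]):
            out.append((r["text"], "same-as-policy", policy))
    return out
```

Calling `find_redundant(RULESET)` returns one finding for the 5432 INPUT rule (ESTABLISHED already accepted earlier in the chain) and one for the OUTPUT rule (same verdict as the chain policy).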
