
cacert-sysadm - Re: Outbound fire-walling for CAcert infrastructure

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list


Re: Outbound fire-walling for CAcert infrastructure


  • From: Mario Lipinski <mario AT cacert.org>
  • To: Wytze van der Raay <wytze AT cacert.org>
  • Cc: cacert-sysadm AT lists.cacert.org, jandd AT cacert.org
  • Subject: Re: Outbound fire-walling for CAcert infrastructure
  • Date: Sun, 08 Jul 2012 03:35:48 -0700
  • Organization: CAcert (Infrastructure Team Leader, Organisation Assurer, Arbitrator / Case Manager)

Thanks for pointing this out. It would be interesting if that would work
together with lxc - the firewall is on the host and the containers are
somehow separated from the kernel.

This would indeed solve the problem for package upgrades and installations.
However, another thing on the wishlist were updates through web
applications (like Drupal or Wordpress) or usage of external feeds. This
would still have to be done individually then.

Mario


On 08.07.2012 03:24, Wytze van der Raay wrote:
> On 8-7-2012 0:54, Mario Lipinski wrote:
>> today I received a request to disable outbound packet filtering (for a
>> host) within CAcert infrastructure.
>>
>> While I can fully understand the request and personally have not that
>> much concerns with outgoing traffic, this restrictive filtering has
>> tradition at CAcert.
>>
>> What do you think about allowing all outbound traffic for some or all
>> CAcert infrastructure hosts?
> 
> Instead of fully "opening the gates" (outbound), you could consider
> adding a firewall rule to allow only root to enjoy this privilege.
> That way a sysadmin will require "sudo" to perform outbound network
> operations exceeding the normal firewall rules. Usually this is to
> install software, which requires sudo privileges anyway, so no extra
> burden is introduced.
> In iptables language you can do this with something like:
> 
>       iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
> 
> Regards,
> -- wytze
> 



-- 
Kind regards / Best regards

Mario Lipinski
Infrastructure Team Leader,         E-Mail: mario AT cacert.org
Organisation Assurer (Germany),     Internet: http://www.cacert.org
Arbitrator / Case Manager
CAcert

Support CAcert: http://www.cacert.org/index.php?id=13
                http://wiki.cacert.org/wiki/HelpingCAcert



Attachment: smime.p7s
Description: S/MIME cryptographic signature
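The owner-match approach Wytze describes only works if the root rule sits above the default drop, and Mario's follow-up point (web applications such as Drupal or WordPress still need their own egress) is handled by per-user, per-port exceptions rather than by opening everything. The script below is an added example, not Wytze's or CAcert's ruleset: it generates an iptables-restore file with a default-drop OUTPUT chain, the uid 0 exception, a narrow exception for a hypothetical web-application user (`www-data`, ports given on the command line), and a LOG rule so denied egress shows up in the host's syslog. The user name and ports are assumptions; adjust them to the host.

```shell
#!/bin/sh
# Added example (not from the thread): build an iptables-restore ruleset that
# drops outbound traffic by default, lets root (uid 0) out as suggested in the
# thread, and grants one web-application user a narrow egress exception.
set -eu

# build_outbound_rules <webapp-user> [tcp ports...]
# Prints an iptables-restore formatted filter table to stdout.
# <webapp-user> is a hypothetical account (e.g. www-data); ports default to 443.
build_outbound_rules() {
  webuser="$1"; shift
  ports="$*"
  [ -n "$ports" ] || ports=443
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
# loopback and replies on already established connections stay allowed
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# root may open any outbound connection (sudo apt-get, wget as root, ...)
# this line must precede the LOG rule and the chain's DROP policy
-A OUTPUT -m owner --uid-owner 0 -j ACCEPT
EOF
  # per-application exception: the web app's user may reach only these TCP ports
  for p in $ports; do
    printf -- '-A OUTPUT -p tcp --dport %s -m owner --uid-owner %s -j ACCEPT\n' "$p" "$webuser"
  done
  cat <<EOF
# everything else is logged, then dropped by the chain policy
-A OUTPUT -j LOG --log-prefix "egress-drop: " --log-level 4
COMMIT
EOF
}

# load_and_verify <webapp-user> [tcp ports...]
# Loads the generated ruleset and confirms the root exception is in place.
load_and_verify() {
  build_outbound_rules "$@" | iptables-restore
  iptables -C OUTPUT -m owner --uid-owner 0 -j ACCEPT
}

# Usage (as root):  build_outbound_rules www-data 443 80 > /etc/iptables/egress.rules
#                   load_and_verify www-data 443 80
```

Two caveats a practitioner would check before relying on this. First, the `owner` match only classifies packets generated by local processes (OUTPUT and POSTROUTING), so it does nothing for traffic from LXC containers that crosses the host's FORWARD chain; for the containers Mario mentions, the rule would have to live inside each container or be replaced by a per-container policy on the host. Second, the uid 0 exception covers every root-owned socket, including daemons that happen to run as root, so it is worth reviewing which services do before treating "root only" as equivalent to "sysadmin with sudo only".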



