CentOS 5.0 Install
Peter Farrow
peter at farrows.org
Tue Dec 25 13:24:23 GMT 2007
Hi There,
Yes, iptables is easy to configure and you should probably firewall your
boxes on the net (I firewall every machine that faces the net).
However, I have to say that SELinux is a PITA and I disable it at the
earliest possible opportunity. If you don't have a box which people
don't log into locally, i.e. just a web server, mail server or file
server, then SELinux is more trouble than it's worth.
I have certainly never needed it across any of the enterprises I own or
support/manage.
Generally, if I come across a troublesome machine, looking to see if it
has SELinux enabled is the first port of call.
That's not to say it doesn't have its uses, just that I have never found
them, specifically I think because my users don't get shell access to
the machines, but primarily because the machines are properly/tightly
configured from a security perspective to start with.
So in summary, it's not really needed in my book.
P.
UxBoD wrote:
> Why disable iptables? I always run it and it is not that hard to configure. I think it was on here somebody pointed out http://www.rfxnetworks.com/apf.php and that just works great! Take the time and set it up, and it also provides a better understanding of what is actually running on your server.
>
> Completely agree about SELinux! Yes it is a very good security system, but can be a real PIA ;)
>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854 36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>
> ----- Original Message -----
> From: "Julian Field" <MailScanner at ecs.soton.ac.uk>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: 24 December 2007 17:33:12 o'clock (GMT) Europe/London
> Subject: Re: CentOS 5.0 Install
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>
> Stephen Swaney wrote:
>
>> Phil Udel wrote:
>>
>>> Has Anyone Had any issues with CentOS 5.0?
>>> I am creating a New Mail Server and thought I would use the new CentOS
>>>
>>>
>> CentOS 5 quietly installs some iptables rules that can cause problems
>> with some gateway email related applications. Be sure and check them
>> after the install and make sure you can live with the new defaults.
>>
>> Also SELinux is configured on by default and you probably need to
>> turn it off in the security configuration screen that appears during
>> the first reboot after installation.
>>
> Eek, well spotted there, Mr S. I don't run host-based firewalls on
> anything except Windows boxes, so didn't know that one. The first thing
> I do is always permanently switch off all services I don't need,
> including iptables and ip6tables (oh, and selinux).
>
> Jules
>
> - --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.7.0 (Build 1012)
> Comment: Use Thunderbird's Enigmail add-on to verify this message
> Charset: ISO-8859-1
>
> wj8DBQFHb+1ZEfZZRxQVtlQRAsiuAJ4gVk+XNRkpBDWfV3LD91y/jYVeLACfUMzI
> RyoAJu04p1yVWrV9ucdsqjY=
> =X7cN
> -----END PGP SIGNATURE-----
>
>