18:02:58 <randomuser> #startmeeting
18:02:58 <zodbot> Meeting started Thu Aug 28 18:02:58 2014 UTC.  The chair is randomuser. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:58 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:03:10 <randomuser> #meetingname Fedora Docs Office Hours
18:03:10 <zodbot> The meeting name has been set to 'fedora_docs_office_hours'
18:03:18 <randomuser> #topic Who is here?
18:03:30 * randomuser raises hand
18:03:33 <randomuser> I'm here.
18:03:47 * jsmith lurks
18:03:54 <randomuser> .pingdocs anyone up for office hours today?
18:05:01 <Capesteve> I am here
18:05:22 <Sparks> Oh!  Oh!  Me!  Me!
18:07:55 <randomuser> yay!
18:08:23 <randomuser> Capesteve, Sparks, should we talk about firewalls?
18:09:01 <Capesteve> We can
18:09:23 <randomuser> #topic Firewalls!
18:09:46 <randomuser> Capesteve, you might find the impetus for this interesting
18:10:25 <randomuser> I created a bridge on an el7 system using the std ifcfg method
18:10:43 <randomuser> and found that firewalld blocked traffic between members of the bridge
18:11:45 <Capesteve> and I suppose that was unexpected
18:12:26 <Capesteve> The RHEL7 Security Guide does have a section on rp_filter
18:12:51 <randomuser> I talked to twoerner about it, and the only way we found in a short time that enabled traffic was something like `firewall-cmd --direct --in-interface one --out-interface two`
18:13:27 <randomuser> ( clearly I can't remember the command offhand, but traffic had to be enabled between physdevs each way for each pair )
18:15:00 * randomuser reads
18:16:32 <randomuser> Thanks, Capesteve, I'll try that when I get back
18:16:41 <Capesteve> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Network_Access.html#sec-Disabling_Source_Routing
18:17:03 <Capesteve> See section "Disabling Source Routing"
18:17:33 <Capesteve> that would stop you routing out of a different interface
18:18:17 <Capesteve> e.g. when trying to do some kind of, what's the word, not exactly link aggregation,
18:18:27 <randomuser> Fedora has spoiled me wrt sysctl tweaks, I don't have to do much there
18:19:36 <Capesteve> using two Internet connections, or using a server as a route, that would not be allowed by default in RHEL7
18:19:49 <Capesteve> s/route/router/
18:20:08 <Capesteve> I am not sure if that is your issue, just trying to guess
18:20:46 <randomuser> I'll leave this page up here at home, too - $DAYJOB is a KVM host, but at home I have an el6 router with two WAN links :)
18:20:58 <randomuser> err... el7
18:21:16 <Capesteve> nice
18:22:13 <randomuser> so I'll have to read up on routing too; right now it's just using whatever got declared as the default route
18:22:54 <randomuser> but, back to docs
18:23:18 <randomuser> Capesteve, are you thinking that a small firewall guide is the best idea, or just an acceptable one?
18:25:14 <Capesteve> I think there is no harm in it, divide and conquer
18:26:59 * randomuser nods
18:27:10 <Capesteve> having two (or more) smaller guides from the Security Guide means one can be tied to a release and one can be more general advice
18:27:55 <randomuser> yeah, Sparks has been talking about serious restructuring anyway, this could work along those lines
18:28:23 <Capesteve> also, Sparks can pick the one he feels is more his specialty or requires his steady hand, and one can be passed to another
18:28:39 <randomuser> I was also thinking, since the material is relatively well covered, it could be a good training/apprentice opportunity
18:29:11 <Capesteve> about two years ago two or more guides were combined
18:29:25 <randomuser> ie specifically adding ACLs on the git repo for people not in docs-writers that volunteer
18:30:22 <Capesteve> that should probably be the place to look where to take your little hammer and chisel
18:31:41 * randomuser sighs
18:32:13 <randomuser> to think about how much effort has gone into merging and splitting guides without changing the content...
18:34:55 <randomuser> Sparks, nothing to add?
18:35:17 <Capesteve> as I was new at the time I was reluctant to make a fuss
18:36:47 <randomuser> psh. this is old hat for you, no reason to keep your experience to yourself just because people don't know about it yet
18:37:22 <Capesteve> I was not experienced in these matters at the time
18:37:52 <Sparks> randomuser: Sorry, I was elsewhere...
18:37:52 <randomuser> ah
18:37:55 * Sparks reads up
18:38:13 <Capesteve> j hradilek is far more experienced in the art of docs
18:38:58 <randomuser> Capesteve, you did bring up some good points, though; we don't do any favors by creating something that can't be used in RHEL guides from something that can
18:39:22 <Sparks> randomuser: Yes, a security "text book" and a how-to book...
18:40:07 <randomuser> Sparks, you should get that story about the guy who locked down his server config then left the black hats in the room unattended
18:40:20 <randomuser> s/$/ in there./
18:40:35 <Sparks> heh
18:40:51 <Capesteve> randomuser: so that's why it's best to split things, make some things more targeted to Fedora users and leave some stuff as essentially clones or mirrors of RHEL guides
18:42:04 * randomuser nods
18:42:55 <randomuser> Capesteve, or preferably, the upstream source for RHEL8 guides
18:43:24 <randomuser> a little departure in the right direction can be good
18:43:40 * randomuser has to migrate, brb
18:44:56 <Capesteve> randomuser: I have done some chapters in Fedora before RHEL. e.g. ntp, chrony, ptp.
18:45:22 <Capesteve> randomuser: and would do more as time allows
18:46:14 <Capesteve> but there have been some "things" that were not possible to do due to factors outside my control
18:46:57 <Sparks> Capesteve: The current Fedora Security Guide == RHEL 6 Security Guide
18:47:08 <Sparks> err...  current == a few years ago current
18:47:20 <Capesteve> I did not know that sparks
18:47:54 <Capesteve> because I have only ever worked on networking related parts of the Security Guides
18:51:50 <randomuser> sclark, we're talking about starting a new guide just to cover firewalls, want to get in on it?
18:53:11 <Sparks> Capesteve: Yeah, we pulled the RHEL guide in with the Fedora guide before RHEL6.  The RHEL guide was more of a text book where the Fedora guide was more of a how-to.
18:53:28 <Sparks> That's one of the reasons the guide doesn't flow well.
18:54:03 <Capesteve> Sparks, you could go through all the security guides, their ToC, and draw up a list of what you do want to maintain, what you do not want to maintain, and what you have no strong feelings about, then it should be easier to decide how to divide up the guide, and the work
18:54:58 <sclark> randomuser: Hi. Don't know much about firewalls beyond the basics but willing to learn.
18:55:02 <Capesteve> it's easier to divide the guide and share some of the work than spend time rewriting something to make it fit together
18:57:35 <Sparks> Capesteve: Yeah, I can do that.
18:58:01 <Sparks> Capesteve: I'm seriously thinking about breaking all the hardening stuff into their own guides/articles.
18:59:57 <randomuser> sclark, a lot of the content is already on the wiki or in the Security guide, some in other guides; it would be markup, organization, etc. You'd learn along the way :)
19:02:21 <sclark> randomuser: I'd be happy to do some of that if someone is setting out the overall direction.
19:03:53 <randomuser> fair enough
19:05:44 <randomuser> I think we're all on the same page so far, so
19:05:56 <randomuser> #agreed Firewall configuration will have a dedicated guide
19:06:17 <randomuser> #link http://fedoraproject.org/wiki/Creating_a_new_guide
19:06:50 <randomuser> #info first step is requesting a new fedorahosted repo
19:07:19 <randomuser> ( if someone files the ticket, I can fill the request later today if it doesn't get done sooner )
19:07:38 <randomuser> #info content to be moved to the firewall guide should be identified
19:07:54 <randomuser> with bz tickets, maybe?
19:08:27 <Capesteve> use an etherpad with a ToC ?
19:08:52 <Capesteve> I mean, paste the ToCs in an etherpad
19:09:00 <Capesteve> for discussion
19:09:19 <randomuser> good idea
19:10:06 <randomuser> http://piratepad.nl/3ApNpM8Kaw
19:11:14 <randomuser> Does anyone have master versions available to paste from?
19:11:28 <randomuser> I don't, but I can do it from docs.fp.o if not
19:12:16 * sclark has to step out for a few minutes, back soon
19:12:32 <randomuser> this piratepad instance isn't doing well
19:12:49 <Capesteve> give Sparks time to indicate what he wants to keep, what he is willing to give up, etc.
19:13:15 * randomuser goes to try a different pad instance
19:14:27 <randomuser> Please try http://piratepad.net/9kMBB7VZlP
19:16:48 <randomuser> Do we actually want to *name* it the firewall guide?
19:23:09 <randomuser> I'll start by deleting TOC entries that clearly don't belong?
19:29:08 <Capesteve> I was going to suggest holding off on the name till we know what is being split out of the current Fedora Security guide, but it seems like the write name to me
19:32:34 <randomuser> brb
19:35:20 <Capesteve> s/write/right/
19:35:51 <Capesteve> Firewall Administration Guide ?
19:55:58 <sclark> to be known as the FAG, for short?
19:59:29 * sclark has to go do family stuff (mid-evening here in UK) but reaffirms willingness to help out with this guide.
20:35:01 <Capesteve> g'night
21:17:53 <randomuser> well, that took longer than I expected
21:25:17 <randomuser> Hey Sparks, are you going to take a tilt at that etherpad instance?
21:25:43 <randomuser> it's probably time to wrap up office hours, I don't want to leave that portion half done
00:33:33 <zoglesby> that was a busy office hours
00:33:41 <zoglesby> and it seems to still be going
00:33:50 <zoglesby> yay! I made it today!
01:40:39 <randomuser> well, now that zoglesby showed up...
01:40:43 <randomuser> #endmeeting