18:02:58 <randomuser> #startmeeting
18:02:58 <zodbot> Meeting started Thu Aug 28 18:02:58 2014 UTC. The chair is randomuser. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:58 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
18:03:10 <randomuser> #meetingname Fedora Docs Office Hours
18:03:10 <zodbot> The meeting name has been set to 'fedora_docs_office_hours'
18:03:18 <randomuser> #topic Who is here?
18:03:30 * randomuser raises hand
18:03:33 <randomuser> I'm here.
18:03:47 * jsmith lurks
18:03:54 <randomuser> .pingdocs anyone up for office hours today?
18:05:01 <Capesteve> I am here
18:05:22 <Sparks> Oh! Oh! Me! Me!
18:07:55 <randomuser> yay!
18:08:23 <randomuser> Capesteve, Sparks, should we talk about firewalls?
18:09:01 <Capesteve> We can
18:09:23 <randomuser> #topic Firewalls!
18:09:46 <randomuser> Capesteve, you might find the impetus for this interesting
18:10:25 <randomuser> I created a bridge on an el7 system using the std ifcfg method
18:10:43 <randomuser> and found that firewalld blocked traffic between members of the bridge
18:11:45 <Capesteve> and I suppose that was unexpected
18:12:26 <Capesteve> The RHEL7 Security Guide does have a section on rp_filter
18:12:51 <randomuser> I talked to twoerner about it, and the only way we found in a short time that enabled traffic was something like `firewall-cmd --direct --in-interface one --out-interface two`
18:13:27 <randomuser> ( clearly I can't remember the command offhand, but traffic had to be enabled between physdevs each way for each pair )
18:15:00 * randomuser reads
18:16:32 <randomuser> Thanks, Capesteve, I'll try that when I get back
18:16:41 <Capesteve> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Network_Access.html#sec-Disabling_Source_Routing
18:17:03 <Capesteve> See section "Disabling Source Routing"
18:17:33 <Capesteve> that would stop you routing out of a different interface
18:18:17 <Capesteve> e.g. when trying to do some kind of, what's the word, not exactly link aggregation,
18:18:27 <randomuser> Fedora has spoiled me wrt sysctl tweaks, I don't have to do much there
18:19:36 <Capesteve> using two Internet connections, or using a server as a route, that would not be allowed by default in RHEL7
18:19:49 <Capesteve> s/route/router/
18:20:08 <Capesteve> I am not sure if that is your issue, just trying to guess
18:20:46 <randomuser> I'll leave this page up here at home, too - $DAYJOB is a KVM host, but at home I have an el6 router with two WAN links :)
18:20:58 <randomuser> err... el7
18:21:16 <Capesteve> nice
18:22:13 <randomuser> so I'll have to read up on routing too; right now it's just using whatever got declared as the default route
18:22:54 <randomuser> but, back to docs
18:23:18 <randomuser> Capesteve, are you thinking that a small firewall guide is the best idea, or just an acceptable one?
18:25:14 <Capesteve> I think there is no harm in it, divide and conquer
18:26:59 * randomuser nods
18:27:10 <Capesteve> having two (or more) smaller guides from the Security Guide means one can be tied to a release and one can be more general advice
18:27:55 <randomuser> yeah, Sparks has been talking about serious restructuring anyway, this could work along those lines
18:28:23 <Capesteve> also, Sparks can pick the one he feels is more his specialty or requires his steady hand, and one can be passed to another
18:28:39 <randomuser> I was also thinking, since the material is relatively well covered, it could be a good training/apprentice opportunity
18:29:11 <Capesteve> about two years ago two or more guides were combined
18:29:25 <randomuser> ie specifically adding ACLs on the git repo for people not in docs-writers that volunteer
18:30:22 <Capesteve> that should probably be the place to look where to take your little hammer and chisel
18:31:41 * randomuser sighs
18:32:13 <randomuser> to think about how much effort has gone into merging and splitting guides without changing the content...
18:34:55 <randomuser> Sparks, nothing to add?
18:35:17 <Capesteve> as I was new at the time I was reluctant to make a fuss
18:36:47 <randomuser> psh. this is old hat for you, no reason to keep your experience to yourself just because people don't know about it yet
18:37:22 <Capesteve> I was not experienced in these matters at the time
18:37:52 <Sparks> randomuser: Sorry, I was elsewhere...
18:37:52 <randomuser> ah
18:37:55 * Sparks reads up
18:38:13 <Capesteve> j hradilek is far more experienced in the art of docs
18:38:58 <randomuser> Capesteve, you did bring up some good points, though; we don't do any favors by creating something that can't be used in RHEL guides from something that can
18:39:22 <Sparks> randomuser: Yes, a security "text book" and a how-to book...
18:40:07 <randomuser> Sparks, you should get that story about the guy who locked down his server config then left the black hats in the room unattended
18:40:20 <randomuser> s/$/ in there./
18:40:35 <Sparks> heh
18:40:51 <Capesteve> randomuser: so that's why it's best to split things, make some things more targeted to Fedora users and leave some stuff as essentially clones or mirrors of RHEL guides
18:42:04 * randomuser nods
18:42:55 <randomuser> Capesteve, or preferably, the upstream source for RHEL8 guides
18:43:24 <randomuser> a little departure in the right direction can be good
18:43:40 * randomuser has to migrate, brb
18:44:56 <Capesteve> randomuser: I have done some chapters in Fedora before RHEL. e.g. ntp, chrony, ptp.
18:45:22 <Capesteve> randomuser: and would do more as time allows
18:46:14 <Capesteve> but there have been some "things" that were not possible to do due to factors outside my control
18:46:57 <Sparks> Capesteve: The current Fedora Security Guide == RHEL 6 Security Guide
18:47:08 <Sparks> err... current == a few years ago current
18:47:20 <Capesteve> I did not know that sparks
18:47:54 <Capesteve> because I have only ever worked on networking related parts of the Security Guides
18:51:50 <randomuser> sclark, we're talking about starting a new guide just to cover firewalls, want to get in on it?
18:53:11 <Sparks> Capesteve: Yeah, we pulled the RHEL guide in with the Fedora guide before RHEL6. The RHEL guide was more of a text book where the Fedora guide was more of a how-to.
18:53:28 <Sparks> That's one of the reasons the guide doesn't flow well.
18:54:03 <Capesteve> Sparks, you could go through all the security guides, their ToC, and draw up a list of what you do want to maintain, what you do not want to maintain, and what you have no strong feelings about, then it should be easier to decide how to divide up the guide, and the work
18:54:58 <sclark> randomuser: Hi. Don't know much about firewalls beyond the basics but willing to learn.
18:55:02 <Capesteve> it's easier to divide the guide and share some of the work than spend time rewriting something to make it fit together
18:57:35 <Sparks> Capesteve: Yeah, I can do that.
18:58:01 <Sparks> Capesteve: I'm seriously thinking about breaking all the hardening stuff into their own guides/articles.
18:59:57 <randomuser> sclark, a lot of the content is already on the wiki or in the Security guide, some in other guides; it would be markup, organization, etc. You'd learn along the way :)
19:02:21 <sclark> randomuser: I'd be happy to do some of that if someone is setting out the overall direction.
19:03:53 <randomuser> fair enough
19:05:44 <randomuser> i think we're all on the same page so far, so
19:05:56 <randomuser> #agreed Firewall configuration will have a dedicated guide
19:06:17 <randomuser> #link http://fedoraproject.org/wiki/Creating_a_new_guide
19:06:50 <randomuser> #info first step is requesting a new fedorahosted repo
19:07:19 <randomuser> ( if someone files the ticket, I can fill the request later today if it doesn't get done sooner )
19:07:38 <randomuser> #info content to be moved to the firewall guide should be identified
19:07:54 <randomuser> with bz tickets, maybe?
19:08:27 <Capesteve> use an etherpad with a ToC ?
19:08:52 <Capesteve> I mean, paste the ToCs in an etherpad
19:09:00 <Capesteve> for discussion
19:09:19 <randomuser> good idea
19:10:06 <randomuser> http://piratepad.nl/3ApNpM8Kaw
19:11:14 <randomuser> Does anyone have master versions available to paste from?
19:11:28 <randomuser> I don't, but I can do it from docs.fp.o if not
19:12:16 * sclark has to step out for a few minutes, back soon
19:12:32 <randomuser> this piratepad instance isn't doing well
19:12:49 <Capesteve> give Sparks time to indicate what he wants to keep, what he is willing to give up, etc.
19:13:15 * randomuser goes to try a different pad instance
19:14:27 <randomuser> Please try http://piratepad.net/9kMBB7VZlP
19:16:48 <randomuser> Do we actually want to *name* it the firewall guide?
19:23:09 <randomuser> I'll start by deleting TOC entries that clearly don't belong?
19:29:08 <Capesteve> I was going to suggest holding off on the name till we know what is being split out of the current Fedora Security guide, but it seems like the write name to me
19:32:34 <randomuser> brb
19:35:20 <Capesteve> s/write/right/
19:35:51 <Capesteve> Firewall Administration Guide ?
19:55:58 <sclark> to be known as the FAG, for short?
19:59:29 * sclark has to go do family stuff (mid-evening here in UK) but reaffirms willingness to help out with this guide.
20:35:01 <Capesteve> g'night
21:17:53 <randomuser> well, that took longer than I expected
21:25:17 <randomuser> Hey Sparks, are you going to take a tilt at that etherpad instance?
21:25:43 <randomuser> it's probably time to wrap up office hours, I don't want to leave that portion half done
00:33:33 <zoglesby> that was a busy office hours
00:33:41 <zoglesby> and it seems to still be going
00:33:50 <zoglesby> yay! I made it today!
01:40:39 <randomuser> well, now that zoglesby showed up...
01:40:43 <randomuser> #endmeeting