Bug 1120296

Summary: Fedora Server firewall configuration incorrect
Product: [Fedora] Fedora
Component: firewalld
Version: 21
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Adam Williamson <awilliam>
Assignee: Thomas Woerner <twoerner>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dennis, jpopelka, mitr, notting, robatino, twoerner
Keywords: Reopened
Whiteboard: AcceptedBlocker
Fixed In Version: firewalld-0.3.10-3.fc21
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-07-22 09:06:46 UTC
Bug Depends On: 1117965
Bug Blocks: 1043119

Description Adam Williamson 2014-07-16 16:34:08 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1117965 was proposed as a Fedora 21 Alpha release blocker, but we felt really the blocker is *this* bug, and this one depends on that.

This bug is simply that the Fedora Server firewall configuration as described at https://fedoraproject.org/wiki/Server/Technical_Specification#Firewall and enforced as an Alpha release criterion - https://fedoraproject.org/wiki/Fedora_21_Alpha_Release_Criteria#Firewall_configuration , "After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces. The only ports which may be open to incoming traffic are port 22 (ssh), port XX (Cockpit web interface), and any ports associated with server Roles selected during installation. Supported install-time firewall configuration options must work correctly." - must be implemented for Fedora 21 Alpha. As this requires a per-Product configuration mechanism, this bug depends on #1117965 .

Accepted as a blocker at the 2014-07-16 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-07-16/f21-blocker-review.2014-07-16-15.59.log.txt .

Comment 1 Miloslav Trmač 2014-07-21 18:37:33 UTC
The packaging draft has been approved; isn’t this now up to firewalld packaging, i.e. Thomas?

Comment 2 Stephen Gallagher 2014-07-21 18:55:30 UTC
The latest builds of firewalld are following the new packaging draft and appear to contain the appropriate firewall defaults. Closing this ticket (please reopen it if any of the defaults are incorrect).

Comment 3 Miloslav Trmač 2014-07-21 19:27:44 UTC
(In reply to Stephen Gallagher from comment #2)
> The latest builds of firewalld are following the new packaging draft and
> appear to contain the appropriate firewall defaults.
The packaging works (i.e. firewalld-config-server gets installed), but the defaults do not:
> ERROR: Default zone 'FedoraServerpublic' is not valid.  Using 'public'.
Needs s/public//.

(Also, the zone internally calls itself "Public"; it probably shouldn’t.)
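
Added example, not part of the bug thread or of firewalld: a shell check for the failure reported in comment 3, where `DefaultZone` names a zone with no definition and firewalld falls back to `public`. It assumes firewalld's standard paths (`/etc/firewalld/firewalld.conf`, `/etc/firewalld/zones`, `/usr/lib/firewalld/zones`) and that a zone is defined by a file named `<zone>.xml`.

```shell
#!/bin/sh
# Added example: confirm that the DefaultZone set in firewalld.conf has a
# matching zone definition, so firewalld does not silently fall back to
# another zone with a different set of open ports.

# Print the DefaultZone value from a firewalld.conf-style file
# (last assignment wins, surrounding whitespace stripped).
default_zone() {
    sed -n '/^[[:space:]]*DefaultZone[[:space:]]*=/{
        s/^[^=]*=[[:space:]]*//
        s/[[:space:]]*$//
        p
    }' "$1" | tail -n 1
}

# check_default_zone CONF ZONE_DIR...
# Returns 0 if <zone>.xml exists in one of the directories,
# 1 if the zone has no definition, 2 if DefaultZone is not set.
check_default_zone() {
    conf=$1
    shift
    zone=$(default_zone "$conf")
    if [ -z "$zone" ]; then
        echo "FAIL: no DefaultZone set in $conf" >&2
        return 2
    fi
    for dir in "$@"; do
        if [ -f "$dir/$zone.xml" ]; then
            echo "OK: default zone '$zone' is defined in $dir/$zone.xml"
            return 0
        fi
    done
    echo "FAIL: default zone '$zone' has no zone file in: $*" >&2
    return 1
}

# Run against the installed system only when asked to (--system).
if [ "${1:-}" = "--system" ]; then
    check_default_zone /etc/firewalld/firewalld.conf \
        /etc/firewalld/zones /usr/lib/firewalld/zones
fi
```

Run with `--system` as a post-install test; a non-zero exit status means the configured default zone is not the one that will actually be enforced.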

Comment 4 Thomas Woerner 2014-07-22 09:06:46 UTC
Fixed in F21 and rawhide in package firewalld-0.3.10-5 or newer.