Bug 1182654

Summary: [RFE] Firewall INPUT, FORWARD should be DROP by default.
Product: Red Hat CloudForms Management Engine
Reporter: Jared Deubel <jdeubel>
Component: Appliance
Assignee: Joe Rafaniello <jrafanie>
Status: CLOSED ERRATA
QA Contact: Pete Savage <psavage>
Severity: high
Priority: high
Version: 5.4.0
CC: bkozdemb, cbolz, dajohnso, jdeubel, jhardy, jrafanie, jvlcek, kbrock, psavage, snansi, xlecauch
Target Milestone: GA
Keywords: FutureFeature
Target Release: 5.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
This version of the CloudForms Management Engine appliance changes the default INPUT and FORWARD firewall rule chains to DROP. This enhancement complies with government security requirements.
Story Points: ---
Last Closed: 2015-06-16 12:47:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Comment 2 Pete Savage 2015-02-05 17:13:49 UTC
In 5.3.3.0.1.20150127115148_446974b, the default is still ACCEPT

Comment 3 Keenan Brock 2015-02-19 22:52:06 UTC
Can we make this optional?
Drop all is good for security, but it is very difficult for getting it up and running, and very difficult to diagnose problems.

Comment 9 Dave Johnson 2015-03-20 03:58:45 UTC
Pete, can you take a stab at this and see what happens? Thanks.

Comment 13 CFME Bot 2015-04-14 20:57:14 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/999d2ae0743ece4d1bbb6bc1d465fbf21e8097b8

commit 999d2ae0743ece4d1bbb6bc1d465fbf21e8097b8
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Fri Apr 10 21:41:08 2015 -0400
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Fri Apr 10 21:44:42 2015 -0400

    Drop INPUT/FORWARD packets not whitelisted in the firewall setup
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182654
    
    **Before** (cf9f8924d685)
    We accepted all INPUT packets.  We allowed icmp, loopback and whitelisted
    ports we use.  Any other INPUT ports were logged and dropped.
    
    We accepted all FORWARD packets.
    
    **After this commit**
    We drop all INPUT packets by default excluding icmp, loopback,
    and whitelisted ports we use.
    
    We drop all FORWARD packets.
    
    OUTPUT packets have NOT been changed, we accept them.
    [skip ci]

 build/kickstarts/base.ks.erb | 8 ++++++++
 1 file changed, 8 insertions(+)
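
The policy described in the commit message above (INPUT and FORWARD default DROP, OUTPUT untouched, loopback, ICMP and whitelisted ports accepted, everything else logged and dropped), expressed as an iptables-restore ruleset. This is an added illustration, not the appliance's kickstart code from the PR; the port list, the conntrack rule and the log prefix are assumptions.

```bash
#!/bin/bash
# Constructed example: generate an iptables-restore ruleset matching the
# policy in the commit message. Only prints rules; nothing is applied.

gen_appliance_rules() {
    # Arguments: TCP ports to whitelist (assumed list, e.g. 22 443).
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    local port
    for port in "$@"; do
        # One ACCEPT per whitelisted port; everything else falls to the chain policy.
        printf -- '-A INPUT -p tcp -m tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    # Log (rate limited) before the DROP policy applies, which is what makes a
    # default-DROP appliance diagnosable, as Comment 3 worries about.
    printf -- '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: "\n'
    printf 'COMMIT\n'
}

# Review the output, then apply as root with:
#   gen_appliance_rules 22 443 | iptables-restore
```

Dropped packets then show up in the kernel log with the "IPTables-Dropped:" prefix, so a blocked port can be identified without changing the policy.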

Comment 14 Joe Rafaniello 2015-04-15 13:32:30 UTC
We moved to building the firewall rules in https://github.com/ManageIQ/manageiq/pull/2562 for https://bugzilla.redhat.com/show_bug.cgi?id=1173216.

In https://github.com/ManageIQ/manageiq/pull/2592, we drop INPUT/FORWARD packets by default in kickstart setup of the firewall.  See that PR for more information.

Comment 16 Joe Rafaniello 2015-04-27 20:40:49 UTC
I'm renaming the bug because we can't easily change OUTPUT to drop by default without greatly decreasing usability. This bug will only change INPUT and FORWARD to drop by default.

Comment 18 Pete Savage 2015-06-02 21:33:31 UTC
This is confirmed in 5.4.0.4

INPUT and FORWARD are DROP by default.

Comment 20 errata-xmlrpc 2015-06-16 12:47:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1100.html