Bug 1206490

Summary: [RFE] Backport freeipa-*.xml service from upstream firewalld
Product: Red Hat Enterprise Linux 7
Reporter: Kazuo Moriwaka <kmoriwak>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: Tomas Dolezal <todoleza>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.1
CC: jpopelka, jscotka, pvrabec, todoleza
Target Milestone: rc
Keywords: FutureFeature, Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Backport of upstream FreeIPA services: freeipa-ldap, freeipa-ldaps and freeipa-replication
Reason: These services have not been available in the RHEL-7 package. The list of ports that need to be opened is long.
Result: The FreeIPA ports can now be opened in a simple way by using the service name.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 12:59:53 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Kazuo Moriwaka 2015-03-27 09:23:17 UTC
Description of problem:
It would ease the installation of IPA if the IPA required ports were available to firewalld.

Version-Release number of selected component (if applicable): firewalld-0.3.9-11.el7


How reproducible: 100%


Steps to Reproduce:
1. firewall-cmd --add-service=freeipa-ldap --permanent

Actual results:
Error

Expected results:
success

Additional info:
Upstream patch to add:

https://github.com/t-woerner/firewalld/commit/410f7540e4dc69fc8602a7057a83ee1f799b043f


Our document:
The "Linux Domain Identity Authentication and Policy Guide" has a section "2.4.5. System Ports" that guides setting the ports by hand. This should be replaced by add-service.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/prerequisites.html#prereq-ports

-----------------------------------------------------------
    Run the firewall-cmd command with the --permanent option specified.

    [root@server ~]# firewall-cmd --permanent --zone=public --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}

    Reload the firewall-cmd configuration to ensure that the change takes place immediately.

    [root@server ~]# firewall-cmd --reload
-----------------------------------------------------------
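
As an added check (not part of this report or of firewalld itself): a POSIX shell snippet that extracts the ports from a firewalld service definition and reports which of the ports the guide opens by hand would not be covered when switching from --add-port to --add-service. The service XML below is constructed to match the firewalld service file format and is not a copy of the upstream commit; the function names are my own.

```shell
#!/bin/sh
# Constructed freeipa-ldap service definition in firewalld's service XML
# format (illustrative, not the upstream file backported by this bug).
SERVICE_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA LDAP</short>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="389"/>
  <port protocol="tcp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="88"/>
  <port protocol="udp" port="464"/>
  <port protocol="udp" port="53"/>
  <port protocol="udp" port="123"/>
</service>'

# The manual --add-port list quoted from the guide in the report above.
GUIDE_PORTS="80/tcp 443/tcp 389/tcp 636/tcp 88/tcp 464/tcp 53/tcp 88/udp 464/udp 53/udp 123/udp"

# service_ports XML -> one "port/proto" entry per line, sorted.
service_ports() {
    printf '%s\n' "$1" \
      | sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' \
      | sort
}

# missing_ports XML "p1/proto p2/proto ..." -> ports from the manual list
# that the service definition does not open (space-separated, empty when
# the service fully covers the list).
missing_ports() {
    svc=$(service_ports "$1")
    out=""
    for p in $2; do
        printf '%s\n' "$svc" | grep -qx "$p" || out="$out $p"
    done
    printf '%s' "${out# }"
}

missing=$(missing_ports "$SERVICE_XML" "$GUIDE_PORTS")
if [ -n "$missing" ]; then
    echo "guide ports not covered by this service: $missing"
fi
```

For the constructed definition the check reports 636/tcp, the LDAPS port, which in the backport is carried by the separate freeipa-ldaps service, so a migration from --add-port must add both services.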

Comment 4 errata-xmlrpc 2015-11-19 12:59:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2422.html