Bug 177735

Summary: can't enable firewall within installer
Product: [Fedora] Fedora Reporter: Alexandre Oliva <oliva>
Component: anacondaAssignee: Anaconda Maintenance Team <anaconda-maint-list>
Status: CLOSED WONTFIX QA Contact: Mike McLean <mikem>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-01-13 18:17:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Alexandre Oliva 2006-01-13 16:52:33 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8) Gecko/20060103 Fedora/1.5-4 Firefox/1.5

Description of problem:
I dispute the wisdom of enabling boxes to be installed and booted up before the firewall can be set up in firstboot.  I can see that in some cases this might be what you want, but most often you should boot the box up already secure the first time.

Version-Release number of selected component (if applicable):
FC5T2

How reproducible:
Always

Steps to Reproduce:
1.Install (no question asked about firewall or selinux any more)
2.Boot system up
3.Leave firstboot run unattended


Actual Results:  You have a number of services running without anything to protect them until you get to answer the firstboot prompt.

Expected Results:  Machine should be safe when it first boots up.

Additional info:
Comment 1 Chris Lumens 2006-01-13 18:17:39 UTC 
When anaconda is done, you have SELinux set in enforcing mode and basically all
ports but SSH closed.  I say basically all because CUPS and mDNS are also open,
though you can't close those no matter what you do with the current
implementation of system-config-securitylevel (I have plans to fix that). 
firstboot is really only giving you the opportunity to open more stuff up, as
the defaults are pretty strict now.