Bug 485086

Summary: [RFE] ssh default allowed by kickstart firewall
Product: Red Hat Enterprise Linux 5
Reporter: David L. Parsley <parsley>
Component: anaconda
Assignee: Chris Lumens <clumens>
Status: CLOSED ERRATA
QA Contact: Release Test Team <release-test-team-automation>
Severity: medium
Docs Contact:
Priority: low
Version: 5.3
CC: atodorov, cww, gregswift, jstodola, rmunilla, tao
Target Milestone: rc
Keywords: FutureFeature, Reopened, Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: anaconda-11.1.2.227-1
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 681944 703081 (view as bug list)
Environment:
Last Closed: 2011-07-21 06:51:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 577334
Bug Blocks: 668576, 681944

Description David L. Parsley 2009-02-11 15:14:30 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.5) Gecko/2008121622 Fedora/3.0.5-1.fc10 Firefox/3.0.5

When I specify "firewall --enabled" in a kickstart file, ssh is allowed even without specifying "firewall --enabled --ssh".

Reproducible: Always

Steps to Reproduce:
Here are the specifics of how I install:
1. Create VM config file using xen kernel & initrd and this command line:
ksdevice=eth0 vnc vncconnect=XXX headless ip=XXX netmask=255.255.255.0 gateway=XXX dns=XXX ks=http://.../server.cfg
2. server.cfg has "firewall --enabled"
3. Start the VM with xm create -c server
4. Wait for the install to finish
Actual Results:  
ssh is allowed in the firewall; from /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Expected Results:  
Nothing is allowed through the firewall.

Comment 1 Chris Lumens 2009-02-12 15:56:56 UTC
Right, this is by design.  The reason being that for a lot of the enterprise customers, the only way to get into the machine after installation is via ssh.  We don't want to lock people out of fresh installs.  This is especially the case on s390 and similarly unusual architectures.  It is perhaps a little unexpected, but we're definitely doing this for a reason.

Comment 2 David L. Parsley 2009-02-12 18:52:34 UTC
Ok, in that case the firewall kickstart option should have a '--no-ssh' flag, since the '--ssh' flag is really the default anyway.  Can this be made an RFE instead?  Really, documenting the '--ssh' flag qualifies this as a bug, IMHO.

Comment 3 Chris Lumens 2010-05-25 13:57:16 UTC
If you feel this is important, please raise it through your support representative which will allow us to make room in our schedules for addressing this issue.  Thanks.

Comment 8 Chris Lumens 2011-03-03 16:53:39 UTC
For my future reference, here's the patch:

--- a/installclass.py
+++ b/installclass.py
@@ -305,13 +305,16 @@ class BaseInstallClass:
     def setSELinux(self, id, sel):
         id.security.setSELinux(sel)
 
-    def setFirewall(self, id, enable = 1, trusts = [], ports = []):
+    def setFirewall(self, id, enable = 1, trusts = [], ports = [], disableSsh = False):
        id.firewall.enabled = enable
        id.firewall.trustdevs = trusts
 
        for port in ports:
            id.firewall.portlist.append (port)
-        
+
+        if disableSsh:
+            id.firewall.portlist.remove("22:tcp")
+
     def setMiscXSettings(self, id, depth = None, resolution = None,
                          desktop = None, runlevel = None):
 
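Review bot: the new `if disableSsh:` branch calls `id.firewall.portlist.remove("22:tcp")` unguarded, and `list.remove` raises ValueError when the item is absent, so `--no-ssh` becomes an installer traceback as soon as the firewall object's default portlist does not contain exactly that string (a later change to the default, or any code path that already dropped it). It also only removes the first occurrence: when the kickstart gives `--port=22:tcp` together with `--no-ssh`, the `for port in ports:` loop above has appended a second "22:tcp", one copy survives, and port 22 stays open despite `--no-ssh`. Suggest `while "22:tcp" in id.firewall.portlist: id.firewall.portlist.remove("22:tcp")`, or at least `if disableSsh and "22:tcp" in id.firewall.portlist:`, and a one-line comment stating which option wins when they conflict. Minor, since the signature is being touched anyway: the mutable defaults `trusts = []` and `ports = []` are pre-existing but would be safer as `None`.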
diff --git a/kickstart.py b/kickstart.py
index 46c6c1f..5f40e61 100644
--- a/kickstart.py
+++ b/kickstart.py
@@ -197,7 +197,7 @@ class AnacondaKSHandlers(KickstartHandlers):
         KickstartHandlers.doFirewall(self, args)
         dict = self.ksdata.firewall
        self.id.instClass.setFirewall(self.id, dict["enabled"], dict["trusts"],
-                                      dict["ports"])
+                                      dict["ports"], disableSsh=dict["disableSsh"])
 
     def doFirstboot(self, args):
         KickstartHandlers.doFirstboot(self, args)
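Review bot: `dict["disableSsh"]` in the new call is an unconditional key lookup, so this anaconda build now hard-requires a pykickstart whose firewall handler populates `disableSsh`; paired with an older pykickstart, every kickstart containing a `firewall` line fails with KeyError, not just the ones that use `--no-ssh`. Either use `dict.get("disableSsh", False)` so the installer degrades to the old behaviour, or declare the matching pykickstart build as a package dependency and note it in the commit message (Comment 12 tests against pykickstart-1.68-1.el5, so that pairing is evidently the intent; the diff itself does not say so). Also, the local `dict` shadows the builtin; pre-existing, but worth renaming while the line is being edited.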

Comment 12 Alexander Todorov 2011-05-09 08:48:27 UTC
Tested with pykickstart-1.68-1.el5 and anaconda-11.1.2.232-1. My ks.cfg contained:
firewall --enabled --no-ssh

ssh access was not configured in the firewall.
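The check Alexander Todorov describes in Comment 12 (and the rule the reporter quotes from /etc/sysconfig/iptables in the description) can be automated so a kickstart that relies on "firewall --enabled --no-ssh" is verified rather than assumed. The script below is an added example for this page, not code from the bug or from anaconda: it parses the RH-Firewall-1-INPUT chain in the format anaconda wrote on RHEL 5, lists every port accepted for NEW connections, and flags 22/tcp. The sample file it writes is constructed for the demo and mirrors the rule shape quoted in the report (the 80/tcp rule stands in for a kickstart `--port=80:tcp`); the chain name and rule layout are assumed to match what anaconda generated on that release.

```shell
#!/bin/sh
# Added example (not from the bug report or anaconda): audit the firewall that
# anaconda wrote to /etc/sysconfig/iptables and report which ports the
# RH-Firewall-1-INPUT chain accepts for NEW connections. Intended for a %post
# section or a first-boot sanity check of kickstarts using "firewall --no-ssh".

# write_sample PATH: constructed sample in the RHEL 5 anaconda layout, so the
# functions below can be demonstrated without touching a real system file.
# The 22/tcp rule is what "firewall --enabled" produces without --no-ssh; the
# 80/tcp rule stands in for "--port=80:tcp".
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# accepted_new_ports FILE: print "port/proto", one per line, for every
# RH-Firewall-1-INPUT rule that ACCEPTs NEW connections to a single --dport.
# Rules without a port (lo, icmp, ESTABLISHED,RELATED) are ignored, as is the
# final REJECT. Option order inside a rule does not matter.
accepted_new_ports() {
    awk '
        $1 == "-A" && $2 == "RH-Firewall-1-INPUT" && $(NF-1) == "-j" && $NF == "ACCEPT" {
            port = ""; proto = ""; new = 0
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--state" && index($(i + 1), "NEW")) new = 1
            }
            if (new && port != "" && proto != "") print port "/" proto
        }' "$1"
}

# ssh_open FILE: exit 0 if 22/tcp is accepted for NEW connections, 1 otherwise.
ssh_open() {
    accepted_new_ports "$1" | grep -qx '22/tcp'
}

# Demo against the constructed sample. On a real install, point the functions
# at /etc/sysconfig/iptables instead.
tmp=$(mktemp)
write_sample "$tmp"
echo "Ports accepting NEW connections:"
accepted_new_ports "$tmp"
if ssh_open "$tmp"; then
    echo "22/tcp is open: the kickstart did not pass --no-ssh (or added --port=22:tcp)"
else
    echo "22/tcp is closed"
fi
rm -f "$tmp"
```

Run it with `sh audit-firewall.sh` to see the demo; in a %post section, replace the demo with `ssh_open /etc/sysconfig/iptables && echo "ssh unexpectedly open" >&2`. Note that the script inspects the saved ruleset, not the live one, which is exactly what matters here: anaconda writes the file and the rules are loaded on first boot.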

Comment 13 errata-xmlrpc 2011-07-21 06:51:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0984.html