Bug 921680
| Field | Value |
|---|---|
| Summary | firewall --disabled in kickstart doesn't disable firewall |
| Product | [Fedora] Fedora |
| Component | firewalld |
| Version | 19 |
| Status | CLOSED ERRATA |
| Keywords | Reopened |
| Reporter | Kamil Páral <kparal> |
| Assignee | Thomas Woerner <twoerner> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | anaconda-maint-list, asaha, dshea, g.kaviyarasu, jonathan, jpopelka, mkolman, ncoghlan, orion, sbueno, twoerner, vanmeeuwen+fedora |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-11-27 14:31:01 UTC |

Description
Kamil Páral
2013-03-14 16:18:05 UTC
Created attachment 710112
iptables output after booting a system with firewall --disabled

The command used by anaconda to disable the firewall does not work. Program log has:

    09:21:59,552 INFO program: Running... /usr/bin/firewall-offline-cmd --disabled --service=ssh
    09:22:00,719 INFO program: Firewall was disabled, unable to convert to zone.
    09:22:00,719 INFO program: No changes to default zone needed.

Perhaps the anaconda folks and the firewalld folks can talk to each other and figure out what is needed to make this work.

Still present in F19 Beta RC2.

Try using services --disabled=firewalld

The firewall command controls firewalld, services controls the service.

If you think firewall-offline-cmd --disabled should turn off the service open up a bug with firewalld.

Brian, http://fedoraproject.org/wiki/Anaconda/Kickstart#firewall says:
> --disabled or --disable
> Do not configure any iptables rules.

But there are hundreds of iptables rules in the installed system. I don't know if they actually do something, or they are zone definitions or whatnot, but they are there. The documentation should probably be adjusted.

Reassigning back to firewalld, because we need some information how this is supposed to work. Whether disabled firewall means a disabled service, or a running service that doesn't block anything.

From https://fedoraproject.org/wiki/Anaconda/Kickstart#firewall :

firewall
This option corresponds to the Firewall Configuration screen in the installation program:

    firewall --enabled|--disabled <device> [options]

--disabled or --disable
Do not configure any iptables rules.

So, I expect that with "firewall --disabled" I end up with a system without an active firewall. Currently, I get an active firewall that only allows some default traffic.

(In reply to Brian C. Lane from comment #3)
> Try using services --disabled=firewalld
>
> The firewall command controls firewalld, services controls the service.
>
> If you think firewall-offline-cmd --disabled should turn off the service
> open up a bug with firewalld.

I see this on Fedora 19:

    # firewall-offline-cmd --disabled
    rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
    rm '/etc/systemd/system/basic.target.wants/firewalld.service'
    ln -s '/dev/null' '/etc/systemd/system/firewalld.service'
    Opening default zone 'public'

which masks the firewalld service.

I believe this can be closed as fixed - the fact firewall-offline-command --disabled is currently masking the service as well as disabling it is a separate issue.

Fixed in firewalld-0.3.4 and later.
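
The closing comments turn on whether the firewalld unit ends up enabled, disabled, or masked, which is decided by the symlinks under /etc/systemd/system. The shell check below is an added example, not part of the bug report or of firewalld; it classifies that state in an installed tree from the paths shown in the firewall-offline-cmd output, so a provisioning pipeline can confirm the host matches the kickstart intent. The ROOT argument and both function names are assumptions, and matching any *.wants directory generalizes beyond the basic.target.wants path seen on the page.

```shell
#!/bin/sh
# Added example: classify firewalld's unit state in an installed tree.
# ROOT (hypothetical parameter) is "/" on a live host, or the mount point
# of a freshly installed system inspected before first boot.

firewalld_unit_state() {
    root=${1:-/}
    unit_dir="${root%/}/etc/systemd/system"

    # Masked: the unit name itself is a symlink to /dev/null, so neither
    # a target nor D-Bus activation can start the service.
    if [ -L "$unit_dir/firewalld.service" ] &&
       [ "$(readlink "$unit_dir/firewalld.service")" = "/dev/null" ]; then
        echo masked
        return 0
    fi

    # Enabled: some target pulls the unit in through a *.wants symlink.
    # If the glob matches nothing, $link is the literal pattern and -L fails.
    for link in "$unit_dir"/*.wants/firewalld.service; do
        if [ -L "$link" ]; then
            echo enabled
            return 0
        fi
    done

    # Neither masked nor wanted by any target under /etc.
    echo disabled
}

# check_firewall_intent ROOT on|off
# Returns 0 when the unit state matches the intended kickstart setting.
check_firewall_intent() {
    state=$(firewalld_unit_state "$1")
    case "$2:$state" in
        on:enabled|off:disabled|off:masked)
            return 0 ;;
        *)
            echo "firewalld unit is $state, but firewall was expected $2" >&2
            return 1 ;;
    esac
}
```

This only inspects unit files; it does not tell you whether iptables rules are currently loaded on a running host.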