Bug 105994 - wrong ports chosen for security configuration
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Jeremy Katz
QA Contact: Mike McLean
Duplicates: 105998 107214 107220 107240 107301
 
Reported: 2003-10-01 17:05 EDT by John Reiser
Modified: 2007-11-30 17:10 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-06-24 08:15:36 EDT

Attachments
  Attachment 94850: /etc/sysconfig/iptables (605 bytes, text/plain), 2003-10-01 17:07 EDT, John Reiser
  Attachment 94868: /etc/sysconfig/iptables after adding SSH (684 bytes, text/plain), 2003-10-02 00:33 EDT, John Reiser

Description John Reiser 2003-10-01 17:05:39 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703

Description of problem:
In the "security configuration" dialog during CD-ROM installation with "Update
Image Version 1.0" of anaconda [README Sep 29 13:21], I checked only the box for
SSH.  ("Enable firewall" was already checked.)  So, I was expecting port 22 to
be open.  However, port 22 was not open (ssh from another machine could not
reach the new install), and instead ports 50 and 51 (remote mail check) were
open.  So the list of check boxes in the dialog does not line up with the list
of ports in the script.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. New install Fedora Core Test2.
2. Check only SSH on the security configuration "firewall" page.  (Leave 
"firewall enabled" on.)
3. Inspect /etc/sysconfig/iptables when installation finishes.
    

Actual Results:  /etc/sysconfig/iptables does not have port 22 open, so SSH does
not see any requests from the network.  Also, ports 50 and 51 _are_ open.

Expected Results:  Port 22 should be open for SSH.  Ports 50 and 51 should not
be open.

Additional info:
Comment 1 John Reiser 2003-10-01 17:07:38 EDT
Created attachment 94850 [details]
/etc/sysconfig/iptables

has ports 50 and 51 (remote mail check) open, instead of the requested port 22
(SSH).
Comment 2 Bill Nottingham 2003-10-01 18:18:56 EDT
That's not ports 50 and 51, it's *protocols* 50 and 51 (IPSEC).
Comment 3 John Reiser 2003-10-01 19:05:59 EDT
OK, "50" and "51" may refer to IPSEC, and perhaps that is supposed to enable ssh
to work, but the firewall still prevents ssh from receiving requests from the
network:
-----
$ ssh 192.168.0.5  # machine running RedHat 9 tries to access the new Fedora Core Test2 install
ssh: connect to host 192.168.0.5 port 22: No route to host
-----

Now, add the line
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
to the Fedora /etc/sysconfig/iptables, also /sbin/service iptables restart,
and then the RH9 machine can ssh to the Fedora machine.

So, the default is that SSH connectivity is broken from RH9 to Fedora Test2,
even when SSH is enabled in the firewall configuration dialog of a Fedora Test2
install.

This was working in Severn Beta1, and the regression is disappointing.  This
does not appear to be an instance of the UTF-8 problem that is mentioned in the
Release Notes for Fedora Core Test2.
Comment 4 John Reiser 2003-10-02 00:32:00 EDT
After install, redhat-config-securitylevel is inconsistent with the choice made
during anaconda install.  I run RedHat > System Settings > Security Level, and
see that "Enable firewall" is pre-chosen, but no service is Trusted; during
install I had picked SSH.

Checking SSH, clicking OK, and acknowledging the warning about erasing all
previous settings, gives an /etc/sysconfig/iptables that contains [I will attach
the full file]
-----
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-----
That was from  redhat-config-securitylevel-1.2.8-2 .

So, the anaconda dialog and the -config application are not in sync, either.
Comment 5 John Reiser 2003-10-02 00:33:55 EDT
Created attachment 94868 [details]
/etc/sysconfig/iptables after adding SSH

using redhat-config-securitylevel-1.2.8-2
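The confusion in Comments 1 to 4 is between an IP protocol match (`-p 50`, `-p 51`, which are ESP and AH, the IPsec protocols) and a TCP destination port match (`--dport 22`), plus the fact that a hand-added `--syn` rule and the `-m state --state NEW` rule written by redhat-config-securitylevel both open the same port. The script below is an added example, not code from the bug report, from anaconda or from redhat-config-securitylevel: it audits an iptables-save style file such as /etc/sysconfig/iptables, reports whether TCP/22 is actually accepted (either rule spelling), and lists numeric-protocol rules separately so they are not mistaken for ports. The sample files it writes are constructed from the rules quoted in the comments; the attachments themselves are not reproduced on the page, so the surrounding chain boilerplate, including the final `REJECT --reject-with icmp-host-prohibited` (which is what makes the client in Comment 3 see "No route to host"), is assumed to be the usual Red Hat layout rather than copied from them.

```shell
#!/bin/sh
# Added example; not from the bug report, anaconda, or redhat-config-securitylevel.
# Audits an iptables-save style file (the format of /etc/sysconfig/iptables) to answer
# the question raised in this bug: is TCP/22 really accepted, and are the "50" and "51"
# entries ports or IP protocol numbers (50 = ESP, 51 = AH, i.e. IPsec)?

# Exit 0 if $1 contains an ACCEPT rule for TCP destination port $2, else 1.
# Both spellings that appear in the bug match:
#   -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
#   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# "( |$)" keeps --dport 22 from matching --dport 2222.
tcp_port_accepted() {
    grep -E "^-A .*-p tcp .*--dport $2( |$).*-j ACCEPT" "$1" >/dev/null
}

# Print, one per line, every numeric protocol that $1 accepts with "-p <number>".
# A bare "-p 50" is a protocol match; only "--dport" names a port.
accepted_numeric_protocols() {
    sed -n -E 's/^-A .*-p ([0-9]+) .*-j ACCEPT.*/\1/p' "$1"
}

# One-line verdict for file $1; exit status mirrors tcp_port_accepted.
check_ssh() {
    if tcp_port_accepted "$1" 22; then
        echo "$1: TCP/22 accepted, sshd is reachable through the firewall"
        return 0
    fi
    protos=$(accepted_numeric_protocols "$1" | tr '\n' ' ')
    echo "$1: TCP/22 NOT accepted; numeric-protocol rules: ${protos:-none}" \
         "(IP protocols, not TCP ports)"
    return 1
}

# Constructed sample, modelled on the rules quoted in Comments 1-4 (assumption: the
# attached files are not reproduced on the page, so the surrounding RH-Firewall-1-INPUT
# boilerplate, including the final REJECT, is the usual Red Hat layout, not a copy).
# $1 = output path, $2 = optional extra rule line placed before the final REJECT.
write_sample() {
    {
        cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
        [ -n "$2" ] && printf '%s\n' "$2"
        cat <<'EOF'
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    } > "$1"
}

# Usage: the file as anaconda wrote it (SSH box ticked, rule lost) versus the same file
# with the rule from Comment 3 added by hand.
tmp=${TMPDIR:-/tmp}/iptables-check.$$
mkdir -p "$tmp"
write_sample "$tmp/as-installed" ""
write_sample "$tmp/fixed" "-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT"
check_ssh "$tmp/as-installed" || :
check_ssh "$tmp/fixed"
rm -rf "$tmp"
```

Run it against a real /etc/sysconfig/iptables with `check_ssh /etc/sysconfig/iptables` after sourcing the functions; a "NOT accepted" verdict together with a list of numeric protocols is exactly the state described in Comment 1.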
Comment 6 Brent Fox 2003-10-15 14:25:21 EDT
Turns out anaconda was losing the port information.  Changing component to
anaconda.  redhat-config-securitylevel should work fine once anaconda writes the
files out correctly.
Comment 7 Jeremy Katz 2003-10-15 14:35:58 EDT
Fixed in CVS
Comment 8 Jeremy Katz 2003-10-15 18:28:29 EDT
*** Bug 107214 has been marked as a duplicate of this bug. ***
Comment 9 Jeremy Katz 2003-10-15 18:57:38 EDT
*** Bug 107220 has been marked as a duplicate of this bug. ***
Comment 10 Christian Rose 2003-10-15 21:12:44 EDT
Still a problem with test3.
Comment 11 Jeremy Katz 2003-10-15 22:31:34 EDT
*** Bug 107240 has been marked as a duplicate of this bug. ***
Comment 12 Jeremy Katz 2003-10-16 14:07:27 EDT
*** Bug 107301 has been marked as a duplicate of this bug. ***
Comment 13 Jeremy Katz 2003-10-16 14:42:49 EDT
*** Bug 105998 has been marked as a duplicate of this bug. ***
