Bug 105994 - wrong ports chosen for security configuration
Summary: wrong ports chosen for security configuration
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jeremy Katz
QA Contact: Mike McLean
: 107214 107220 107240 107301 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2003-10-01 21:05 UTC by John Reiser
Modified: 2007-11-30 22:10 UTC (History)
4 users (show)

Clone Of:
Last Closed: 2005-06-24 12:15:36 UTC

Attachments (Terms of Use)
/etc/sysconfig/iptables (605 bytes, text/plain)
2003-10-01 21:07 UTC, John Reiser
no flags Details
/etc/sysconfig/iptables after adding SSH (684 bytes, text/plain)
2003-10-02 04:33 UTC, John Reiser
no flags Details

Description John Reiser 2003-10-01 21:05:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703

Description of problem:
In the "security configuration" dialog during CD-ROM installation with "Update
Image Version 1.0" of anaconda [README Sep 29 13:21], I checked only the box for
SSH.  ("Enable firewall" was already checked.)  So, I was expecting port 22 to
be open.  However, port 22 was not open (ssh from another machine could not
reach the new install), and instead ports 50 and 51 (remote mail check) were
open.  So the list of check boxes in the dialog does not line up with the list
of ports in the script.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. New install Fedora Core Test2.
2. Check only SSH on the security configuration "firewall" page.  (Leave 
"firewall enabled" on.)
3. Inspect /etc/sysconfig/iptables when installation finishes.

Actual Results:  /etc/sysconfig/iptables does not have port 22 open, so SSH does
not see any requests from the network.  Also, ports 50 and 51 _are_ open.

Expected Results:  Port 22 should be open for SSH.  Ports 50 and 51 should not
be open.

Additional info:

Comment 1 John Reiser 2003-10-01 21:07:38 UTC
Created attachment 94850 [details]

has ports 50 and 51 (remote mail check) open, instead of the requested port 22

Comment 2 Bill Nottingham 2003-10-01 22:18:56 UTC
That's not ports 50 and 51, it's *protocols* 50 and 51 (IPSEC).

Comment 3 John Reiser 2003-10-01 23:05:59 UTC
OK, "50" and "51" may refer to IPSEC, and perhaps that is supposed to enable ssh
to work, but the firewall still prevents ssh from receiving requests from the
$ ssh  # machine running RedHat 9 tries to access the new Fedora
Core Test2 install
ssh: connect to host port 22: No route to host

Now, add the line
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
to the Fedora /etc/sysconfig/iptables, also /sbin/service iptables restart,
and then the RH9 machine can ssh to the Fedora machine.

So, the default is that SSH connectivity is broken from RH9 to Fedora Test2,
even when SSH is enabled in the firewall configuration dialog of a Fedora Test2

This was working in Severn Beta1, and the regression is disappointing.  This
does not appear to be an instance of the UTF-8 problem that is mentioned in the
Release Notes for Fedora Core Test2.

Comment 4 John Reiser 2003-10-02 04:32:00 UTC
After install, redhat-config-securtitylevel is inconsistent with the choice made
during anaconda install.  I run RedHat > System Settings > Security Level, and
see that "Enable firewall" is pre-chosen, but no service is Trusted; during
install I had picked SSH.

Checking SSH, clicking OK, and acknowledging the warning about erasing all
previous settings, gives an /etc/sysconfig/iptables that contains [I will attach
the full file]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
That was from  redhat-config-securitylevel-1.2.8-2 .

So, the anaconda dialog and the -config application are not in sync, either.

Comment 5 John Reiser 2003-10-02 04:33:55 UTC
Created attachment 94868 [details]
/etc/sysconfig/iptables after adding SSH

using redhat-config-securitylevel-1.2.8-2

Comment 6 Brent Fox 2003-10-15 18:25:21 UTC
Turns out anaconda was losing the port information.  Changing component to
anaconda.  redhat-config-securitylevel should work fine once anaconda writes the
files out correctly.

Comment 7 Jeremy Katz 2003-10-15 18:35:58 UTC
Fixed in CVS

Comment 8 Jeremy Katz 2003-10-15 22:28:29 UTC
*** Bug 107214 has been marked as a duplicate of this bug. ***

Comment 9 Jeremy Katz 2003-10-15 22:57:38 UTC
*** Bug 107220 has been marked as a duplicate of this bug. ***

Comment 10 Christian Rose 2003-10-16 01:12:44 UTC
Still a problem with test3.

Comment 11 Jeremy Katz 2003-10-16 02:31:34 UTC
*** Bug 107240 has been marked as a duplicate of this bug. ***

Comment 12 Jeremy Katz 2003-10-16 18:07:27 UTC
*** Bug 107301 has been marked as a duplicate of this bug. ***

Comment 13 Jeremy Katz 2003-10-16 18:42:49 UTC
*** Bug 105998 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.