From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703

Description of problem:
In the "security configuration" dialog during CD-ROM installation with "Update Image Version 1.0" of anaconda [README Sep 29 13:21], I checked only the box for SSH. ("Enable firewall" was already checked.) So, I was expecting port 22 to be open. However, port 22 was not open (ssh from another machine could not reach the new install), and instead ports 50 and 51 (remote mail check) were open. So the list of check boxes in the dialog does not line up with the list of ports in the script.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. New install Fedora Core Test2.
2. Check only SSH on the security configuration "firewall" page. (Leave "firewall enabled" on.)
3. Inspect /etc/sysconfig/iptables when installation finishes.

Actual Results:
/etc/sysconfig/iptables does not have port 22 open, so SSH does not see any requests from the network. Also, ports 50 and 51 _are_ open.

Expected Results:
Port 22 should be open for SSH. Ports 50 and 51 should not be open.

Additional info:
Created attachment 94850 [details] /etc/sysconfig/iptables has ports 50 and 51 (remote mail check) open, instead of the requested port 22 (SSH).
That's not ports 50 and 51, it's *protocols* 50 and 51 (IPSEC).
OK, "50" and "51" may refer to IPSEC, and perhaps that is supposed to enable ssh to work, but the firewall still prevents ssh from receiving requests from the network:
-----
$ ssh 192.168.0.5   # machine running RedHat 9 tries to access the new Fedora Core Test2 install
ssh: connect to host 192.168.0.5 port 22: No route to host
-----
Now, add the line
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
to the Fedora /etc/sysconfig/iptables, also
/sbin/service iptables restart
and then the RH9 machine can ssh to the Fedora machine.

So, the default is that SSH connectivity is broken from RH9 to Fedora Test2, even when SSH is enabled in the firewall configuration dialog of a Fedora Test2 install. This was working in Severn Beta1, and the regression is disappointing.

This does not appear to be an instance of the UTF-8 problem that is mentioned in the Release Notes for Fedora Core Test2.
After install, redhat-config-securitylevel is inconsistent with the choice made during anaconda install. I run RedHat > System Settings > Security Level, and see that "Enable firewall" is pre-chosen, but no service is Trusted; during install I had picked SSH. Checking SSH, clicking OK, and acknowledging the warning about erasing all previous settings, gives an /etc/sysconfig/iptables that contains [I will attach the full file]
-----
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-----
That was from redhat-config-securitylevel-1.2.8-2. So, the anaconda dialog and the -config application are not in sync, either.
Created attachment 94868 [details] /etc/sysconfig/iptables after adding SSH using redhat-config-securitylevel-1.2.8-2
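Added example, not part of the original report and not anaconda or redhat-config-securitylevel code: a small check that reads an iptables rules file, separates accepted TCP/UDP destination ports (`--dport`) from accepted IP protocol numbers (`-p 50`, `-p 51`), and compares the ports with what was selected. The function names and the `INSTALLED` sample are constructed for illustration; the SSH rule is the one quoted in the thread.

```python
import shlex

# IP protocol numbers from the thread: 50 and 51 are IPsec ESP and AH, not ports.
PROTOCOL_NAMES = {"50": "esp", "51": "ah"}

def parse_accepts(rules_text):
    """Return (ports, protocols) accepted by the -A ... -j ACCEPT rules."""
    ports, protocols = set(), set()
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) < 2 or tok[0] != "-A" or "!" in tok:
            continue  # table/chain/COMMIT lines, comments, negated matches
        opts = {}
        for flag, value in zip(tok, tok[1:]):
            if flag.startswith("-"):
                opts.setdefault(flag, value)
        if opts.get("-j") != "ACCEPT":
            continue
        proto = opts.get("-p") or opts.get("--protocol")
        dport = opts.get("--dport") or opts.get("--destination-port")
        if proto in ("tcp", "udp") and dport:
            lo, sep, hi = dport.partition(":")  # "22" or a "first:last" range
            first = int(lo or 0)
            last = int(hi or 65535) if sep else first
            ports.update((proto, p) for p in range(first, last + 1))
        elif proto and proto not in ("tcp", "udp", "icmp", "all"):
            protocols.add(PROTOCOL_NAMES.get(proto, proto))
    return ports, protocols

def check_selection(rules_text, wanted):
    """Compare what the rules accept with the (proto, port) pairs selected."""
    ports, protocols = parse_accepts(rules_text)
    return {"missing": sorted(wanted - ports),
            "unexpected": sorted(ports - wanted),
            "protocols": sorted(protocols)}

# Constructed sample modelled on the report's description (not the attachment).
INSTALLED = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Rule quoted in the thread, placed ahead of the final REJECT.
SSH_RULE = "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n"
REPAIRED = INSTALLED.replace("-A RH-Firewall-1-INPUT -j REJECT", SSH_RULE + "-A RH-Firewall-1-INPUT -j REJECT")
```

Calling `check_selection(text, {("tcp", 22)})` on the contents of /etc/sysconfig/iptables reports a selected port that has no ACCEPT rule under `missing`, and lists protocol-level accepts separately so they are not read as port numbers.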
Turns out anaconda was losing the port information. Changing component to anaconda. redhat-config-securitylevel should work fine once anaconda writes the files out correctly.
Fixed in CVS
*** Bug 107214 has been marked as a duplicate of this bug. ***
*** Bug 107220 has been marked as a duplicate of this bug. ***
Still a problem with test3.
*** Bug 107240 has been marked as a duplicate of this bug. ***
*** Bug 107301 has been marked as a duplicate of this bug. ***
*** Bug 105998 has been marked as a duplicate of this bug. ***