Red Hat Bugzilla – Bug 105994
wrong ports chosen for security configuration
Last modified: 2007-11-30 17:10:31 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703
Description of problem:
In the "security configuration" dialog during CD-ROM installation with "Update
Image Version 1.0" of anaconda [README Sep 29 13:21], I checked only the box for
SSH. ("Enable firewall" was already checked.) So, I was expecting port 22 to
be open. However, port 22 was not open (ssh from another machine could not
reach the new install), and instead ports 50 and 51 (remote mail check) were
open. So the list of check boxes in the dialog does not line up with the list
of ports in the script.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. New install Fedora Core Test2.
2. Check only SSH on the security configuration "firewall" page. (Leave
"firewall enabled" on.)
3. Inspect /etc/sysconfig/iptables when installation finishes.
Actual Results: /etc/sysconfig/iptables does not have port 22 open, so SSH does
not see any requests from the network. Also, ports 50 and 51 _are_ open.
Expected Results: Port 22 should be open for SSH. Ports 50 and 51 should not
Created attachment 94850 [details]
has ports 50 and 51 (remote mail check) open, instead of the requested port 22
That's not ports 50 and 51, it's *protocols* 50 and 51 (IPSEC).
OK, "50" and "51" may refer to IPSEC, and perhaps that is supposed to enable ssh
to work, but the firewall still prevents ssh from receiving requests from the
$ ssh 192.168.0.5   # machine running RedHat 9 tries to access the new Fedora Core Test2 install
ssh: connect to host 192.168.0.5 port 22: No route to host
Now, add the line
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
to the Fedora /etc/sysconfig/iptables, also /sbin/service iptables restart,
and then the RH9 machine can ssh to the Fedora machine.
So, the default is that SSH connectivity is broken from RH9 to Fedora Test2,
even when SSH is enabled in the firewall configuration dialog of a Fedora Test2
This was working in Severn Beta1, and the regression is disappointing. This
does not appear to be an instance of the UTF-8 problem that is mentioned in the
Release Notes for Fedora Core Test2.
After install, redhat-config-securitylevel is inconsistent with the choice made
during anaconda install. I run RedHat > System Settings > Security Level, and
see that "Enable firewall" is pre-chosen, but no service is Trusted; during
install I had picked SSH.
Checking SSH, clicking OK, and acknowledging the warning about erasing all
previous settings, gives an /etc/sysconfig/iptables that contains [I will attach
the full file]
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
That was from redhat-config-securitylevel-1.2.8-2 .
So, the anaconda dialog and the -config application are not in sync, either.
Created attachment 94868 [details]
/etc/sysconfig/iptables after adding SSH
Turns out anaconda was losing the port information. Changing component to
anaconda. redhat-config-securitylevel should work fine once anaconda writes the
files out correctly.
Fixed in CVS
*** Bug 107214 has been marked as a duplicate of this bug. ***
*** Bug 107220 has been marked as a duplicate of this bug. ***
Still a problem with test3.
*** Bug 107240 has been marked as a duplicate of this bug. ***
*** Bug 107301 has been marked as a duplicate of this bug. ***
*** Bug 105998 has been marked as a duplicate of this bug. ***
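A post-install check for the symptom discussed in this report, as an added example that is not part of the bug report or of anaconda: it parses rules in the /etc/sysconfig/iptables format, reports whether tcp/22 is actually accepted, and names `-p 50` / `-p 51` as protocols rather than ports. The sample rule set is constructed (only the SSH rule line is taken from the comments above), and the function names are hypothetical.

```python
import shlex

IP_PROTOCOLS = {"50": "esp", "51": "ah"}  # -p takes IP protocol numbers, not ports
SSH_RULE = "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
# Constructed sample modelled on the reported symptom; {before}/{after} are insertion points.
TEMPLATE = """*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
{before}-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
{after}COMMIT
"""

def parse_rules(text):
    """Parse -A lines into dicts; rules after a catch-all REJECT/DROP are unreachable."""
    rules, closed = [], set()
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) < 2 or tok[0] != "-A":
            continue  # table names, chain policies, COMMIT, comments
        opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i].startswith("-")}
        proto = opts.get("-p") or opts.get("--protocol")
        rule = {"chain": tok[1], "proto": IP_PROTOCOLS.get(proto, proto),
                "dport": opts.get("--dport") or opts.get("--destination-port"),
                "target": opts.get("-j"), "reachable": tok[1] not in closed}
        if rule["target"] in ("REJECT", "DROP") and set(opts) <= {"-j", "--reject-with"}:
            closed.add(tok[1])  # nothing below this line in the chain can match
        rules.append(rule)
    return rules

def port_accepted(rules, proto, port):
    """True if a reachable ACCEPT rule for proto has a --dport equal to or spanning port."""
    for r in rules:
        if r["target"] == "ACCEPT" and r["proto"] == proto and r["dport"] and r["reachable"]:
            lo, _, hi = r["dport"].partition(":")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def protocol_only_accepts(rules):
    """Names of protocols accepted wholesale (no port), e.g. the IPsec pair esp/ah."""
    return sorted({r["proto"] for r in rules
                   if r["target"] == "ACCEPT" and r["proto"] and not r["dport"]})

if __name__ == "__main__":
    print(port_accepted(parse_rules(TEMPLATE.format(before="", after="")), "tcp", 22))
```

The check does not follow jumps between chains or evaluate source-address matches, so it confirms only that the rule is present and placed ahead of the chain's catch-all REJECT.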