https://bugzilla.redhat.com/show_bug.cgi?id=1117965 was proposed as a Fedora 21 Alpha release blocker, but we felt really the blocker is *this* bug, and this one depends on that.
This bug is simply that the Fedora Server firewall configuration as described at https://fedoraproject.org/wiki/Server/Technical_Specification#Firewall and enforced as an Alpha release criterion - https://fedoraproject.org/wiki/Fedora_21_Alpha_Release_Criteria#Firewall_configuration , "After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces. The only ports which may be open to incoming traffic are port 22 (ssh), port XX (Cockpit web interface), and any ports associated with server Roles selected during installation. Supported install-time firewall configuration options must work correctly." - must be implemented for Fedora 21 Alpha. As this requires a per-Product configuration mechanism, this bug depends on #1117965 .
Accepted as a blocker at the 2014-07-16 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-07-16/f21-blocker-review.2014-07-16-15.59.log.txt .
The packaging draft has been approved; isn’t this now up to firewalld packaging, i.e. Thomas?
The latest builds of firewalld are following the new packaging draft and appear to contain the appropriate firewall defaults. Closing this ticket (please reopen it if any of the defaults are incorrect).
(In reply to Stephen Gallagher from comment #2)
> The latest builds of firewalld are following the new packaging draft and
> appear to contain the appropriate firewall defaults.
The packaging works (i.e. firewalld-config-server gets installed), but the defaults do not:
> ERROR: Default zone 'FedoraServerpublic' is not valid. Using 'public'.
(Also, the zone internally calls itself "Public"; it probably shouldn’t.)
Fixed in F21 and rawhide in package firewalld-0.3.10-5 or newer.
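The following check is an added example, not code from this ticket or from firewalld: it verifies that the `DefaultZone` set in `firewalld.conf` names an existing zone file (the mismatch behind the error quoted above) and lists services outside the release criterion. The zone file name `FedoraServer.xml`, its contents, and the service names in `ALLOWED` are constructed assumptions.

```python
import pathlib
import tempfile
import xml.etree.ElementTree as ET

# firewalld looks in /etc/firewalld/zones first, then /usr/lib/firewalld/zones.
ZONE_DIRS = ("etc/firewalld/zones", "usr/lib/firewalld/zones")
ALLOWED = {"ssh", "cockpit"}  # assumption: service names for the criterion's two ports


def default_zone(conf_text):
    """Return the DefaultZone value from firewalld.conf text, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "DefaultZone":
            return value.strip()
    return None


def audit(root):
    """Check that DefaultZone names a real zone file; list unexpected services."""
    root = pathlib.Path(root)
    zone = default_zone((root / "etc/firewalld/firewalld.conf").read_text())
    for zdir in ZONE_DIRS:
        path = root / zdir / f"{zone}.xml"
        if path.is_file():
            tree = ET.parse(path).getroot()
            services = {s.get("name") for s in tree.iter("service")}
            return {"zone": zone, "valid": True, "short": tree.findtext("short"),
                    "unexpected": sorted(services - ALLOWED)}
    return {"zone": zone, "valid": False, "short": None, "unexpected": []}


def build_sample(root, default):
    """Constructed sample tree: one packaged zone plus a firewalld.conf."""
    root = pathlib.Path(root)
    zones = root / "usr/lib/firewalld/zones"
    zones.mkdir(parents=True)
    (root / "etc/firewalld").mkdir(parents=True)
    (zones / "FedoraServer.xml").write_text(
        '<zone><short>Public</short><service name="ssh"/>'
        '<service name="dhcpv6-client"/></zone>')
    (root / "etc/firewalld/firewalld.conf").write_text(
        f"# constructed sample\nDefaultZone={default}\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp, "FedoraServerpublic")))
```

Pointing `audit()` at `/` on an installed system runs the same check against the real configuration; a result with `valid` set to `False` means firewalld will fall back to another zone, as in the error above.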