Bug 1120296 - Fedora Server firewall configuration incorrect
Summary: Fedora Server firewall configuration incorrect
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Whiteboard: AcceptedBlocker
Depends On: 1117965
Blocks: F21AlphaBlocker
Reported: 2014-07-16 16:34 UTC by Adam Williamson
Modified: 2014-07-22 09:06 UTC

Fixed In Version: firewalld-0.3.10-3.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-22 09:06:46 UTC


Description Adam Williamson 2014-07-16 16:34:08 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1117965 was proposed as a Fedora 21 Alpha release blocker, but we felt really the blocker is *this* bug, and this one depends on that.

This bug is simply that the Fedora Server firewall configuration as described at https://fedoraproject.org/wiki/Server/Technical_Specification#Firewall and enforced as an Alpha release criterion - https://fedoraproject.org/wiki/Fedora_21_Alpha_Release_Criteria#Firewall_configuration , "After system installation without explicit firewall configuration, the system firewall must be active on all non-loopback interfaces. The only ports which may be open to incoming traffic are port 22 (ssh), port XX (Cockpit web interface), and any ports associated with server Roles selected during installation. Supported install-time firewall configuration options must work correctly." - must be implemented for Fedora 21 Alpha. As this requires a per-Product configuration mechanism, this bug depends on #1117965 .

Accepted as a blocker at the 2014-07-16 blocker review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-07-16/f21-blocker-review.2014-07-16-15.59.log.txt .

Comment 1 Miloslav Trmač 2014-07-21 18:37:33 UTC
The packaging draft has been approved; isn’t this now up to firewalld packaging, i.e. Thomas?

Comment 2 Stephen Gallagher 2014-07-21 18:55:30 UTC
The latest builds of firewalld are following the new packaging draft and appear to contain the appropriate firewall defaults. Closing this ticket (please reopen it if any of the defaults are incorrect).

Comment 3 Miloslav Trmač 2014-07-21 19:27:44 UTC
(In reply to Stephen Gallagher from comment #2)
> The latest builds of firewalld are following the new packaging draft and
> appear to contain the appropriate firewall defaults.
The packaging works (i.e. firewalld-config-server gets installed), but the defaults do not:
> ERROR: Default zone 'FedoraServerpublic' is not valid.  Using 'public'.
Needs s/public//.

(Also, the zone internally calls itself "Public"; it probably shouldn’t.)
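
The failure reported in comment 3 (a DefaultZone value that matches no zone definition, so firewalld falls back to 'public') can be caught before the daemon starts. The following is an added example, not part of the original thread or of firewalld; the function names and the sample files are constructed for illustration, and it assumes zones are defined as `<name>.xml` files in the zone directories passed in.

```shell
#!/bin/sh
# Added example: check that firewalld's DefaultZone names a zone that exists.
# Real paths on a firewalld host: /etc/firewalld/firewalld.conf,
# /etc/firewalld/zones and /usr/lib/firewalld/zones.

# Print the last DefaultZone= value found in a firewalld.conf-style file.
default_zone() {
    sed -n 's/^DefaultZone=//p' "$1" | tail -n 1
}

# check_default_zone CONF DIR...
# Returns 0 if <zone>.xml exists in one of DIR, 1 if not, 2 if unset.
check_default_zone() {
    conf=$1; shift
    zone=$(default_zone "$conf")
    if [ -z "$zone" ]; then
        echo "FAIL: no DefaultZone in $conf"
        return 2
    fi
    for dir in "$@"; do
        if [ -f "$dir/$zone.xml" ]; then
            echo "OK: default zone '$zone' is defined in $dir"
            return 0
        fi
    done
    echo "FAIL: default zone '$zone' has no zone file in: $*"
    return 1
}

# Constructed sample data (not taken from a real system): one zone file and
# two config files, the first with the name from the error in comment 3.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/zones"
    echo '<zone/>' > "$d/zones/FedoraServer.xml"
    echo 'DefaultZone=FedoraServerpublic' > "$d/bad.conf"
    echo 'DefaultZone=FedoraServer' > "$d/good.conf"
    echo "$d"
}

sample=$(make_sample)
check_default_zone "$sample/bad.conf" "$sample/zones" || true
check_default_zone "$sample/good.conf" "$sample/zones"
rm -rf "$sample"
```

On a real host, pass the configuration file and both zone directories named in the header comment; a non-zero exit means the intended default zone is not the one that will be applied.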

Comment 4 Thomas Woerner 2014-07-22 09:06:46 UTC
Fixed in F21 and rawhide in package firewalld-0.3.10-5 or newer.
