Red Hat Bugzilla – Bug 1161682
No /etc/sysconfig/iptables after RHEL 6.6 minimal install
Last modified: 2016-09-07 11:32:55 EDT
When doing a minimal install of RHEL 6.6 from the boot.iso, there is no /etc/sysconfig/iptables and therefore no default firewall installed on reboot.
Created attachment 955008 [details] Various install logs for the minimal install on a VM
/etc/sysconfig/iptables and /etc/sysconfig/ip6tables are not provided by the iptables and iptables-ipv6 packages. These files are created by anaconda at installation time.
They did not get created on the install in question... maybe the component should be changed to anaconda. I took boot.iso... booted it and pointed to the os/ directory, picked a 'minimal install' and then there is no ip6tables or iptables file after install.
I installed from rhel-server-6.6-x86_64-dvd.iso using a "Minimal" option. There is no ip6tables or iptables file in /etc/sysconfig.
So, the issue here is that when the "Minimal" Install option is selected in a RHEL-6.6 server install iso (either network install or ISO install), there are no iptables or ip6tables files created in /etc/sysconfig/ as part of the install. This means there is a blank firewall on startup after reboot. Should I change the "component" field of this bug to anaconda?
I would say "yes" for further verification.
Not sure if this is exactly related, but this also occurs when doing a kickstart install. If you use a kickstart config file with a valid "firewall" line in it, the settings appear to be processed (they end up in /root/anaconda-ks.cfg), but the same thing happens on reboot, no /etc/sysconfig/iptables is created and the specified firewall rules are not applied.
Anaconda uses the lokkit command to set firewall and SELinux configurations during Kickstart installations. Note that the anaconda.log file attached to this bug report contains errors like:

ERROR : Error running /usr/sbin/authconfig: No such file or directory
ERROR : Error running /usr/sbin/lokkit: No such file or directory

It seems that package dependencies in the new 6.6 release fail to automatically pull in authconfig and system-config-firewall-base packages when doing a minimal install. Please try and see whether adding "system-config-firewall-base" to your package installation list solves your firewall issue.
As a workaround you can add the following packages explicitly in your ks.cfg kickstart file until an official fix is available:

authconfig
system-config-firewall-base
Documented in the following knowledge article: No /etc/sysconfig/iptables after RHEL 6.6 minimal install https://access.redhat.com/solutions/1361093
This issue needs to be addressed via the kickstart %packages section. The minimum package set is deliberately kept very small because it's used as part of the RHEL certification processes like FIPS, among others. This Minimal package set may appear to be missing packages but this is intentional. The Minimal package set cannot be altered and we cannot automatically flag additional packages for inclusion if the user has selected Minimal. The workaround is to use kickstart and install the additional packages needed utilizing the %packages section.
I can't agree that this major security issue will be closed with NOTABUG. The RHEL 6.6 release notes mention neither under networking nor under security that local firewalling is no longer configured by anaconda in case of a "minimal" setup, and therefore, in case additional RPMs are installed which are not restricted to localhost by default config (or can't be, like rpcbind), they are suddenly accessible from outside: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.6_Release_Notes/ => very unexpected behavior change! Also it's surely not security best practice to leave a fresh installation without local firewalling, even if it is "minimal". If it is a problem with the package selection for "minimal", the anaconda team should urgently rethink whether it is a proper way to create a minimum local firewall configuration by using lokkit and its dependencies for a small bunch of lines permitting only SSH and rejecting/dropping the rest. The recommendation to use a custom kickstart file to get local firewalling back for a "minimal" installation is imho overkill. Suggestion: include 2 default file contents for /etc/sysconfig/iptables and /etc/sysconfig/ip6tables as created with EL < 6.6 by anaconda and apply them, and all would be fine.
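The two actionable pieces of this thread so far are the tell-tale "Error running /usr/sbin/lokkit" lines in anaconda.log quoted in comment 12 and the suggestion just above to ship the pre-6.6 default iptables/ip6tables contents. The following POSIX shell script is an added example, not part of the bug report, of anaconda or of lokkit. It detects the gap (missing or empty rule file, lokkit failure in the installer log) and writes a baseline ruleset when a file is absent. The ruleset text is an assumption about what lokkit --default=server generated on RHEL 6.5 (loopback, established traffic, ICMP and SSH allowed, everything else rejected); compare it against a known 6.5 host before relying on it. SYSCONFIG_DIR and the function names are the example's own.

```shell
#!/bin/sh
# Post-install check for the RHEL 6.6 "Minimal" firewall gap described in this bug.
# Added example, not part of the bug report or of anaconda/lokkit.
# Assumptions: SYSCONFIG_DIR defaults to /etc/sysconfig; the baseline rules below
# are what lokkit --default=server produced on RHEL <= 6.5 (verify on a 6.5 host).

SYSCONFIG_DIR="${SYSCONFIG_DIR:-/etc/sysconfig}"

# True when the installer left no usable rule file behind, the condition
# reported in this bug. An empty file counts as missing too.
firewall_file_missing() {
    [ ! -s "$1" ]
}

# True when anaconda.log carries the lokkit failure quoted in comment 12,
# i.e. the firewall keyword was processed but the tool was not installed.
log_shows_lokkit_failure() {
    grep -q 'Error running /usr/sbin/lokkit: No such file or directory' "$1"
}

# Write the assumed pre-6.6 default ruleset to $1 for family $2 (ipv4|ipv6).
write_default_ruleset() {
    out="$1"
    case "$2" in
        ipv4) icmp_proto=icmp;      reject=icmp-host-prohibited ;;
        ipv6) icmp_proto=ipv6-icmp; reject=icmp6-adm-prohibited ;;
        *) echo "unknown address family: $2" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p $icmp_proto -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with $reject
-A FORWARD -j REJECT --reject-with $reject
COMMIT
EOF
    chmod 600 "$out"   # the real file is root-only as well
}

# Number of rules that accept NEW connections; the baseline should expose SSH only.
count_new_accepts() {
    grep -c -- '--state NEW .* -j ACCEPT' "$1"
}

# Create whichever rule file is missing, then load it through the init script.
main() {
    for fam in ipv4 ipv6; do
        if [ "$fam" = ipv4 ]; then name=iptables; else name=ip6tables; fi
        if firewall_file_missing "$SYSCONFIG_DIR/$name"; then
            echo "$SYSCONFIG_DIR/$name missing: installing baseline ruleset"
            write_default_ruleset "$SYSCONFIG_DIR/$name" "$fam"
            service "$name" restart
        else
            echo "$SYSCONFIG_DIR/$name present ($(count_new_accepts "$SYSCONFIG_DIR/$name") NEW-accept rule(s))"
        fi
    done
}

# Only act when invoked as "sh check-firewall.sh apply"; otherwise the
# functions are merely defined so the file can be sourced for auditing.
if [ "${1:-}" = apply ]; then
    main
fi
```

Run it as root after first boot with the `apply` argument; without it nothing is changed, which is convenient when the functions are sourced into an audit script that only wants to report the gap.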
*** Bug 1169976 has been marked as a duplicate of this bug. ***
Posted a slightly modified version of the proposed patch for review.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
would there be a respin of EL 6.6 (e.g. 6.6.1) ISO images or do we have to wait for 6.7?
After comment #17 was posted here, there was discovery of this bug affecting some other installation use cases. That required us to re-evaluate the possibility of a small fix to address the issue. This was proposed and tested but determined to be ineffective. Therefore, the proposed change was reverted and the situation explained in comment #17 still holds for RHEL 6.7.
I've added an admonition ("Warning"):

==
Minimal installation currently does not configure the firewall (iptables/ip6tables) by default because the authconfig and system-config-firewall-base packages are missing from the selection. To work around this issue, you can use a Kickstart file to add these packages to your selection. See the Red Hat Customer Portal for details about the workaround, and Chapter 32, Kickstart Installations for information about Kickstart files. If you do not use the workaround, the installation will complete successfully, but no firewall will be configured, presenting a security risk.
==

The admonition appears in all sections of the book discussing package selection (and the minimal/core pkg group): 9.17. Package Group Selection, 16.19. Package Group Selection, 23.17. Package Group Selection and 32.5. Package Selection (Kickstart).
It might also be helpful, if this is not going to be fixed due to packages required for certifications, that what is normally the default /usr/sysconfig/iptables file be included as an example in /usr/share/doc/iptables*, and documented.
(or ip6tables) as well.
(In reply to Chris Williams from comment #17)
> This issue needs to be addressed via the kickstart %packages section.
> The minimum package set is deliberately kept very small because it's used as
> part of the RHEL certification processes like FIPS, among others.
> This Minimal package set may appear to be missing packages but this is
> intentional. The Minimal package set can not be altered and we can not
> automatically flag additional packages for inclusion if the user has
> selected Minimal. The work around is to use kickstart and install the
> additional packages needed utilizing the %packages section.

This still doesn't address a common use-case, thus propagating Red Hat systems that are surprisingly and dangerously misconfigured, at some cost to the Red Hat brand. I suggest:
(1) Leave the minimal package set contents untouched, addressing the certification issue.
(2) Rename "minimal" to "minimal (unsafe)" or something palatable.
(3) Define an additional "minimal secure" package set.
I was the reporter of #1169976, which has rightly been rolled into this bug. First, let me say that I strongly support Red Hat's efforts in the package minimization area. I find it hard to agree with Chris' comment #17, though. This *worked* in previous versions of RHEL, even into the 6.x series. It only broke in RHEL 6.6. It also violates the principle of least surprise, *especially* for long-time users of kickstart. Although I think it should be "fixed", I'm not very hopeful that's going to happen, which is why I'm mainly arguing the point that if you're not going to fix it, you better do a great job of documenting the new, unintuitive behavior. Petr has taken a good step in that direction, but so far it's not complete. "authconfig" is mentioned only in relation to the firewall, even though authconfig has nothing to do with the firewall. Also, these are the only two kickstart keywords (authconfig, firewall) that *so far* have been reported as not working in a minimal install, because required packages are no longer auto-included when the anaconda keyword/command is used. Do we know for certain that this is the complete list? Are there other anaconda commands that are also now broken, because they too aren't getting the necessary packages included during a minimal install? I like all the sections that Petr has this admonition applied to, but I also think it would help a lot of Kickstart users if there were separate admonitions after each of the anaconda options in Section 32.4 (firewall, authconfig, any others that we haven't discovered yet that are broken) saying something like:

for "auth or authconfig"
==
Warning: the authconfig option requires the authconfig package, which is not included when using the minimal package group. You must add authconfig to the %packages list for the anaconda authconfig option to succeed.
==

for "firewall"
==
Warning: the firewall option requires the system-config-firewall-base package, which is not included when using the minimal package group. You must add system-config-firewall-base to the %packages list for the anaconda firewall option to succeed.
==

Ditto for any other anaconda options that are now broken for minimal installs.
Hmm, looks like nothing is really progressing, which I can't understand.
1) Red Hat sells an Enterprise Linux.
2) Suddenly, by accident (and imho a not so well running QA process), in a minor release the default firewall protection on a minimal install disappears.
3) Current proposed workaround: updating release notes (weeks after the release) telling customers: sorry for that, this basic default protection disappears, please use a custom kickstart (which requires either modified ISO images, or USB/Floppy or network access during install)...
...and the background for that is that the package list was reduced, and the default firewall protection is generated during installation by anaconda using an external "sophisticated" toolset, which is no longer packaged in a minimal install...
As I wrote previously: why is Red Hat unable to extend anaconda to create, in the minimal installation case, 2 simple default IPv4/IPv6 iptables configs with well-known contents and store them in the related directories? Will file a support ticket next week regarding that issue.
BTW: perhaps the CentOS team is more flexible and can fix the issue in between, at least on their rebuilds.
BTW2: even Microsoft has the local firewall active on Windows Server Core: http://blogs.technet.com/b/server_core/archive/2008/01/02/configuring-the-firewall-on-server-core-for-remote-management.aspx
Filed case 01437755 in the Red Hat Customer Portal related to that issue.
The reasoning for this change of behavior and the workaround solution is explained in https://access.redhat.com/solutions/1361093. Essentially, add this to your kickstart:

%packages
@core
authconfig
system-config-firewall-base

Reasoning: authconfig and system-config-firewall-base packages were installed by default until Red Hat Enterprise Linux 6.5. But, the behaviour was changed in Red Hat Enterprise Linux 6.6. That package set is *deliberately* kept very small because it's used as part of the RHEL certification processes (FIPS, and so on). We cannot alter the definition of the Minimal set nor can we automatically flag additional packages for inclusion if the user has selected Minimal.
(In reply to Terry Bowling from comment #38) This is still not a proper solution. There are use cases where no kickstart "extension" is involved, only the original ISO is used to install a minimal Enterprise Linux. I can agree that, because of certification processes, the package set would be kept as small as possible. But I can't agree that the resulting installation has no active firewall configuration. If the old and complex way of setting up a basic ruleset for activation of the local firewall is not possible with that small package set, then simply a different (also simple) solution must be introduced which (re-)enables a basic active firewall configuration. BTW: I would very much wonder whether, with the current behavior, a FIPS certification (and other security related ones) will be reached if the OS after minimal installation has no local firewall ruleset active... because that's a major security issue totally against best security practice.
Released as part of the RHEL6.7 GA release.
Hello everyone, I have completely missed the discussion that happened here after comment #29. Please note that this bug has been reassigned from the "anaconda" component, which is used by the installer development team, to the "doc-Installation_Guide" component which is only used by writers to track documentation issues. I'll add the parts suggested by Tim Mooney in c#34 into the Installation Guide as well - those are good points. However, that's all I can really do - I can't do anything about the underlying issue, I can only document it. See comment #38 for justification of this change in behavior and reasons why this won't be reverted to pre-6.6 behavior.
The changes look good to me.
A mitigation is to run, as root, the following 3 commands:

yum install system-config-firewall-base
lokkit --default=server
service iptables restart