Bug 118667 - Saying no to firewall is ignored.
Saying no to firewall is ignored.
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
Mike McLean
Depends On:
Blocks: FC2Blocker
  Show dependency treegraph
Reported: 2004-03-18 13:48 EST by Dave Jones
Modified: 2015-01-04 17:05 EST (History)
7 users (show)

See Also:
Fixed In Version: 1.3.8-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-04-08 12:26:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
/etc/sysconfig/iptables from 'firewall --disabled' kickstart install (605 bytes, text/plain)
2004-03-19 15:36 EST, Mike McLean
no flags Details
anaconds-ks.cfg (1.46 KB, text/plain)
2004-03-24 15:59 EST, Ben Levenson
no flags Details

  None (edit)
Description Dave Jones 2004-03-18 13:48:41 EST
Even though I chose not to install a firewall, and told it proceed
anyway without one, something decided I needed one anyway, so I
couldn't ssh into the box after installation unless I had done a
service iptables stop

Version-Release number of selected component (if applicable):

How reproducible:
This has happened before, though I thought it had gotten fixed already.
Comment 1 Jeremy Katz 2004-03-18 14:28:33 EST
I haven't seen this and I usually disable the firewall on my installs
:)  What sort of install did you do?  I need steps to be able to
Comment 2 Dave Jones 2004-03-19 06:38:55 EST
I booted yesterdays boot.iso for amd64, and did an nfs install.

Can't really think of any steps to follow other than 'say no to firewall'.
Comment 3 Mike McLean 2004-03-19 15:17:04 EST
Also observed in kickstart installs with 'firewall --disabled'.
Comment 4 Mike McLean 2004-03-19 15:19:19 EST
FWIW, the behavior seems to depend on which packages are installed. 
In particular, minimal installs do not have the unwanted firewall
rules in place and everything installs do.  

Maybe a package is doing this in %post?
Comment 5 Mike McLean 2004-03-19 15:36:37 EST
Created attachment 98694 [details]
/etc/sysconfig/iptables from 'firewall --disabled' kickstart install

I can't find anything in an package scripts that would do this.  Attaching the
offending iptables config.
Comment 6 Mike McLean 2004-03-19 15:44:26 EST
running /usr/bin/system-config-securitylevel-tui -qn --disabled gets
me the exact same /etc/sysconfig/iptables contents.  Reassigning bug.
Comment 7 Mike McLean 2004-03-19 16:39:05 EST
Brent, even with selinux in nonenforcing mode, running
'/usr/bin/system-config-securitylevel-tui -qn --disabled' yields the
same (nondisabled) firewall config.
Comment 8 Brent Fox 2004-03-19 17:17:12 EST
Looks like lokkit is ignoring the commandline options and is using
what's in the config file.  I think notting is looking at it.
Comment 9 Bill Nottingham 2004-03-19 17:34:47 EST
Fixed in 1.3.7-1.
Comment 10 Ben Levenson 2004-03-24 15:44:15 EST
I just installed from the latest tree. s-c-securitylevel-1.3.7-1 and
anaconda-9.91-6 are in the tree. I disabled the firewall during install
but I'm still firewalled out of the box.
Comment 11 Bill Nottingham 2004-03-24 15:45:39 EST
What's your anaconda-ks.cfg look like?
Comment 12 Ben Levenson 2004-03-24 15:59:35 EST
Created attachment 98837 [details]
Comment 14 Bill Nottingham 2004-03-24 16:24:46 EST
Fixed in 1.3.8-1.
Comment 15 Mike McLean 2004-03-24 16:35:26 EST
The command I gave above, '/usr/bin/system-config-securitylevel-tui
-qn --disabled', is working correctly in the installed system.  As is
'/usr/sbin/lokkit --quiet --nostart --disabled', which is the
invocation that anaconda uses.

Both these statements apply to version 1.3.7-1.
Comment 16 Mike McLean 2004-03-25 14:51:47 EST
Still seeing in -re0324.1
* system-config-securitylevel-tui-1.3.8-1.i386
* anaconda-9.91-6.i386

See above comment.  This could be anaconda.
Comment 18 Bill Nottingham 2004-04-07 16:54:52 EDT
Does this work better in post-test2 trees?
Comment 19 Dave Jones 2004-04-08 07:32:59 EDT
I'll try an install from todays tree later today.
Comment 20 Dave Jones 2004-04-08 12:23:22 EDT
Looks fixed to me.

Note You need to log in before you can comment on or make changes to this bug.