Bug 118667 - Saying no to firewall is ignored.
Summary: Saying no to firewall is ignored.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 2
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks: FC2Blocker
Reported: 2004-03-18 18:48 UTC by Dave Jones
Modified: 2015-01-04 22:05 UTC

Fixed In Version: 1.3.8-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-08 16:26:41 UTC
Type: ---
Embargoed:


Attachments
/etc/sysconfig/iptables from 'firewall --disabled' kickstart install (605 bytes, text/plain)
2004-03-19 20:36 UTC, Mike McLean
anaconds-ks.cfg (1.46 KB, text/plain)
2004-03-24 20:59 UTC, Ben Levenson

Description Dave Jones 2004-03-18 18:48:41 UTC
Even though I chose not to install a firewall, and told it to proceed
anyway without one, something decided I needed one anyway, so I
couldn't ssh into the box after installation unless I had done a
service iptables stop

Version-Release number of selected component (if applicable):


How reproducible:
This has happened before, though I thought it had gotten fixed already.

Comment 1 Jeremy Katz 2004-03-18 19:28:33 UTC
I haven't seen this and I usually disable the firewall on my installs
:)  What sort of install did you do?  I need steps to be able to
reproduce.

Comment 2 Dave Jones 2004-03-19 11:38:55 UTC
I booted yesterday's boot.iso for amd64, and did an nfs install.

Can't really think of any steps to follow other than 'say no to firewall'.


Comment 3 Mike McLean 2004-03-19 20:17:04 UTC
Also observed in kickstart installs with 'firewall --disabled'.

Comment 4 Mike McLean 2004-03-19 20:19:19 UTC
FWIW, the behavior seems to depend on which packages are installed. 
In particular, minimal installs do not have the unwanted firewall
rules in place and everything installs do.  

Maybe a package is doing this in %post?

Comment 5 Mike McLean 2004-03-19 20:36:37 UTC
Created attachment 98694
/etc/sysconfig/iptables from 'firewall --disabled' kickstart install

I can't find anything in any package scripts that would do this.  Attaching the
offending iptables config.

Comment 6 Mike McLean 2004-03-19 20:44:26 UTC
running /usr/bin/system-config-securitylevel-tui -qn --disabled gets
me the exact same /etc/sysconfig/iptables contents.  Reassigning bug.

Comment 7 Mike McLean 2004-03-19 21:39:05 UTC
Brent, even with selinux in nonenforcing mode, running
'/usr/bin/system-config-securitylevel-tui -qn --disabled' yields the
same (nondisabled) firewall config.

Comment 8 Brent Fox 2004-03-19 22:17:12 UTC
Looks like lokkit is ignoring the commandline options and is using
what's in the config file.  I think notting is looking at it.

Comment 9 Bill Nottingham 2004-03-19 22:34:47 UTC
Fixed in 1.3.7-1.

Comment 10 Ben Levenson 2004-03-24 20:44:15 UTC
I just installed from the latest tree. s-c-securitylevel-1.3.7-1 and
anaconda-9.91-6 are in the tree. I disabled the firewall during install
but I'm still firewalled out of the box.

Comment 11 Bill Nottingham 2004-03-24 20:45:39 UTC
What's your anaconda-ks.cfg look like?

Comment 12 Ben Levenson 2004-03-24 20:59:35 UTC
Created attachment 98837
anaconds-ks.cfg

Comment 14 Bill Nottingham 2004-03-24 21:24:46 UTC
Fixed in 1.3.8-1.

Comment 15 Mike McLean 2004-03-24 21:35:26 UTC
The command I gave above, '/usr/bin/system-config-securitylevel-tui
-qn --disabled', is working correctly in the installed system.  As is
'/usr/sbin/lokkit --quiet --nostart --disabled', which is the
invocation that anaconda uses.

Both these statements apply to version 1.3.7-1.

Comment 16 Mike McLean 2004-03-25 19:51:47 UTC
Still seeing in -re0324.1
* system-config-securitylevel-tui-1.3.8-1.i386
* anaconda-9.91-6.i386

See above comment.  This could be anaconda.

Comment 18 Bill Nottingham 2004-04-07 20:54:52 UTC
Does this work better in post-test2 trees?

Comment 19 Dave Jones 2004-04-08 11:32:59 UTC
I'll try an install from today's tree later today.


Comment 20 Dave Jones 2004-04-08 16:23:22 UTC
Looks fixed to me.


