Bug 1411639 - manually adding ports vs. standard firewalld services
Summary: manually adding ports vs. standard firewalld services
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: doc-Linux_Domain_Identity_Management_Guide
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Aneta Šteflová Petrová
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-01-10 08:20 UTC by mpanaous
Modified: 2020-02-14 18:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-14 09:36:09 UTC
Target Upstream Version:



Description mpanaous 2017-01-10 08:20:08 UTC
Description of problem:
In section 2.1.4. Port Requirements of https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html, I expect to see that standard firewalld services are used instead of directly adding ports to the firewall.

Version-Release number of selected component (if applicable):


How reproducible:
-

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
the exact same as opening the ports in the way already described

Additional info:

** cst is proposing this:

firewall-cmd --add-service=freeipa-ldap --permanent
firewall-cmd --add-service=freeipa-ldaps --permanent
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload


** as seen in the doc:

"Table 2.1. Identity Management Ports"

Service      Ports      Protocol
HTTP/HTTPS   80, 443    TCP
LDAP/LDAPS   389, 636   TCP
Kerberos     88, 464    TCP and UDP
DNS          53         TCP and UDP
NTP          123        UDP

[root@server ~]# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,464/tcp,53/tcp,88/udp,464/udp,53/udp,123/udp}


** as seen in my VM

[root@ipa1 ~]# cat /usr/lib/firewalld/services/freeipa-ldap.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA with LDAP</short>
  <description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option if you plan to provide a FreeIPA Domain Controller using the LDAP protocol. You can also enable the 'freeipa-ldaps' service if you want to provide the LDAPS protocol. Enable the 'dns' service if this FreeIPA server provides DNS services and 'freeipa-replication' service if this FreeIPA server is part of a multi-master replication setup.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="udp" port="123"/>
  <port protocol="tcp" port="389"/>
</service>

[root@ipa1 ~]# cat /usr/lib/firewalld/services/freeipa-ldaps.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FreeIPA with LDAPS</short>
  <description>FreeIPA is an LDAP and Kerberos domain controller for Linux systems. Enable this option if you plan to provide a FreeIPA Domain Controller using the LDAPS protocol. You can also enable the 'freeipa-ldap' service if you want to provide the LDAP protocol. Enable the 'dns' service if this FreeIPA server provides DNS services and 'freeipa-replication' service if this FreeIPA server is part of a multi-master replication setup.</description>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="udp" port="123"/>
  <port protocol="tcp" port="636"/>
</service>

 
[root@ipa1 ~]# cat /usr/lib/firewalld/services/dns.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>The Domain Name System (DNS) is used to provide and request host and domain names. Enable this option, if you plan to provide a domain name service (e.g. with bind).</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>

Comment 6 Aneta Šteflová Petrová 2017-03-14 09:36:09 UTC
The update is now available on the Customer Portal.

