Description of problem: had a very nasty surprise when updating hts today. latest version just decides on it's own that I do not need a firewall. Errm, surely you jest sir and this is just an omission from testing. Version-Release number of selected component (if applicable): hts-5.2-20.el4 How reproducible: always Steps to Reproduce: 1. have a system that does HTS amongst other things (servers are not growing on trees, so a dedicated box is not an option here) 2. have a NIC in that system where certs are run against, that NIC has a -j ACCEPT iptables rule (as per the hts docs) 3. have another NIC for other functions where I most certainly want and need iptables 4. up2date system Actual results: [...] 13:hts ########################################### [100%] Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ] [...] Loud swearing from me. Very very glad I did not trigger the update via RHN or I would not have been able to pull my firewall back up within 30 seconds. # rpm -q --scripts hts preinstall program: /bin/sh postinstall scriptlet (using /bin/sh): service iptables stop chkconfig iptables off disbelief and very very unhappy that you are now forcing me to do a full analysis of this system because you tore the firewall down. So now I have to check that indeed nothing happened in that time window. Expected results: Do not blindly disable a firewall. if the user has one enabled he probably knows what he is doing. s1-hts-important-notes.html is very clear for the user who does not know what he is doing. Additional info:
Created attachment 323909 [details] hts.spec.patch to remove %post that shuts down iptables
While I was never (and remain not) a fan of this brute force solution; have we verified that simply accepting whatever the state of the firewall is (more specifically the default install firewall configuration) works? I want to say the reason that the firewall was disabled is because one or more of the services used by the network test are blocked by default. If it works out of the box great, if not can we check the firewall and then request the user to provide a solution when we discover blocked ports/services which are required?