Bug 485086 - [RFE] ssh default allowed by kickstart firewall
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: anaconda (Show other bugs)
All Linux
low Severity medium
: rc
: ---
Assigned To: Chris Lumens
Release Test Team
: FutureFeature, Reopened, Triaged
Depends On: 577334
Blocks: 668576 681944
Reported: 2009-02-11 10:14 EST by David L. Parsley
Modified: 2011-07-21 02:51 EDT (History)
6 users

See Also:
Fixed In Version: anaconda-
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 681944 703081
Last Closed: 2011-07-21 02:51:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description David L. Parsley 2009-02-11 10:14:30 EST
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/2008121622 Fedora/3.0.5-1.fc10 Firefox/3.0.5

When I specify "firewall --enabled" in a kickstart file, ssh is allowed even without specifying "firewall --enabled --ssh".

Reproducible: Always

Steps to Reproduce:
Here are the specifics of how I install:
1. Create VM config file using xen kernel & initrd and this command line:
ksdevice=eth0 vnc vncconnect=XXX headless ip=XXX netmask= gateway=XXX dns=XXX ks=http://.../server.cfg
2. server.cfg has "firewall --enabled"
3. Start the VM with xm create -c server
4. Wait for the install to finish
Actual Results:  
ssh is allowed in the firewall; from /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Expected Results:  
Allowed nothing through the firewall.
Comment 1 Chris Lumens 2009-02-12 10:56:56 EST
Right, this is by design.  The reason being that for a lot of the enterprise customers, the only way to get into the machine after installation is via ssh.  We don't want to lock people out of fresh installs.  This is especially the case on s390 and similarly unusual architectures.  It is perhaps a little unexpected, but we're definitely doing this for a reason.
Comment 2 David L. Parsley 2009-02-12 13:52:34 EST
Ok, in that case the firewall kickstart option should have a '--no-ssh' flag, since the '--ssh' flag is really the default anyway.  Can this be made an RFE instead?  Really, documenting the '--ssh' flag qualifies this as a bug, IMHO.
Comment 3 Chris Lumens 2010-05-25 09:57:16 EDT
If you feel this is important, please raise it through your support representative which will allow us to make room in our schedules for addressing this issue.  Thanks.
Comment 8 Chris Lumens 2011-03-03 11:53:39 EST
For my future reference, here's the patch:

--- a/installclass.py
+++ b/installclass.py
@@ -305,13 +305,16 @@ class BaseInstallClass:
     def setSELinux(self, id, sel):
-    def setFirewall(self, id, enable = 1, trusts = [], ports = []):
+    def setFirewall(self, id, enable = 1, trusts = [], ports = [], disableSsh = False):
        id.firewall.enabled = enable
        id.firewall.trustdevs = trusts
        for port in ports:
            id.firewall.portlist.append (port)
+        if disableSsh:
+            id.firewall.portlist.remove("22:tcp")
     def setMiscXSettings(self, id, depth = None, resolution = None,
                          desktop = None, runlevel = None):
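Review bot: `id.firewall.portlist.remove("22:tcp")` in setFirewall raises ValueError if "22:tcp" is not in the list (an install class that seeds the port list differently, or a spelling such as "ssh:tcp", would abort the kickstart), and remove() only takes out the first occurrence, so `--no-ssh` combined with `--port=22:tcp` still leaves ssh open. Guard and drop every match instead, e.g. `id.firewall.portlist = [p for p in id.firewall.portlist if p != "22:tcp"]`, and document on the new parameter that ssh is the default and `disableSsh` is the only way to close it.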
diff --git a/kickstart.py b/kickstart.py
index 46c6c1f..5f40e61 100644
--- a/kickstart.py
+++ b/kickstart.py
@@ -197,7 +197,7 @@ class AnacondaKSHandlers(KickstartHandlers):
         KickstartHandlers.doFirewall(self, args)
         dict = self.ksdata.firewall
        self.id.instClass.setFirewall(self.id, dict["enabled"], dict["trusts"],
-                                      dict["ports"])
+                                      dict["ports"], disableSsh=dict["disableSsh"])
     def doFirstboot(self, args):
         KickstartHandlers.doFirstboot(self, args)
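Review bot: `dict["disableSsh"]` assumes the pykickstart firewall data always carries a disableSsh key; a pykickstart that does not know `--no-ssh` will raise KeyError here and abort the install, so either use `dict.get("disableSsh", False)` or make the anaconda package require the pykickstart version that adds the option. Renaming the local `dict` (it shadows the builtin) to something like `fw` while touching this line would also help.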
Comment 12 Alexander Todorov 2011-05-09 04:48:27 EDT
Tested with pykickstart-1.68-1.el5 and anaconda- My ks.cfg contained:
firewall --enabled --no-ssh

ssh access was not configured in the firewall.
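The behaviour this bug settles on (port 22 open under `firewall --enabled` unless `--no-ssh` is given) and the check in comment 12 can be turned into a small post-install audit. The following is an added example, not anaconda's or pykickstart's code: it models the kickstart `firewall` port handling with the default ssh entry, parses a constructed /etc/sysconfig/iptables in the RH-Firewall-1-INPUT layout quoted in the description, and reports ports the firewall accepts that the kickstart line did not ask for. The function names, the `--port=` handling (numeric ports only, no service-name lookup) and the sample file are assumptions.

```python
"""Audit a kickstart `firewall` line against the generated /etc/sysconfig/iptables.

Added example for this bug; not anaconda's or pykickstart's own code.
"""
import re
import shlex

# anaconda seeds the kickstart firewall port list with ssh (comment 1), so
# `firewall --enabled` alone yields a port-22 ACCEPT rule.
DEFAULT_PORTS = ["22:tcp"]

# Matches ACCEPT rules of the shape quoted in the description:
# -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
ACCEPT_RULE = re.compile(
    r"^-A\s+\S+\s+.*-p\s+(tcp|udp)\s+.*--dport\s+(\d+)\s+-j\s+ACCEPT\s*$"
)


def firewall_ports_from_kickstart(line):
    """Return (enabled, ports) for one kickstart `firewall` line.

    Models the semantics in this bug: ssh is open unless --no-ssh is given,
    --port= adds entries, --disabled empties the list.  Service names in
    --port= are not resolved (assumption: numeric ports only).
    """
    args = shlex.split(line)
    if not args or args[0] != "firewall":
        raise ValueError("not a kickstart firewall line: %r" % line)
    enabled = True
    disable_ssh = False
    ports = list(DEFAULT_PORTS)
    for arg in args[1:]:
        if arg in ("--enabled", "--enable"):
            enabled = True
        elif arg in ("--disabled", "--disable"):
            enabled = False
        elif arg == "--ssh":
            pass  # already the default
        elif arg == "--no-ssh":
            disable_ssh = True
        elif arg.startswith("--port="):
            for port in arg[len("--port="):].split(","):
                port = port.strip()
                if ":" not in port:
                    port += ":tcp"  # assumption: protocol defaults to tcp
                ports.append(port)
        elif arg.startswith("--trust="):
            pass  # trusted interfaces do not change the port list
        else:
            raise ValueError("unsupported firewall option: %s" % arg)
    if disable_ssh:
        # Drop every ssh entry; list.remove() would raise if it were absent
        # and would only remove the first occurrence.
        ports = [p for p in ports if p != "22:tcp"]
    if not enabled:
        ports = []
    return enabled, ports


def accepted_ports_from_iptables(text):
    """Return the set of 'port:proto' entries accepted by rules in an iptables-save file."""
    found = set()
    for raw in text.splitlines():
        m = ACCEPT_RULE.match(raw.strip())
        if m:
            found.add("%s:%s" % (m.group(2), m.group(1)))
    return found


def unexpected_open_ports(ks_line, iptables_text):
    """Ports the firewall accepts that the kickstart line did not ask for."""
    _enabled, intended = firewall_ports_from_kickstart(ks_line)
    return sorted(accepted_ports_from_iptables(iptables_text) - set(intended))


# Constructed sample in the RHEL 5 layout for `firewall --enabled`.
SAMPLE_IPTABLES = """\
# constructed sample; not a real installed file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    for ks in ("firewall --enabled", "firewall --enabled --no-ssh"):
        print("%-30s unexpected: %s" % (ks, unexpected_open_ports(ks, SAMPLE_IPTABLES)))
```

Run against a freshly installed host by feeding it the real /etc/sysconfig/iptables and the `firewall` line from the kickstart that built it; an empty result means the installer opened nothing beyond what the kickstart asked for, and `["22:tcp"]` for a `--no-ssh` kickstart is exactly the condition comment 12 checked for.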
Comment 13 errata-xmlrpc 2011-07-21 02:51:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

