When I specify "firewall --enabled" in a kickstart file, ssh is allowed even without specifying "firewall --enabled --ssh".

Reproducible: Always

Steps to Reproduce:
Here are the specifics of how I install:
1. Create the VM config file using the xen kernel & initrd and this command line: ksdevice=eth0 vnc vncconnect=XXX headless ip=XXX netmask=255.255.255.0 gateway=XXX dns=XXX ks=http://.../server.cfg
2. server.cfg has "firewall --enabled"
3. Start the VM with xm create -c server
4. Wait for the install to finish

Actual Results: ssh is allowed in the firewall; from /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Expected Results: Nothing allowed through the firewall.
Right, this is by design. The reason being that for a lot of the enterprise customers, the only way to get into the machine after installation is via ssh. We don't want to lock people out of fresh installs. This is especially the case on s390 and similarly unusual architectures. It is perhaps a little unexpected, but we're definitely doing this for a reason.
Ok, in that case the firewall kickstart option should have a '--no-ssh' flag, since the '--ssh' flag is really the default anyway. Can this be made an RFE instead? Really, documenting the '--ssh' flag qualifies this as a bug, IMHO.
If you feel this is important, please raise it through your support representative which will allow us to make room in our schedules for addressing this issue. Thanks.
For my future reference, here's the patch: --- a/installclass.py +++ b/installclass.py @@ -305,13 +305,16 @@ class BaseInstallClass: def setSELinux(self, id, sel): id.security.setSELinux(sel) - def setFirewall(self, id, enable = 1, trusts = [], ports = []): + def setFirewall(self, id, enable = 1, trusts = [], ports = [], disableSsh = False): id.firewall.enabled = enable id.firewall.trustdevs = trusts for port in ports: id.firewall.portlist.append (port) - + + if disableSsh: + id.firewall.portlist.remove("22:tcp") + def setMiscXSettings(self, id, depth = None, resolution = None, desktop = None, runlevel = None): diff --git a/kickstart.py b/kickstart.py index 46c6c1f..5f40e61 100644 --- a/kickstart.py +++ b/kickstart.py @@ -197,7 +197,7 @@ class AnacondaKSHandlers(KickstartHandlers): KickstartHandlers.doFirewall(self, args) dict = self.ksdata.firewall self.id.instClass.setFirewall(self.id, dict["enabled"], dict["trusts"], - dict["ports"]) + dict["ports"], disableSsh=dict["disableSsh"]) def doFirstboot(self, args): KickstartHandlers.doFirstboot(self, args)
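Review bot: In the installclass.py hunk, `id.firewall.portlist.remove("22:tcp")` raises ValueError when that exact entry is not in the list, and nothing in the visible lines shows where "22:tcp" is appended by default, so `--no-ssh` combined with a port list that does not carry it (or carries it in a different form) would abort the kickstart firewall step. Guard it, e.g. `if disableSsh and "22:tcp" in id.firewall.portlist:` before the `remove`, or catch ValueError and continue.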
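Review bot: In the kickstart.py hunk, `dict["disableSsh"]` assumes the pykickstart firewall handler always populates that key; with a pykickstart that lacks the `--no-ssh` option this becomes a KeyError on every `firewall` line, not just those using the new flag. Prefer `disableSsh=dict.get("disableSsh", False)` so the anaconda side degrades to the old behaviour when the key is absent.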
Tested with pykickstart-1.68-1.el5 and anaconda-11.1.2.232-1. My ks.cfg contained:
firewall --enabled --no-ssh
ssh access was not configured in the firewall.
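A post-install check for the behaviour discussed in this report, added here as an example and not code from anaconda or pykickstart: it derives the ports a kickstart `firewall` line is expected to open (22:tcp open by default when enabled and removed again by `--no-ssh`, as the thread describes) and compares them with the ACCEPT rules found in /etc/sysconfig/iptables. The iptables text is constructed sample data, and the `--port=` parsing is an assumption about pykickstart's syntax.

```python
import re
import shlex

# anaconda opens 22:tcp whenever the firewall is enabled (comment 2 above);
# the patched pykickstart's --no-ssh removes it again.
DEFAULT_OPEN_PORTS = {"22:tcp"}

# Constructed sample of /etc/sysconfig/iptables as written by a kickstart
# install with "firewall --enabled" (matches the rule quoted in the report).
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

ACCEPT_RE = re.compile(r"-A \S+ .*-p (tcp|udp)\b.*--dport (\d+) -j ACCEPT")


def expected_open_ports(kickstart_line):
    """Ports ('port:proto') a kickstart 'firewall' line should leave open.
    Assumes --port=a:tcp,b:udp syntax; other options are ignored."""
    args = shlex.split(kickstart_line)
    if not args or args[0] != "firewall":
        raise ValueError("not a firewall command: %r" % kickstart_line)
    enabled, ports = True, set(DEFAULT_OPEN_PORTS)
    for arg in args[1:]:
        if arg in ("--disabled", "--disable"):
            enabled = False
        elif arg == "--no-ssh":
            ports.discard("22:tcp")
        elif arg.startswith("--port="):
            for p in arg[len("--port="):].split(","):
                ports.add(p if ":" in p else p + ":tcp")
    return ports if enabled else set()


def accepted_ports(iptables_text):
    """Ports ('port:proto') with an ACCEPT rule in iptables-save output."""
    return {"%s:%s" % (m.group(2), m.group(1))
            for m in map(ACCEPT_RE.search, iptables_text.splitlines()) if m}


def firewall_mismatch(kickstart_line, iptables_text):
    """(unexpectedly open, expected but closed) for the installed system."""
    expected = expected_open_ports(kickstart_line)
    actual = accepted_ports(iptables_text)
    return actual - expected, expected - actual
```

Running `firewall_mismatch("firewall --enabled --no-ssh", SAMPLE_IPTABLES)` against the sample flags 22:tcp as unexpectedly open, which is exactly the discrepancy the report describes before the patch.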
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0984.html