Red Hat Bugzilla – Bug 485086
[RFE] ssh default allowed by kickstart firewall
Last modified: 2011-07-21 02:51:53 EDT
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:184.108.40.206) Gecko/2008121622 Fedora/3.0.5-1.fc10 Firefox/3.0.5
When I specify "firewall --enabled" in a kickstart file, ssh is allowed even without specifying "firewall --enabled --ssh".
Steps to Reproduce:
Here are the specifics of how I install:
1. Create a VM config file using the xen kernel & initrd and this command line:
ksdevice=eth0 vnc vncconnect=XXX headless ip=XXX netmask=255.255.255.0 gateway=XXX dns=XXX ks=http://.../server.cfg
2. server.cfg has "firewall --enabled"
3. Start the VM with xm create -c server
4. Wait for the install to finish
ssh is allowed in the firewall; from /etc/sysconfig/iptables:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
Allowed nothing through the firewall.
Right, this is by design. The reason being that for a lot of the enterprise customers, the only way to get into the machine after installation is via ssh. We don't want to lock people out of fresh installs. This is especially the case on s390 and similarly unusual architectures. It is perhaps a little unexpected, but we're definitely doing this for a reason.
Ok, in that case the firewall kickstart option should have a '--no-ssh' flag, since the '--ssh' flag is really the default anyway. Can this be made an RFE instead? Really, documenting the '--ssh' flag qualifies this as a bug, IMHO.
If you feel this is important, please raise it through your support representative which will allow us to make room in our schedules for addressing this issue. Thanks.
For my future reference, here's the patch:
@@ -305,13 +305,16 @@ class BaseInstallClass:
def setSELinux(self, id, sel):
- def setFirewall(self, id, enable = 1, trusts = , ports = ):
+ def setFirewall(self, id, enable = 1, trusts = , ports = , disableSsh = False):
id.firewall.enabled = enable
id.firewall.trustdevs = trusts
for port in ports:
+ if disableSsh:
def setMiscXSettings(self, id, depth = None, resolution = None,
desktop = None, runlevel = None):
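Review bot: the `+ if disableSsh:` line at the end of the hunk has no visible body, so the hunk as shown does not say how the ssh rule is dropped when the flag is set; the line that removes (or skips adding) `22:tcp` from the ports handed to the firewall belongs in this hunk and should be included for review. The new `disableSsh = False` keyword also comes with no docstring or kickstart documentation change for the `--no-ssh` option, which the earlier comment names as the point of the RFE. Minor: the `trusts = , ports = ` defaults are shown without values; if they are mutable defaults such as `[]`, prefer `None` and build a fresh list inside the function.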
diff --git a/kickstart.py b/kickstart.py
index 46c6c1f..5f40e61 100644
@@ -197,7 +197,7 @@ class AnacondaKSHandlers(KickstartHandlers):
dict = self.ksdata.firewall
self.id.instClass.setFirewall(self.id, dict["enabled"], dict["trusts"],
+ dict["ports"], disableSsh=dict["disableSsh"])
def doFirstboot(self, args):
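Review bot: `dict["disableSsh"]` indexes the kickstart firewall data unconditionally, so if anaconda is paired with a pykickstart that does not yet define the `--no-ssh` option the lookup raises `KeyError` and the whole firewall directive fails instead of falling back to the old "ssh allowed" behaviour. Use `dict.get("disableSsh", False)` so the default is preserved on older data, and consider renaming the local `dict` while touching this line, since it shadows the builtin.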
Tested with pykickstart-1.68-1.el5 and anaconda-220.127.116.11-1. My ks.cfg contained:
firewall --enabled --no-ssh
ssh access was not configured in the firewall.
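The reporter's check above (reading /etc/sysconfig/iptables after the install) and the tester's confirmation of `firewall --enabled --no-ssh` are the same post-install audit: work out which ports the kickstart `firewall` line should have opened, then compare with what iptables actually accepts. The script below is an added example, not code from the bug or from anaconda/pykickstart; it encodes the default described in this thread (ssh open whenever the firewall is enabled unless `--no-ssh` is given), understands the `--port=port:proto` option, and parses a constructed RH-Firewall-1-INPUT ruleset rather than a capture from any real host.

```python
import re
import shlex

# Constructed sample in the RHEL 5 RH-Firewall-1-INPUT layout, including the
# port 22 rule quoted in the bug. Not captured from a real system.
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Matches an ACCEPT rule for a single TCP/UDP destination port in a given chain.
ACCEPT_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+.*?-p\s+(?P<proto>tcp|udp)\b"
    r".*?--dport\s+(?P<port>\d+)\b.*?-j\s+ACCEPT\s*$"
)


def expected_open_ports(firewall_line):
    """Return the set of (proto, port) a kickstart ``firewall`` line opens.

    Follows the behaviour described in this bug: when the firewall is enabled,
    ssh (22/tcp) is open by default and only the patched ``--no-ssh`` flag
    removes it. ``--port=port:proto[,port:proto...]`` adds further ports.
    """
    args = shlex.split(firewall_line)
    if not args or args[0] != "firewall":
        raise ValueError("not a kickstart firewall directive: %r" % firewall_line)
    if "--disabled" in args or "--disable" in args:
        return set()
    ports = set()
    if "--no-ssh" not in args:
        ports.add(("tcp", 22))          # the implicit default this RFE is about
    for arg in args:
        if arg.startswith("--port="):
            for spec in arg[len("--port="):].split(","):
                port, proto = spec.split(":")
                ports.add((proto, int(port)))
    return ports


def actual_open_ports(iptables_text, chain="RH-Firewall-1-INPUT"):
    """Return the (proto, port) pairs the given chain accepts for new connections."""
    opened = set()
    for line in iptables_text.splitlines():
        match = ACCEPT_RE.match(line.strip())
        if match and match.group("chain") == chain:
            opened.add((match.group("proto"), int(match.group("port"))))
    return opened


def unexpected_open_ports(firewall_line, iptables_text):
    """Ports the host accepts that the kickstart firewall line did not ask for."""
    return actual_open_ports(iptables_text) - expected_open_ports(firewall_line)


if __name__ == "__main__":
    for ks in ("firewall --enabled", "firewall --enabled --no-ssh"):
        extra = sorted(unexpected_open_ports(ks, SAMPLE_IPTABLES))
        print("%-32s unexpected: %s" % (ks, extra or "none"))
```

Running it against the sample shows the distinction at the heart of the report: with `firewall --enabled` the port 22 rule is exactly what the (documented-by-this-bug) default produces, so nothing is flagged, while with `--no-ssh` the same ruleset is reported as unexpectedly exposing 22/tcp. On a real host, replace `SAMPLE_IPTABLES` with the contents of /etc/sysconfig/iptables.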
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.