While the FreeIPA installation instructions list the ports through which the firewall should allow traffic, it would be helpful if the ipa-server-install execution would configure the firewall. I understand that there are several options for firewall that a system could use, but perhaps it could look for firewalld, which appears to be the firewall of choice in Fedora 18, and configure it if present? I know that means editing an XML file as there is no command line tool for editing the firewalld persistent configuration.

firewall-config
# tcp  udp  service   description
# ---- ---- --------  --------------
#
# 53   53   domain    Domain Name Server
#
# 80        http      World Wide Web HTTP
# 88   88   kerberos  Kerberos
# 123       ntp       Network Time Protocol
# 389       ldap      Lightweight Directory Access Protocol
#
# 443       https     World Wide Web HTTP over SSL
# 464  464  kpasswd   kpasswd
# 636       ldaps     Lightweight Directory Access Protocol over SSL

In the meantime, do you have a source for the required service XML configuration files that are not included with firewalld? I could write them, starting by copying an existing file and editing it, but it would be ever so much less prone to error if I did not have to. I guess this is not really a bug, but something that would improve the life of system administrators installing FreeIPA. I did not know how else to raise awareness.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2110
With the recent updates to firewall-cmd this is what my IPA server installation script looks like:

# Install IPA server
yum install --assumeyes freeipa-server bind bind-dyndb-ldap
ipa-server-install \
  --admin-password adminpassword \
  --domain hunter.org \
  --ds-password dspassword \
  --hostname ipa.hunter.org \
  --no-forwarders \
  --no-ntp \
  --realm HUNTER.ORG \
  --setup-dns \
  --unattended

cat >/etc/firewalld/services/kerberos.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kerberos</short>
  <description>Kerberos</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>
EOD

cat >/etc/firewalld/services/kpasswd.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kpasswd</short>
  <description>kpasswd</description>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
</service>
EOD

cat >/etc/firewalld/services/ldap.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldap</short>
  <description>Lightweight Directory Access Protocol</description>
  <port protocol="tcp" port="389"/>
</service>
EOD

cat >/etc/firewalld/services/ldaps.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldaps</short>
  <description>Lightweight Directory Access Protocol over SSL</description>
  <port protocol="tcp" port="636"/>
</service>
EOD

firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=kerberos
firewall-cmd --permanent --zone=public --add-service=kpasswd
firewall-cmd --permanent --zone=public --add-service=ldap
firewall-cmd --permanent --zone=public --add-service=ldaps
firewall-cmd --permanent --zone=public --add-service=ntp
firewall-cmd --reload

If you do not want to update the firewall, could you at least provide the service XML files with better descriptions?
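One way to verify that a zone's enabled services open exactly the ports from the table in the report, neither fewer nor more. This is an added example, not code from the bug report or from the FreeIPA project; it assumes service XML in the format the script above writes, builds in-memory stand-ins for the files instead of reading /etc/firewalld/services/, and assigns protocols to the single-port rows of the table as noted in the comments.

```python
# Added audit example (not from the bug report or FreeIPA): parse firewalld service
# XML like the files written above and diff the opened ports against the report's table.
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Set, Tuple

PortSet = Set[Tuple[str, int]]

# Ports from the table in the original report. Protocols for the single-port rows
# are an assumption matching the stock firewalld services (ntp udp, the rest tcp).
REQUIRED: PortSet = {
    ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443), ("tcp", 88), ("udp", 88),
    ("udp", 123), ("tcp", 389), ("tcp", 636), ("tcp", 464), ("udp", 464),
}

def service_xml(short: str, ports: Iterable[Tuple[str, int]]) -> str:
    """Build a service definition in the format used by the script above."""
    body = "".join(f'  <port protocol="{p}" port="{n}"/>\n' for p, n in ports)
    return ('<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
            f"  <short>{short}</short>\n{body}</service>\n")

# Constructed stand-ins for /etc/firewalld/services/*.xml (no firewalld needed).
SERVICES: Dict[str, str] = {
    "dns": service_xml("dns", [("tcp", 53), ("udp", 53)]),
    "http": service_xml("http", [("tcp", 80)]),
    "https": service_xml("https", [("tcp", 443)]),
    "kerberos": service_xml("kerberos", [("tcp", 88), ("udp", 88)]),
    "kpasswd": service_xml("kpasswd", [("tcp", 464), ("udp", 464)]),
    "ldap": service_xml("ldap", [("tcp", 389)]),
    "ldaps": service_xml("ldaps", [("tcp", 636)]),
    "ntp": service_xml("ntp", [("udp", 123)]),
}

def ports_of(xml_text: str) -> PortSet:
    """Return the (protocol, port) pairs one service definition opens."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError(f"not a firewalld service file: <{root.tag}>")
    return {(p.get("protocol"), int(p.get("port"))) for p in root.iter("port")}

def audit(enabled: Iterable[str], services: Dict[str, str],
          required: PortSet = REQUIRED) -> Tuple[PortSet, PortSet]:
    """Return (missing, extra): required ports left closed, opened ports not required."""
    opened: PortSet = set()
    for name in enabled:
        opened |= ports_of(services[name])
    return required - opened, opened - required
```

Against a real host, replace SERVICES with the parsed contents of the service files and `enabled` with the output of `firewall-cmd --zone=public --list-services`; a non-empty `extra` set means the zone exposes more than FreeIPA needs.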
Hello Dean, thanks for the example. We do want to update the firewall; it is already suggested in the FreeIPA ticket referred to by this ticket. It will most probably be done with the use of firewall-cmd as you showed above. It could be run in ipa-{server,replica,client}-install. We just need to create the service XMLs in some reliable way so that the files do not clash with other projects. This ticket is not currently targeted for the next release; I can bring this topic up in our Triage meeting to change its targeting. However, if you would want to have it in FreeIPA earlier, you may want to consider contributing to the project; patches are always welcome!
Thank you for the update. I am not overly concerned about when the feature is added to the IPA install. I just added the information because I had compiled a list of products for which I had to perform similar actions. I have opened 914859 requesting additional service XML files from the firewalld folks for those services that I found missing. At this point IPA is consistent with other product implementations. In the coming year I hope to learn enough Python so that I might participate, but I am not qualified just yet. Again, thank you for the update and keep up the good work.
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This RFE is still valid for current Fedora version, changing the version field.
It appears that firewalld has the service files in Fedora 20+. Not sure when they got added, but seems like someone should mention it. Will add this comment to upstream ticket too.
Check #914859
Ah, I see:

# ll /usr/lib/firewalld/services/freeipa-*
-rw-r-----. 1 root root 836 Oct 14 12:42 /usr/lib/firewalld/services/freeipa-ldaps.xml
-rw-r-----. 1 root root 836 Oct 14 12:42 /usr/lib/firewalld/services/freeipa-ldap.xml
-rw-r-----. 1 root root 315 Oct 14 12:42 /usr/lib/firewalld/services/freeipa-replication.xml

I am not convinced they are completely correct though; for example, freeipa-replication.xml is only needed for replication with FreeIPA < 3.1 (i.e. RHEL/CentOS 6.x), the newer FreeIPA versions already replicate PKI information over the standard 389 port. Also note that a community member has already done initial design work for the FreeIPA feature: http://www.freeipa.org/page/V4/Firewall_Configuration
I am certain a number of improvements could be made to the service files I suggested. They were my best guess from the documentation and other information available to me at the time. I was trying to answer the question about when the service files for IPA were included with firewalld. I probably should have been a little more verbose. Best wishes on your continued development of a very fine product.
This message is a reminder that Fedora 20 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 20. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '20'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 20 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
If there are more changes required to add to firewalld configuration, please open a new bugzilla to address specific changes.