Description of problem:
I'm building a custom Fedora 18 LiveCD. I want to have the firewall disabled, so I placed:
> firewall --disabled
into the kickstart. That is supposed to call "firewall-offline-cmd --disabled", which it probably does, because I see the following in the livecd-creator log:
> Firewall was disabled, unable to convert to zone.
> No changes to default zone needed.
But when I boot the system, iptables-save (or iptables -L) contains dozens of lines, firewalld.service is running and firewall-cmd --state returns 0, therefore (I assume) the firewall is running, it is not disabled. If I execute "firewall-offline-cmd --disabled" by hand, I see the usual output (as above), but nothing changes. If I stop firewalld.service by hand, the iptables output is finally empty. I assume the command to disable the firewall is not working properly.

Version-Release number of selected component (if applicable):
firewalld-0.2.12-3.fc18.noarch

How reproducible:
always

Steps to Reproduce:
1. build a kickstart with firewall --disabled
2. boot the image and see whether firewalld is disabled
3. or just boot a default F18 LiveCD and execute "firewall-offline-cmd --disabled"

Actual results:
iptables is full of rules, firewalld.service is running

Expected results:
iptables output is empty, firewalld.service is not running
Created attachment 710112: iptables output after booting a system with firewall --disabled
The command used by anaconda to disable the firewall does not work. Program log has:

09:21:59,552 INFO program: Running... /usr/bin/firewall-offline-cmd --disabled --service=ssh
09:22:00,719 INFO program: Firewall was disabled, unable to convert to zone.
09:22:00,719 INFO program: No changes to default zone needed.

Perhaps the anaconda folks and the firewalld folks can talk to each other and figure out what is needed to make this work. Still present in F19 Beta RC2.
Try using services --disabled=firewalld

The firewall command controls firewalld, services controls the service. If you think firewall-offline-cmd --disabled should turn off the service, open up a bug with firewalld.
Brian, http://fedoraproject.org/wiki/Anaconda/Kickstart#firewall says:
> --disabled or --disable
> Do not configure any iptables rules.
But there are hundreds of iptables rules in the installed system. I don't know if they actually do something, or whether they are zone definitions or whatnot, but they are there. The documentation should probably be adjusted.

Reassigning back to firewalld, because we need some information on how this is supposed to work: whether a disabled firewall means a disabled service, or a running service that doesn't block anything.
From https://fedoraproject.org/wiki/Anaconda/Kickstart#firewall :

firewall
This option corresponds to the Firewall Configuration screen in the installation program:
firewall --enabled|--disabled <device> [options]
--disabled or --disable
Do not configure any iptables rules.

So, I expect that with "firewall --disabled" I end up with a system without an active firewall. Currently, I get an active firewall that only allows some default traffic.
(In reply to Brian C. Lane from comment #3)
> Try using services --disabled=firewalld
>
> The firewall command controls firewalld, services controls the service.
>
> If you think firewall-offline-cmd --disabled should turn off the service
> open up a bug with firewalld.

I see this on Fedora 19:

# firewall-offline-cmd --disabled
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
ln -s '/dev/null' '/etc/systemd/system/firewalld.service'
Opening default zone 'public'

which masks the firewalld service.
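A post-boot check of the kind step 2 of the report asks for, added here as an example; it is not part of the bug thread and not code from firewalld or anaconda. It reports the firewalld unit state and the number of loaded iptables rules, and treats the firewall as disabled only when the service is not active and no rules are loaded (the failure mode in this report is "service running, dozens of rules" despite `firewall --disabled`). The helper functions take their inputs as arguments or on stdin so they can be exercised on constructed output; the live audit assumes `systemctl` and `iptables-save` are on PATH and needs root.

```shell
#!/bin/sh
# Post-boot check: did "firewall --disabled" in the kickstart really leave
# the booted image without an active firewall? (added example, not from the bug)

# Count loaded rules in iptables-save output read from stdin ("-A ..." lines).
# grep -c prints 0 and exits 1 when nothing matches, so keep the 0 and succeed.
count_rules() {
    grep -c '^-A ' || true
}

# Classify the firewalld unit from "systemctl is-enabled" / "is-active" output.
# Prints one of: masked | running | stopped
unit_state() {
    enabled="$1"; active="$2"
    case "$enabled" in
        masked*) echo masked; return ;;   # masked or masked-runtime
    esac
    if [ "$active" = "active" ]; then echo running; else echo stopped; fi
}

# Final verdict: disabled only if firewalld is not running AND no rules loaded.
# A stopped unit with rules still loaded is still an active packet filter.
verdict() {
    state="$1"; rules="$2"
    if [ "$state" != "running" ] && [ "$rules" -eq 0 ]; then
        echo firewall-disabled
    else
        echo firewall-active
    fi
}

# Live audit of the running system (root; real systemctl / iptables-save).
audit() {
    en=$(systemctl is-enabled firewalld.service 2>/dev/null || true)
    ac=$(systemctl is-active firewalld.service 2>/dev/null || true)
    n=$(iptables-save 2>/dev/null | count_rules)
    st=$(unit_state "$en" "$ac")
    echo "firewalld: $st (is-enabled=$en, is-active=$ac); iptables rules loaded: $n"
    verdict "$st" "$n"
}

case "${1:-}" in
    --run) audit ;;
esac
```

Run as `sh check.sh --run` on the booted image; an exit line of `firewall-active` together with a non-zero rule count is the situation described in this report.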
I believe this can be closed as fixed; the fact that firewall-offline-cmd --disabled is currently masking the service as well as disabling it is a separate issue.
Fixed in firewalld-0.3.4 and later.