ec2/fedora-18-x86_64-ec2.ks | 34 ++++++++++++++++++++++++++++------
generic/fedora-18-x86_64-cloud.ks | 6 +++---
generic/fedora-18-x86_64-minimal.ks | 6 +++---
generic/fedora-18-x86_64.ks | 6 +++---
4 files changed, 37 insertions(+), 15 deletions(-)
New commits:
commit a523dd89af2f889d9e7ad727ff721f3a410aea2e
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Sun Dec 30 14:47:48 2012 -0500
enable simple firewall even in ec2
diff --git a/ec2/fedora-18-x86_64-ec2.ks b/ec2/fedora-18-x86_64-ec2.ks
index 5cd8544..8e33752 100644
--- a/ec2/fedora-18-x86_64-ec2.ks
+++ b/ec2/fedora-18-x86_64-ec2.ks
@@ -6,11 +6,6 @@
#
# Note that unlike the standard F18 install, this image has /tmp on disk
# rather than in tmpfs, since memory is usually at a premium.
-#
-# It additionally configures _no_ local firewall, in line with EC2
-# recommendations that security groups be used instead.
-
-
lang en_US.UTF-8
keyboard us
@@ -19,7 +14,9 @@ timezone --utc America/New_York
auth --useshadow --enablemd5
selinux --enforcing
-firewall --disabled
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
@@ -46,6 +43,10 @@ cloud-init
# Needed initially, but removed below.
firewalld
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
+iptables-services
+
# cherry-pick a few things from @standard
tmpwatch
tar
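Review bot: The comment on the new iptables-services entry tells readers they can drop the package when relying on security groups, but the %post later in this file still writes /etc/sysconfig/iptables, which removing the package leaves as an orphaned file that nothing loads. Extending the comment to `# security groups you can remove this (and the matching` / `# /etc/sysconfig/iptables block in %post).` points readers at both places. The %packages section this hunk sits in continues outside the hunk.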
@@ -104,6 +105,27 @@ yum -C -y remove linux-firmware
echo "Removing firewalld."
yum -C -y remove firewalld
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
# Because memory is scarce resource in most cloud/virt environments,
# and because this impedes forensics, we are differing from the Fedora
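Review bot: The static rule set written to /etc/sysconfig/iptables covers IPv4 only; nothing in this hunk writes /etc/sysconfig/ip6tables, so on an instance with IPv6 connectivity that address family is presumably left unfiltered unless the file is produced elsewhere in the kickstart. The hunk also never enables the service; if `systemctl enable iptables.service ip6tables.service` is not issued elsewhere in %post, the file is written but never loaded at boot. The heredoc is unquoted (`cat <<EOF`); quoting the delimiter prevents any future `$` in a rule from being expanded by the shell. A matching IPv6 file, sketched below, keeps the two families consistent. The %post script containing this block continues on both sides of the hunk.
```shell
# … unchanged: /etc/sysconfig/iptables heredoc above …
cat <<'EOF' > /etc/sysconfig/ip6tables
# IPv6 counterpart of /etc/sysconfig/iptables; keep the two files in sync.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
echo .
```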
commit cccfb527887d6c945e97ce5c19b2897a02ce19b0
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Sun Dec 30 14:38:36 2012 -0500
default to only ssh allowed by firewall (as per discussion on mailing list)
diff --git a/generic/fedora-18-x86_64-cloud.ks b/generic/fedora-18-x86_64-cloud.ks
index 7bc2884..468c690 100644
--- a/generic/fedora-18-x86_64-cloud.ks
+++ b/generic/fedora-18-x86_64-cloud.ks
@@ -17,7 +17,7 @@ selinux --enforcing
# this is actually not used, but a static firewall
# matching these rules is generated below.
-firewall --service=ssh --service=http --service=https
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
@@ -124,8 +124,8 @@ cat <<EOF > /etc/sysconfig/iptables
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
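Review bot: The http/https rules are left in the generated file as commented-out lines, while the `firewall --service=ssh` directive earlier in this file is described by its own comment as matching these rules; when someone re-enables a port by uncommenting it here, the directive at the top of the kickstart silently falls out of step. A one-line comment next to the two commented rules, `# if you re-enable these, also update the 'firewall' line at the top of this kickstart`, keeps the two in sync. The same change appears in generic/fedora-18-x86_64-minimal.ks and generic/fedora-18-x86_64.ks, and this note applies there as well. The heredoc containing these rules begins before the hunk.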
diff --git a/generic/fedora-18-x86_64-minimal.ks b/generic/fedora-18-x86_64-minimal.ks
index 71339a5..146477a 100644
--- a/generic/fedora-18-x86_64-minimal.ks
+++ b/generic/fedora-18-x86_64-minimal.ks
@@ -18,7 +18,7 @@ selinux --enforcing
# this is actually not used, but a static firewall
# matching these rules is generated below.
-firewall --service=ssh --service=http --service=https
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
@@ -132,8 +132,8 @@ cat <<EOF > /etc/sysconfig/iptables
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
diff --git a/generic/fedora-18-x86_64.ks b/generic/fedora-18-x86_64.ks
index 877f4ae..4f2d64d 100644
--- a/generic/fedora-18-x86_64.ks
+++ b/generic/fedora-18-x86_64.ks
@@ -12,7 +12,7 @@ selinux --enforcing
# this is actually not used, but a static firewall
# matching these rules is generated below.
-firewall --service=ssh --service=http --service=https
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
@@ -118,8 +118,8 @@ cat <<EOF > /etc/sysconfig/iptables
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT