Anybody care to explain to me the logic of the file
/etc/sysconfig/system-config-firewall
which makes my kickstart and/or lokkit invocations not be respected?
I.e. port 22 remains open even if I do
lokkit --enabled
(or just firewall --enabled in kickstart)
It seems like if anything lokkit should be writing this file, not reading one installed by an rpm. But maybe I just need a clue. ???
-dmc
Douglas McClendon wrote:
> Anybody care to explain to me the logic of the file
> /etc/sysconfig/system-config-firewall
> which makes my kickstart and/or lokkit invocations not be respected?
> I.e. port 22 remains open even if I do
> lokkit --enabled
> (or just firewall --enabled in kickstart)
> It seems like if anything lokkit should be writing this file, not reading one installed by an rpm. But maybe I just need a clue. ???
Bahh, I still need a clue, but I'm suspecting now that something did write to that file and it doesn't have 22 in it as installed. But having seen but not read the thread here about packages opening up ports in the firewall rules, I did do rpm -q --scripts openssh-server and didn't see IT doing anything that would write to that file. clue please...???
Basic issue: I do a kickstart install with
firewall --enabled
NOT
firewall --enabled --port=22:tcp
and I still see port 22 open, and the only clue I've found is that if I delete the contents of /etc/sysconfig/system-config-firewall, then I can actually get 22 closed via 'lokkit --enabled' which seems to be the appropriate way. (though it seems like it should work without having to muck with the sysconfig file)
-dmc
Douglas McClendon wrote:
> Douglas McClendon wrote:
> > Anybody care to explain to me the logic of the file
> > /etc/sysconfig/system-config-firewall
> > which makes my kickstart and/or lokkit invocations not be respected?
> > I.e. port 22 remains open even if I do
> > lokkit --enabled
> > (or just firewall --enabled in kickstart)
> > It seems like if anything lokkit should be writing this file, not reading one installed by an rpm. But maybe I just need a clue. ???
> Bahh, I still need a clue, but I'm suspecting now that something did write to that file and it doesn't have 22 in it as installed. But having seen but not read the thread here about packages opening up ports in the firewall rules, I did do rpm -q --scripts openssh-server and didn't see IT doing anything that would write to that file. clue please...???
> Basic issue: I do a kickstart install with
> firewall --enabled
> NOT
> firewall --enabled --port=22:tcp
> and I still see port 22 open, and the only clue I've found is that if I delete the contents of /etc/sysconfig/system-config-firewall, then I can actually get 22 closed via 'lokkit --enabled' which seems to be the appropriate way. (though it seems like it should work without having to muck with the sysconfig file)
I'm not sure how /etc/sysconfig/system-config-firewall is /actually/ related to iptables (or -the service- /etc/sysconfig/iptables if you will), other than providing a set of defaults for the s-c-f application itself (firstboot uses it too maybe?).
I agree with you though firewall --enabled should lock down the box, and not have a sneaky --port=22:tcp, but I don't know how (other than %post) and I don't know if it's related to /etc/sysconfig/s-c-f
Just my $0.02
Kind regards,
Jeroen van Meeuwen -kanarip
Douglas McClendon wrote:
> Anybody care to explain to me the logic of the file
> /etc/sysconfig/system-config-firewall
> which makes my kickstart and/or lokkit invocations not be respected?
> I.e. port 22 remains open even if I do
> lokkit --enabled
> (or just firewall --enabled in kickstart)
> It seems like if anything lokkit should be writing this file, not reading one installed by an rpm. But maybe I just need a clue. ???
> -dmc
If you want to generate a new firewall configuration, you should use the '-f' option. lokkit is modifying the actual settings as long as this option is not given. Please have a look at the output of 'lokkit --help'.
/etc/sysconfig/system-config-firewall is the config file generated by system-config-firewall, which replaces system-config-securitylevel since F-8.
Thomas
devel@lists.stg.fedoraproject.org