Douglas McClendon wrote:
Douglas McClendon wrote:
Anybody care to explain to me the logic of the file
/etc/sysconfig/system-config-firewall
which makes my kickstart and/or lokkit invocations not be respected?
I.e. port 22 remains open even if I do
lokkit --enabled
(or just firewall --enabled in kickstart)
It seems like if anything lokkit should be writing this file, not
reading one installed by an rpm. But maybe I just need a clue. ???
Bahh, I still need a clue, but I'm suspecting now that something did
write to that file and it doesn't have 22 in it as installed. But
having seen but not read the thread here about packages opening up ports
in the firewall rules, I did do rpm -q --scripts openssh-server and
didn't see IT doing anything that would write to that file. clue
please...???
Basic issue: I do a kickstart install with
firewall --enabled
NOT
firewall --enabled --port=22:tcp
and I still see port 22 open, and the only clue I've found is that if I
delete the contents of /etc/sysconfig/system-config-firewall, then I can
actually get 22 closed via 'lokkit --enabled' which seems to be the
appropriate way. (though it seems like it should work without having to
muck with the sysconfig file)
I'm not sure how /etc/sysconfig/system-config-firewall is /actually/
related to iptables (or -the service- /etc/sysconfig/iptables if you
will), other than providing a set of defaults for the s-c-f application
itself (firstboot uses it too maybe?).
I agree with you though firewall --enabled should lock down the box, and
not have a sneaky --port=22:tcp, but I don't know how (other than %post)
and I don't know if it's related to /etc/sysconfig/s-c-f
Just my $0.02
Kind regards,
Jeroen van Meeuwen
-kanarip