gripe/question: /etc/sysconfig/system-config-firewall???

Jeroen van Meeuwen kanarip at kanarip.com
Mon Dec 31 14:27:30 UTC 2007


Douglas McClendon wrote:
> Douglas McClendon wrote:
>> Anybody care to explain to me the logic of the file
>>
>> /etc/sysconfig/system-config-firewall
>>
>> which makes my kickstart and/or lokkit invocations not be respected?
>>
>> I.e. port 22 remains open even if I do
>>
>> lokkit --enabled
>>
>> (or just firewall --enabled in kickstart)
>>
>> It seems like if anything lokkit should be writing this file, not 
>> reading one installed by an rpm.  But maybe I just need a clue.  ???
> 
> Bahh, I still need a clue, but I'm suspecting now that something did 
> write to that file and it doesn't have 22 in it as installed.  But 
> having seen but not read the thread here about packages opening up ports 
> in the firewall rules, I did do rpm -q --scripts openssh-server and 
> didn't see IT doing anything that would write to that file.  clue 
> please...???
> 
> Basic issue: I do a kickstart install with
> 
> firewall --enabled
> 
> NOT
> 
> firewall --enabled --port=22:tcp
> 
> and I still see port 22 open, and the only clue I've found is that if I 
> delete the contents of /etc/sysconfig/system-config-firewall, then I can 
> actually get 22 closed via 'lokkit --enabled' which seems to be the 
> appropriate way.  (though it seems like it should work without having to 
> muck with the sysconfig file)
> 

I'm not sure how /etc/sysconfig/system-config-firewall is /actually/ 
related to iptables (or -the service- /etc/sysconfig/iptables if you 
will), other than providing a set of defaults for the s-c-f application 
itself (firstboot uses it too maybe?).

I agree with you though firewall --enabled should lock down the box, and 
not have a sneaky --port=22:tcp, but I don't know how (other than %post) 
and I don't know if it's related to /etc/sysconfig/s-c-f.

Just my $0.02

Kind regards,

Jeroen van Meeuwen
-kanarip
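Since the thread never settles how the sysconfig file feeds the rules, the reliable check is the ruleset that actually gets loaded. The following is an added example, not code from the thread or from lokkit: it audits an iptables-save style dump for ACCEPT rules on a given port, so a %post script or a post-install check can confirm whether `firewall --enabled` really left tcp/22 closed. The sample dump is constructed for the example (the chain name and rules are assumed, loosely modelled on a Red Hat era lokkit ruleset, not taken from the thread).

```shell
#!/bin/sh
# Constructed sample dump (assumed layout, iptables-save style): what a box
# looks like when ssh was left open despite the intent of "firewall --enabled".
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# accepts_port RULES PROTO PORT
# Prints every ACCEPT rule that matches exactly that proto/port (so 22 does
# not match 2222); exit status 0 if at least one exists, 1 otherwise.
accepts_port() {
    printf '%s\n' "$1" | grep -E -- "^-A .*-p $2 .*--dport $3( |$).*-j ACCEPT"
}

# list_accepted_ports RULES
# One "proto/port" line per inbound port that some ACCEPT rule lets through.
list_accepted_ports() {
    printf '%s\n' "$1" \
      | grep -E -- '^-A .*-j ACCEPT' \
      | sed -n -E 's/^.*-p (tcp|udp) .*--dport ([0-9]+)( .*)?-j ACCEPT.*$/\1\/\2/p' \
      | sort -u
}

# On a live host you would feed it "$(iptables-save)" instead of SAMPLE_RULES.
if accepts_port "$SAMPLE_RULES" tcp 22 >/dev/null; then
    echo "tcp/22 is ACCEPTed: the loaded ruleset still allows ssh"
else
    echo "tcp/22 is not accepted by any rule"
fi
echo "all accepted inbound ports:"
list_accepted_ports "$SAMPLE_RULES"
```

Running it against `iptables-save` output in %post (or from a console after the install) shows which ports the applied ruleset opens, independent of what /etc/sysconfig/system-config-firewall claims.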

More information about the fedora-devel-list mailing list