gripe/question: /etc/sysconfig/system-config-firewall???
Jeroen van Meeuwen
kanarip at kanarip.com
Mon Dec 31 14:27:30 UTC 2007
Douglas McClendon wrote:
> Douglas McClendon wrote:
>> Anybody care to explain to me the logic of the file
>>
>> /etc/sysconfig/system-config-firewall
>>
>> which makes my kickstart and/or lokkit invocations not be respected?
>>
>> I.e. port 22 remains open even if I do
>>
>> lokkit --enabled
>>
>> (or just firewall --enabled in kickstart)
>>
>> It seems like if anything lokkit should be writing this file, not
>> reading one installed by an rpm. But maybe I just need a clue. ???
>
> Bahh, I still need a clue, but I'm suspecting now that something did
> write to that file and it doesn't have 22 in it as installed. But
> having seen but not read the thread here about packages opening up ports
> in the firewall rules, I did do rpm -q --scripts openssh-server and
> didn't see IT doing anything that would write to that file. clue
> please...???
>
> Basic issue: I do a kickstart install with
>
> firewall --enabled
>
> NOT
>
> firewall --enabled --port=22:tcp
>
> and I still see port 22 open, and the only clue I've found is that if I
> delete the contents of /etc/sysconfig/system-config-firewall, then I can
> actually get 22 closed via 'lokkit --enabled' which seems to be the
> appropriate way. (though it seems like it should work without having to
> muck with the sysconfig file)
>
I'm not sure how /etc/sysconfig/system-config-firewall is /actually/
related to iptables (or -the service- /etc/sysconfig/iptables if you
will), other than providing a set of defaults for the s-c-f application
itself (firstboot uses it too maybe?).
I agree with you though firewall --enabled should lock down the box, and
not have a sneaky --port=22:tcp, but I don't know how (other than %post)
and I don't know if it's related to /etc/sysconfig/s-c-f
Just my $0.02
Kind regards,
Jeroen van Meeuwen
-kanarip
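Added example, not part of the thread and not code from the fedora-devel-list posters: a small POSIX shell audit that reads a system-config-firewall style file (assumed format: one lokkit argument per line, '#' comments allowed) and lists every --service= and --port= line it would hand to lokkit. The sample file contents are constructed for the example; the functions scf_openings, scf_enabled and scf_opening_count are hypothetical names. Running it against the real file is how you would confirm whether the "sneaky" ssh opening comes from that file or from somewhere else.

```shell
#!/bin/sh
# Audit which openings a system-config-firewall config would pass to lokkit.
# Assumed file format: one lokkit argument per line, '#' starts a comment.

# Constructed sample config (NOT a copy of any installed file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# Configuration file for system-config-firewall (constructed sample)
--enabled
--service=ssh
--port=8080:tcp
EOF

# Print one line per opening: "service NAME" or "port NUM:PROTO".
# $1: path to a system-config-firewall style file
scf_openings() {
    grep -v '^[[:space:]]*#' "$1" | sed -n \
        -e 's/^--service=\(.*\)$/service \1/p' \
        -e 's/^--port=\(.*\)$/port \1/p'
}

# Exit 0 if the file enables the firewall, 1 otherwise.
scf_enabled() {
    grep -q '^--enabled' "$1"
}

# Number of service/port openings in the file.
scf_opening_count() {
    scf_openings "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: report on the constructed sample.
if scf_enabled "$SAMPLE_CONF"; then
    echo "firewall enabled: yes"
else
    echo "firewall enabled: no"
fi
echo "openings ($(scf_opening_count "$SAMPLE_CONF")):"
scf_openings "$SAMPLE_CONF"
```

Point it at /etc/sysconfig/system-config-firewall instead of the sample to see what the installed file actually opens; a "service ssh" line there would explain port 22 staying open after a plain "lokkit --enabled".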