[Freeipa-devel] Ticket #1107 - firewall troubles

Jakub Hrozek jhrozek at redhat.com
Fri May 20 06:36:15 UTC 2011


On 05/19/2011 10:41 PM, Simo Sorce wrote:
> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
>> Hello,
>>
>> I am working on ticket #1107 and I am looking for some ideas how to deal
>> with it.
>>
>> The problem is that when we are installing a replica and have firewall
>> on, the installation may fail or (even worse) hang. The question is
>> how to deal with this situation since we cannot test if the ports are
>> not blocked locally. It must be done from the remote master.
>>
>> I discussed this with Rob and I see two solutions here:
>>
>> 1) Don't complicate this and limit our user handholding (my favorite) -
>> just tell him what ports he should open before proceeding with the
>> installation. If he doesn't, the installation will fail later. The
>> problem is when the installation hangs - it's hard to detect. This is the
>> easy way.
>>
>> 2) Implement and register a mod_wsgi application on a master server and
>> let it test remotely if the ports on the replica are open. We would have
>> to open and listen on them in ipa-replica-install as we cannot tell if port
>> is not-yet-opened or firewalled just from the network error code. If the
>> application would report a firewalled port, we would throw an error in
>> the ipa-replica-install.
>>
>> However, as Rob pointed out, it would open a possible security hole as
>> we would basically behave as a port scanner.
> 
> It may also create SELinux issues as I think apache is not allowed to
> contact random ports normally.
> 
>> Any opinions, suggestions, ideas on this?
> 
> I think a much better solution is to create a simple program pair one
> for the master and one for the wannabe replica.
> 
> The one on the replica opens all relevant ports.
> The one to be run on the master tries to connect to all these ports.
> Each side will report port, service name, success/failure
> 
> Bonus points if we create the replica program so that it can use admin
> credentials to ssh into the master and run the master side automatically
> properly merging the output of that side.
> 

And even more bonus points if we write a simple SELinux policy that only
allows the listening program to just bind to the set of ports and
nothing else.
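A minimal sketch of the program pair Simo describes (replica side binds the expected ports, master side connects to them, both reports are merged per port), added here as an illustration and not code from the thread or from FreeIPA. The port-to-service map is supplied by the caller; the sample ports in the comments are assumed, and the master side only ever touches that fixed list on the named replica, which addresses the port-scanner concern raised above.

```python
import socket


def free_port(host="127.0.0.1"):
    """Ask the kernel for an unused TCP port (used by the local self-test only)."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def open_listeners(ports, host=""):
    """Replica side: bind and listen on each expected port (e.g. {389: "ldap"}),
    nothing else. Returns the open sockets and port -> (service, state)."""
    sockets, report = [], {}
    for port, service in ports.items():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(5)
            sockets.append(s)
            report[port] = (service, "listening")
        except OSError as e:  # port already held by a running service, etc.
            s.close()
            report[port] = (service, "bind-failed: %s" % e.strerror)
    return sockets, report


def probe_ports(host, ports, timeout=2.0):
    """Master side: connect only to the fixed port list on the named replica.
    A timeout with no RST is the signature of a DROP rule; "closed" means the host answered."""
    report = {}
    for port, service in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                report[port] = (service, "open")
        except socket.timeout:
            report[port] = (service, "timeout")
        except OSError:
            report[port] = (service, "closed")
    return report


def merge_reports(replica_report, master_report):
    """Combine both sides into one verdict per port, as the thread proposes."""
    merged = {}
    for port, (service, rstate) in replica_report.items():
        mstate = master_report.get(port, (service, "untested"))[1]
        if rstate != "listening":
            verdict = "not-listening"
        elif mstate == "open":
            verdict = "ok"
        else:  # listening locally but unreachable from the master
            verdict = "blocked-by-firewall" if mstate == "timeout" else "unreachable"
        merged[port] = (service, rstate, mstate, verdict)
    return merged
```

The listener must stay up while the master probes; a real tool would run the replica side first and ssh to the master to run `probe_ports` against the replica's address.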

