[Freeipa-devel] Ticket #1107 - firewall troubles

Martin Kosek mkosek at redhat.com
Fri May 20 07:36:51 UTC 2011


On Thu, 2011-05-19 at 16:41 -0400, Simo Sorce wrote:
> On Thu, 2011-05-19 at 21:54 +0200, Martin Kosek wrote:
> > Hello,
> > 
> > I am working on ticket #1107 and I am looking for some ideas how to deal
> > with it.
> > 
> > The problem is that when we are installing a replica and have firewall
> > on, the installation may fail or (even worse) hang. The question is
> > how to deal with this situation since we cannot test if the ports are
> > not blocked locally. It must be done from the remote master.
> > 
> > I discussed this with Rob and I see two solutions here:
> > 
> > 1) Don't complicate this and limit our user handholding (my favorite) -
> > just tell him what ports he should open before proceeding with the
> > installation. If he doesn't, the installation will fail later. The
> > problem is when the installation hangs - it's hard to detect. This is the
> > easy way.
> > 
> > 2) Implement and register a mod_wsgi application on a master server and
> > let it test remotely if the ports on the replica are open. We would have
> > to open and listen on them in ipa-replica-install as we cannot tell if a port
> > is not-yet-opened or firewalled just from the network error code. If the
> > application would report a firewalled port, we would throw an error in
> > the ipa-replica-install.
> > 
> > However, as Rob pointed out, it would open a possible security hole as
> > we would basically behave as port scanner.
> 
> It may also create SELinux issues as I think apache is not allowed to
> contact random ports normally.
> 
> > Any opinions, suggestions, ideas on this?
> 
> I think a much better solution is to create a simple program pair one
> for the master and one for the wannabe replica.
> 
> The one on the replica opens all relevant ports.
> The one to be run on the master tries to connect to all these ports.
> Each side will report port,service name,success/failure

So you are saying this program would be optional and the user could run it
if he were unsure whether the firewall setting is OK? Like running, for
example:

$ ipa-replica-check-connection --on-replica

on the replica which would listen on our set of ports (and as Jakub
said, it may be secured by SELinux policy) and then he would run

$ ipa-replica-check-connection --on-master

on the master server which would test the ports and print a result.

> 
> Bonus points if we create the replica program so that it can use admin
> credentials to ssh into the master and run the master side automatically
> properly merging the output of that side.

I am not sure if we can count on having admin credentials for ssh or
even ssh connection at all.

Martin
