Re: [rhelv5-list] Kickstart firewall allowing global SSH by default?

David Parsley wrote:
Hi all,

Not too long ago I noticed what I thought was a surprising change in the
default firewall for systems I kickstart.
Despite just having 'firewall --enabled' in my kickstart, I found this rule
in RH-Firewall-1-INPUT:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Why the heck is ssh globally open when I didn't specify it in my kickstart?
I found that it was somewhat hard to modify the firewall in %post, so that
now I dump a short script in /root that runs on the first boot and removes
this (in favor of local rules).

How are you installing? If you are using ssh at install time, having ssh open later seems reasonable.

If interactive root logins are disabled (and I don't know whether they are), and you choose good passwords, then I don't think you have cause to panic.

You can tune it more elegantly your way in %post. That's also a good time to install keys, if that's what you want.
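
One way to do the tuning discussed in this thread, as an added example that is not part of the original messages: a shell function that narrows the installer-generated port 22 rule to a source network, usable from %post or from a first-boot script. The function name `restrict_ssh`, the rules path `/etc/sysconfig/iptables` and the subnet `192.0.2.0/24` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): limit the global SSH ACCEPT rule
# to one source network in an iptables-save style rules file.

# restrict_ssh RULES_FILE SOURCE_CIDR
# Rewrites each "-A <chain> ... --dport 22 ... -j ACCEPT" rule that has no
# source match so it only accepts connections from SOURCE_CIDR.
# Returns 0 if a rule was rewritten, 1 if no rule was changed,
# 2 on bad arguments.
restrict_ssh() {
    rules=$1
    src=$2
    [ -f "$rules" ] && [ -n "$src" ] || return 2
    tmp=$(mktemp "${rules}.XXXXXX") || return 2

    if awk -v src="$src" '
        /^-A / && /--dport 22 / && /-j ACCEPT/ && !/ (-s|--source) / {
            # $1 is -A and $2 is the chain name: add the source match after it
            $2 = $2 " -s " src
            changed = 1
        }
        { print }
        END { exit(changed ? 0 : 1) }
    ' "$rules" > "$tmp"; then
        # Keep a backup, then write in place so the file keeps its
        # ownership, mode and SELinux label.
        cp -p "$rules" "${rules}.orig" && cat "$tmp" > "$rules"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Assumed usage (path and subnet are placeholders for your site):
#   restrict_ssh /etc/sysconfig/iptables 192.0.2.0/24 && service iptables restart
```

The trailing space in the `--dport 22 ` match keeps ports such as 2222 from being rewritten, and a second run is a no-op because the rule then already carries a source match.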



