<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/4.0.1">
</HEAD>
<BODY>
It does also depend on how much control you want. If it's a case of enabling access to particular services, you can do it with<BR>
<BR>
firewall --enabled --service=mdns<BR>
<BR>
in your kickstart. That line appears in fedora-live-base.ks. I don't know if you can put specific ports and protocols in there. (There isn't any documentation that I've been able to find on the detailed syntax of kickstart files. Maybe I missed it.)<BR>
<BR>
James<BR>
<BR>
On Thu, 2011-06-30 at 09:18 +0100, Mads Kiilerich wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
On 06/30/2011 03:39 AM, Aaron Cohen wrote:
> I'm trying to configure a firewall for my livecd. Currently, I'm
> calling lokkit in %post, though I've also tried using iptables and
> iptables-save. Unfortunately, no matter what I try, my configuration
> seems to be discarded.
>
> As far as I can tell, "lokkit" is run after the post scripts, to
> enable or disable selinux. This seems to recreate
> /etc/sysconfig/iptables and move my changes to
> /etc/sysconfig/iptables.old.
>
> My understanding is that "lokkit --selinux=enforcing" is not supposed
> to do anything other than enable selinux, but it definitely seems to
> also discard firewall configuration in my testing.
>
> Is this intended?
If I remember correctly my preferred workaround is to avoid including
system-config-firewall* in the live image. It is a dependency from
anaconda, so you might have to break something there.
SE can be enabled "manually" with "echo SELINUX=enabled >
/etc/selinux/config", but I think that is the default anyway.
/Mads
--
livecd mailing list
<A HREF="mailto:livecd@lists.fedoraproject.org">livecd@lists.fedoraproject.org</A>
<A HREF="https://admin.fedoraproject.org/mailman/listinfo/livecd">https://admin.fedoraproject.org/mailman/listinfo/livecd</A>
</PRE>
</BLOCKQUOTE>
<BR>
</BODY>
</HTML>