I'm trying to configure a firewall for my livecd. Currently, I'm calling lokkit in %post, though I've also tried using iptables and iptables-save. Unfortunately, no matter what I try, my configuration seems to be discarded.

On 06/30/2011 03:39 AM, Aaron Cohen wrote: > I'm trying to configure a firewall for my livecd. Currently, I'm > calling lokkit in %post, though I've also tried using iptables and > iptables-save. Unfortunately, no matter what I try, my configuration > seems to be discarded. > > As far as I can tell, "lokkit" is run after the post scripts, to > enable or disable selinux. This seems to recreate > /etc/sysconfig/iptables and move my changes to > /etc/sysconfig/iptables.old. > > My understanding is that "lokkit --selinux=enforcing" is not supposed > to do anything other than enable selinux, but it definitely seems to > also discard firewall configuration in my testing. > > Is this intended? If I remember correctly my preferred workaround is to avoid including system-config-firewall* in the live image. It is a dependency from anaconda, so you might have to break something there. SE can be enabled "manually" with "echo SELINUX=enabled > /etc/selinux/config", but I think that is the default anyway. /Mads -- livecd mailing list livecd(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/livecd

On Thu, Jun 30, 2011 at 11:05 AM, James Heather <j.heather(a)surrey.ac.uk&gt; wrote: > It does also depend on how much control you want. If it's a case of enabling > access to particular services, you can do it with > >     firewall --enabled --service=mdns > > in your kickstart. That line appears in fedora-live-base.ks. I don't know if > you can put specific ports and protocols in there. (There isn't any > documentation that I've been able to find on the detailed syntax of > kickstart files. Maybe I missed it.) RTFS is the ultimate documentation: http://git.fedorahosted.org/git/?p=pykickstart.git;a=blob;f=pykickstart/c...