I'm trying to configure a firewall for my livecd. Currently, I'm calling lokkit in %post, though I've also tried using iptables and iptables-save. Unfortunately, no matter what I try, my configuration seems to be discarded.
As far as I can tell, "lokkit" is run after the post scripts, to enable or disable selinux. This seems to recreate /etc/sysconfig/iptables and move my changes to /etc/sysconfig/iptables.old.
My understanding is that "lokkit --selinux=enforcing" is not supposed to do anything other than enable selinux, but it definitely seems to also discard firewall configuration in my testing.
Is this intended?
Thanks, Aaron
On Wed, Jun 29, 2011 at 21:39:16 -0400, Aaron Cohen aaron@assonance.org wrote:
I'm trying to configure a firewall for my livecd. Currently, I'm calling lokkit in %post, though I've also tried using iptables and iptables-save. Unfortunately, no matter what I try, my configuration seems to be discarded.
Depending on how you do it, you may want to add the commands to the livesys script. If you don't do it that way, you'd probably want to try doing a service iptables save in post. But I don't know if that would even work correctly in a chroot environment.
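One way to follow the livesys suggestion above, as an added example that is not from the thread or from livecd-tools: write a default-deny ruleset to a file lokkit does not touch and restore it from the livesys script at boot. The /etc/sysconfig/iptables.live path, the livesys script location and the service list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or livecd-tools): build an
# iptables-save style ruleset for a live image plus a hook that restores it
# from the livesys script at boot, so it survives lokkit rewriting
# /etc/sysconfig/iptables after %post. All paths are assumptions.

# write_live_firewall_rules OUTFILE [proto:port ...]
# Default-deny INPUT; allow loopback, established traffic, ICMP and each
# listed proto:port (e.g. udp:5353 for mdns, tcp:22 for ssh).
write_live_firewall_rules() {
    out=$1; shift
    for svc in "$@"; do          # basic sanity check of each spec
        case $svc in
            tcp:[0-9]*|udp:[0-9]*) ;;
            *) echo "bad service spec: $svc (want tcp:PORT or udp:PORT)" >&2
               return 1 ;;
        esac
    done
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -p icmp -j ACCEPT'
        for svc in "$@"; do
            echo "-A INPUT -p ${svc%%:*} --dport ${svc##*:} -j ACCEPT"
        done
        echo 'COMMIT'
    } > "$out"
}

# write_livesys_hook OUTFILE RULEFILE
# Emit the snippet to append to the livesys init script: it loads the
# ruleset with iptables-restore at boot, independent of whatever lokkit
# left in /etc/sysconfig/iptables during the image build.
write_livesys_hook() {
    cat > "$1" <<EOF
# live image firewall: restore the ruleset written at build time
if [ -f "$2" ]; then
    /sbin/iptables-restore < "$2" || logger -t livesys "iptables-restore failed"
fi
EOF
}

# Intended use in %post (assumed paths), after livesys has been created:
#   write_live_firewall_rules /etc/sysconfig/iptables.live udp:5353 tcp:22
#   write_livesys_hook /tmp/fw.sh /etc/sysconfig/iptables.live
#   cat /tmp/fw.sh >> /etc/rc.d/init.d/livesys
```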
On 06/30/2011 03:39 AM, Aaron Cohen wrote:
I'm trying to configure a firewall for my livecd. Currently, I'm calling lokkit in %post, though I've also tried using iptables and iptables-save. Unfortunately, no matter what I try, my configuration seems to be discarded.
As far as I can tell, "lokkit" is run after the post scripts, to enable or disable selinux. This seems to recreate /etc/sysconfig/iptables and move my changes to /etc/sysconfig/iptables.old.
My understanding is that "lokkit --selinux=enforcing" is not supposed to do anything other than enable selinux, but it definitely seems to also discard firewall configuration in my testing.
Is this intended?
If I remember correctly my preferred workaround is to avoid including system-config-firewall* in the live image. It is a dependency from anaconda, so you might have to break something there.
SE can be enabled "manually" with "echo SELINUX=enabled > /etc/selinux/config", but I think that is the default anyway.
/Mads
It does also depend on how much control you want. If it's a case of enabling access to particular services, you can do it with
firewall --enabled --service=mdns
in your kickstart. That line appears in fedora-live-base.ks. I don't know if you can put specific ports and protocols in there. (There isn't any documentation that I've been able to find on the detailed syntax of kickstart files. Maybe I missed it.)
James
On Thu, 2011-06-30 at 09:18 +0100, Mads Kiilerich wrote:
On 06/30/2011 03:39 AM, Aaron Cohen wrote:
I'm trying to configure a firewall for my livecd. Currently, I'm calling lokkit in %post, though I've also tried using iptables and iptables-save. Unfortunately, no matter what I try, my configuration seems to be discarded.
As far as I can tell, "lokkit" is run after the post scripts, to enable or disable selinux. This seems to recreate /etc/sysconfig/iptables and move my changes to /etc/sysconfig/iptables.old.
My understanding is that "lokkit --selinux=enforcing" is not supposed to do anything other than enable selinux, but it definitely seems to also discard firewall configuration in my testing.
Is this intended?
If I remember correctly my preferred workaround is to avoid including system-config-firewall* in the live image. It is a dependency from anaconda, so you might have to break something there.
SE can be enabled "manually" with "echo SELINUX=enabled > /etc/selinux/config", but I think that is the default anyway.
/Mads
livecd mailing list livecd@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/livecd
On Thu, Jun 30, 2011 at 11:05 AM, James Heather j.heather@surrey.ac.uk wrote:
It does also depend on how much control you want. If it's a case of enabling access to particular services, you can do it with
firewall --enabled --service=mdns
in your kickstart. That line appears in fedora-live-base.ks. I don't know if you can put specific ports and protocols in there. (There isn't any documentation that I've been able to find on the detailed syntax of kickstart files. Maybe I missed it.)
RTFS is the ultimate documentation: http://git.fedorahosted.org/git/?p=pykickstart.git;a=blob;f=pykickstart/comm...
On Thu, Jun 30, 2011 at 7:40 AM, Alan Pevec apevec@gmail.com wrote:
On Thu, Jun 30, 2011 at 11:05 AM, James Heather j.heather@surrey.ac.uk wrote:
It does also depend on how much control you want. If it's a case of enabling access to particular services, you can do it with
firewall --enabled --service=mdns
in your kickstart. That line appears in fedora-live-base.ks. I don't know if you can put specific ports and protocols in there. (There isn't any documentation that I've been able to find on the detailed syntax of kickstart files. Maybe I missed it.)
RTFS is the ultimate documentation: http://git.fedorahosted.org/git/?p=pykickstart.git;a=blob;f=pykickstart/comm...
I don't believe this actually works.
On more investigation, the problem is definitely in /usr/lib/python2.7/site-packages/imgcreate/kickstart.py, line 557: args = ["/usr/sbin/lokkit", "-f", "--quiet", "--nostart"]
This will cause "SelinuxConfig" to always completely reinitialize the firewall configuration. lokkit apparently reinitializes the firewall unless "--selinux" is the only command line option.
I'm suspicious that no one else has noticed this; it makes the "firewall" kickstart option and any attempt to configure the firewall manually in %post all useless, unless I'm misunderstanding something.
Am I just doing something wrong?
This is all using livecd-tools from Fedora 15, for what it's worth.
--Aaron
RTFS is the ultimate documentation: http://git.fedorahosted.org/git/?p=pykickstart.git;a=blob;f=pykickstart/comm...
RTFS is for school kids. Real men reverse engineer the binary.
James