[Fedora-spins] [spin-kickstarts/f20] by popular demand, disable the iptables firewall entirely.

Matthew Miller mattdm at fedoraproject.org
Mon Dec 9 19:56:28 UTC 2013


commit ba05c3ed084541dfbd0e2efc80ba4817df55c8f2
Author: Matthew Miller <mattdm at mattdm.org>
Date:   Mon Nov 18 12:15:19 2013 -0500

    by popular demand, disable the iptables firewall entirely.
    
    (cherry picked from commit fe5b6843ac682b85726bd9da4af5fe9f00d7e074)

 fedora-cloud-base.ks |   32 ++------------------------------
 1 files changed, 2 insertions(+), 30 deletions(-)
---
diff --git a/fedora-cloud-base.ks b/fedora-cloud-base.ks
index 15e6b70..21b6473 100644
--- a/fedora-cloud-base.ks
+++ b/fedora-cloud-base.ks
@@ -19,14 +19,12 @@ auth --useshadow --enablemd5
 selinux --enforcing
 rootpw --lock --iscrypted locked
 
-# this is actually not used, but a static firewall
-# matching these rules is generated below.
-firewall --service=ssh
+firewall --disabled
 
 bootloader --timeout=1 --append="console=ttyS0,115200n8 console=tty0" extlinux
 
 network --bootproto=dhcp --device=eth0 --onboot=on
-services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final
+services --enabled=network,sshd,rsyslog,cloud-init,cloud-init-local,cloud-config,cloud-final
 
 
 zerombr
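Review bot: The new `firewall --disabled` line at the top of the hunk drops the explanatory comment the removed lines carried, so the kickstart no longer records that the resulting image has no host-level packet filter while `sshd` stays in the enabled list on the new `services --enabled=` line. A one-line comment above the directive would keep that intent visible to maintainers: `# No host firewall: the image relies on the cloud provider's network controls (e.g. security groups).` The second and third hunks remove the iptables-services package and the static /etc/sysconfig/iptables rules, which is consistent with this directive and needs no further change.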
@@ -63,10 +61,6 @@ syslinux-extlinux
 # Needed initially, but removed below.
 firewalld
 
-# Basic firewall. If you're going to rely on your cloud service's
-# security groups you can remove this.
-iptables-services
-
 # cherry-pick a few things from @standard
 tar
 rsync
@@ -135,28 +129,6 @@ yum -C -y remove linux-firmware
 echo "Removing firewalld."
 yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1"
 
-# Non-firewalld-firewall
-echo -n "Writing static firewall"
-cat <<EOF > /etc/sysconfig/iptables
-# Simple static firewall loaded by iptables.service. Replace
-# this with your own custom rules, run lokkit, or switch to 
-# shorewall or firewalld as your needs dictate.
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
-EOF
-echo .
-
 # Another one needed at install time but not after that, and it pulls
 # in some unneeded deps (like, newt and slang)
 echo "Removing authconfig."

