[Fedora-livecd-list] Is it possible to configure the firewall in %post?

James Heather j.heather at surrey.ac.uk
Thu Jun 30 09:05:32 UTC 2011


It does also depend on how much control you want. If it's a case of
enabling access to particular services, you can do it with

    firewall --enabled --service=mdns

in your kickstart. That line appears in fedora-live-base.ks. I don't
know if you can put specific ports and protocols in there. (There isn't
any documentation that I've been able to find on the detailed syntax of
kickstart files. Maybe I missed it.)

James

On Thu, 2011-06-30 at 09:18 +0100, Mads Kiilerich wrote:

> On 06/30/2011 03:39 AM, Aaron Cohen wrote:
> > I'm trying to configure a firewall for my livecd. Currently, I'm
> > calling lokkit in %post, though I've also tried using iptables and
> > iptables-save. Unfortunately, no matter what I try, my configuration
> > seems to be discarded.
> >
> > As far as I can tell, "lokkit" is run after the post scripts, to
> > enable or disable selinux. This seems to recreate
> > /etc/sysconfig/iptables and move my changes to
> > /etc/sysconfig/iptables.old.
> >
> > My understanding is that "lokkit --selinux=enforcing" is not supposed
> > to do anything other than enable selinux, but it definitely seems to
> > also discard firewall configuration in my testing.
> >
> > Is this intended?
> 
> If I remember correctly my preferred workaround is to avoid including 
> system-config-firewall* in the live image. It is a dependency from 
> anaconda, so you might have to break something there.
> 
> SE can be enabled "manually" with "echo SELINUX=enabled > 
> /etc/selinux/config", but I think that is the default anyway.
> 
> /Mads
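
A check for the failure mode described in this thread, where /etc/sysconfig/iptables is regenerated after %post and the earlier rules end up in /etc/sysconfig/iptables.old. It is an added example, not code posted by anyone in the thread; the function names, exit codes and sample rule files are constructed, and the match pattern assumes iptables-save style lines.

```shell
#!/bin/sh
# Added example: check an image root for firewall rules written in %post.
# Status: 0 = all rules active, 1 = a rule is missing from both files,
#         2 = a rule survives only in iptables.old (active file regenerated)
has_rule() {  # has_rule FILE PORT PROTO
    [ -f "$1" ] || return 1
    grep -Eq -e "^-A .*-p $3 .*--dport $2 .*-j ACCEPT" "$1"
}

check_fw_rules() {  # check_fw_rules ROOT PORT/PROTO...
    root=$1; shift
    status=0
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        if has_rule "$root/etc/sysconfig/iptables" "$port" "$proto"; then
            continue
        elif has_rule "$root/etc/sysconfig/iptables.old" "$port" "$proto"; then
            echo "$spec: only in iptables.old, active file was rewritten" >&2
            status=2
        else
            echo "$spec: not found" >&2
            [ "$status" -eq 2 ] || status=1
        fi
    done
    return "$status"
}

make_sample_root() {  # constructed sample tree; prints its path
    d=$(mktemp -d) && mkdir -p "$d/etc/sysconfig" || return 1
    cat > "$d/etc/sysconfig/iptables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    cat > "$d/etc/sysconfig/iptables.old" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
    echo "$d"
}

sample=$(make_sample_root)
check_fw_rules "$sample" 22/tcp 8080/tcp || echo "check exit status: $?"
rm -rf "$sample"
```

Pointed at the installed root of a built image, a status of 2 shows that the rules were written and then displaced, rather than never applied.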

