This discussion morphs out of some questions that I asked over on the user's mailing list: https://www.redhat.com/archives/freeipa-users/2014-April/msg00033.html. It's also related to Trac #2110. (The subject says ipa-server-install, but this will also apply to replica installs, too.)
What is the expected compatibility with RHEL 5 and 6? Neither of those comes with FirewallD. Integrating with iptables is bound to be messy, and I feel like there are too many ways to get into trouble with destroying a user's iptables configuration. (Due to the unsafety of `iptables-restore`, there's no way to guarantee that the user's configuration will persist through a reboot.) Seeing as FirewallD has been the default in Fedora since 18 and will be in RHEL 7, it seems like a reasonable thing to do. Would there be opposition to making FirewallD the only firewall that ipa-server-install will configure, and just printing out iptables (or iptables-save fragments) for non-FirewallD systems?

The implementation should be pretty simple and straightforward, but I wanted to run over it briefly to see if there was any initial feedback.

First, there's a question of dependence. FirewallD exposes a DBus interface on the system bus. While it is possible to interact with shell commands, I would greatly prefer to make use of DBus directly. That will require pulling in python-dbus as a package dependency.

Second, FirewallD operates on "zones" to which interfaces are attached. To apply any sort of configuration, we'll need to attach a freeipa-server FirewallD service to the proper zone. During the current installation program, we already know the server's IP address from a call to installutils.get_server_ip_address(). I'll need to resolve on which interface this IP resides, and then FirewallD can tell me which zone should be modified. It is possible to scrape the output of `ip address` to determine this, but that's a messy solution. The better method is to use the NetworkManager DBus interfaces to query for this information. This gets back to my compatibility question above. Fedora doesn't really work without NetworkManager anymore, and I assume that will hold for RHEL 7.

Third, do we want to allow the user to limit the network access? I think that it makes sense to allow users to specify a network (e.g. 192.168.0.0/16) to limit accessibility to their FreeIPA server. Yet, there's always some trade-off to adding more options to ipa-server-install.

Fourth, FirewallD configuration is simple and quick, so I think it makes sense to get it out of the way early in the install process. I'm thinking right after ipaservices.backup_and_replace_hostname() (line 1,038) runs.

Implementation Walkthrough
----------------------------------------

    ~$ ipa-server-install --firewall --firewall-allow 192.168.0.0/24 --firewall-allow 192.168.1.0/24
    [...]
    [skip to line 1038]

1. Detect if FirewallD is running via DBus. (If not, generate sample iptables rules, print/log them, and continue normal install.)
2. Use NM DBus to resolve IP->interface. (If NM is not available, potentially fall back to scraping `ip a`.)
3. Use FirewallD DBus to resolve interface to zone.
4. FreeIPA will include a service XML template (like dsinstance.INF_TEMPLATE) that specifies the necessary ports/protocols. Write this service file to /etc/firewalld/services/.
5. If the user provided --firewall-allow args, generate rich rules based on the template, and add them to the proper zone. If not, the service is still added as a rich rule (for consistency and ease of uninstall).

Thanks,
Justin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
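The following is an added illustration of steps 1, 4 and 5 of the walkthrough above; it is not code from the message or from FreeIPA. It builds the firewalld service XML, turns `--firewall-allow` networks into rich rules for the `freeipa-server` service, and renders the iptables-save fragment that would be printed (never applied) on a host without FirewallD. The port list, the function names, and the `firewalld_available()` check via the `org.fedoraproject.FirewallD1` bus name are my assumptions, not something the message specifies.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumed port list for the service template; the message refers to a template
# but does not enumerate ports. DNS/NTP are deliberately left out here.
IPA_PORTS = [
    ("80", "tcp"), ("443", "tcp"),    # web UI and RPC
    ("389", "tcp"), ("636", "tcp"),   # LDAP / LDAPS
    ("88", "tcp"), ("88", "udp"),     # Kerberos
    ("464", "tcp"), ("464", "udp"),   # kpasswd
]


def firewalld_available():
    """Step 1: is FirewallD owning its well-known name on the system bus?
    Returns False when python-dbus is missing or no system bus is reachable."""
    try:
        import dbus  # hypothetical dependency, as the message proposes
        return bool(dbus.SystemBus().name_has_owner("org.fedoraproject.FirewallD1"))
    except Exception:
        return False


def render_service_xml(name="freeipa-server", ports=IPA_PORTS):
    """Step 4: the service definition destined for /etc/firewalld/services/<name>.xml."""
    service = ET.Element("service")
    ET.SubElement(service, "short").text = "FreeIPA server"
    ET.SubElement(service, "description").text = "Ports used by a FreeIPA server"
    for port, proto in ports:
        ET.SubElement(service, "port", port=port, protocol=proto)
    return ET.tostring(service, encoding="unicode")


def parse_allow_networks(args):
    """Validate --firewall-allow values. strict=True rejects host bits set in the
    prefix (e.g. 192.168.0.1/24) so a typo cannot silently widen the rule."""
    return [ipaddress.ip_network(a, strict=True) for a in args]


def rich_rules(service_name, networks):
    """Step 5: one rich rule per allowed network; with no networks, a single
    unrestricted rule so uninstall can still remove exactly what was added."""
    if not networks:
        return ['rule service name="%s" accept' % service_name]
    rules = []
    for net in networks:
        family = "ipv4" if net.version == 4 else "ipv6"
        rules.append('rule family="%s" source address="%s" service name="%s" accept'
                     % (family, net.with_prefixlen, service_name))
    return rules


def iptables_fragment(networks, ports=IPA_PORTS):
    """Fallback output for non-FirewallD hosts: iptables-save style lines the
    admin can review and apply; nothing here touches the live ruleset."""
    sources = [n.with_prefixlen for n in networks] or [None]
    lines = []
    for src in sources:
        for port, proto in ports:
            src_part = " -s %s" % src if src else ""
            lines.append("-A INPUT%s -p %s -m %s --dport %s -m conntrack --ctstate NEW -j ACCEPT"
                         % (src_part, proto, proto, port))
    return lines


if __name__ == "__main__":
    # Constructed input mirroring the walkthrough's command line.
    nets = parse_allow_networks(["192.168.0.0/24", "192.168.1.0/24"])
    if firewalld_available():
        print(render_service_xml())
        print("\n".join(rich_rules("freeipa-server", nets)))
    else:
        print("# FirewallD not running; sample iptables rules follow:")
        print("\n".join(iptables_fragment(nets)))
```

Keeping the fallback as printed text rather than calling `iptables` or `iptables-restore` is the point the message makes about not destroying an existing configuration: the installer shows what it would have opened and leaves the admin to merge it.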