Hello,

This patch updates the iptables references to firewalld and links to firewalld in the security guides for configuring ports.
Thanks, Gabe
From bed0669b2be86c1277f1dec65670087ab5f0148d Mon Sep 17 00:00:00 2001 From: Gabe <redhatri...@gmail.com> Date: Sun, 17 Aug 2014 20:12:00 -0600 Subject: [PATCH] [DOC] Update iptables sections to firewalld - Add conditional links to firewalld docs in Security Guide - Update iptables commands to firewalld commands --- src/user_guide/en-US/Installing.xml | 7 +-- src/user_guide/en-US/InstallingClients.xml | 7 +-- src/user_guide/en-US/Trust.xml | 98 +++++++++++++++--------------- 3 files changed, 54 insertions(+), 58 deletions(-) diff --git a/src/user_guide/en-US/Installing.xml b/src/user_guide/en-US/Installing.xml index 362c9161c96967cd7e469105ccceb64e755cba60..fd199a00190bb9e35fa760a6b6b34cc0918216c5 100644 --- a/src/user_guide/en-US/Installing.xml +++ b/src/user_guide/en-US/Installing.xml 
@@ -180,14 +180,13 @@ <section id="prereq-ports"><title>System Ports</title> <para> - &IPA; uses a number of ports to communicate with its services. These ports, listed in <xref linkend="tab.ipa-ports" />, must be open and available for &IPA; to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try <command>iptables</command> to list the available ports or <command>nc</command>, <command>telnet</command>, or <command>nmap</command> to connect to a port or run a port scan. + &IPA; uses a number of ports to communicate with its services. These ports, listed in <xref linkend="tab.ipa-ports" />, must be open and available for &IPA; to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try <command>firewall-cmd</command> to list the available ports or <command>nc</command>, <command>telnet</command>, or <command>nmap</command> to connect to a port or run a port scan. </para> <para> - To open a port: + To open a port, refer to the <ulink url="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html" condition="redhat">Using Firewalls section in the Security Guide</ulink><ulink url="http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security_Guide-Using_Firewalls.html" condition="fedora">Using Firewalls section in the Security Guide</ulink>. </para> -<screen>[root@server ~]# iptables -A INPUT -p tcp --dport 389 -j ACCEPT</screen> <para> - The <command>iptables</command> man page has more information on opening and closing ports on a system. + The <command>firewall-cmd</command> man page also has more information on opening and closing ports on a system. </para> <table id="tab.ipa-ports"><title>&IPA; Ports</title> <tgroup cols="3"> 
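Review bot: In this Installing.xml hunk the concrete example of opening a port (the removed `<screen>[root@server ~]# iptables -A INPUT -p tcp --dport 389 -j ACCEPT</screen>`) is replaced by a link only, so the section no longer shows any firewalld command; keep a one-line equivalent such as `firewall-cmd --permanent --add-port=389/tcp` followed by `firewall-cmd --reload` so the reader does not have to leave the guide for the common case. The sentence "try <command>firewall-cmd</command> to list the available ports" would also be clearer if it named the subcommand (`firewall-cmd --list-all` shows the open ports and services of the active zone), as the bare command name does not list anything.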
diff --git a/src/user_guide/en-US/InstallingClients.xml b/src/user_guide/en-US/InstallingClients.xml index 1665a6cc5071e652bcb5d8008a23e34eb26db9e8..a57a6e921b6432a57d44e07f6c50ce3bc628b519 100644 --- a/src/user_guide/en-US/InstallingClients.xml +++ b/src/user_guide/en-US/InstallingClients.xml 
@@ -162,14 +162,13 @@ example.com = EXAMPLE.COM <section id="prereq-ports-clients"><title>System Ports</title> <para> - &IPA; uses a number of ports to communicate with its services. These ports, listed in <xref linkend="tab.ipa-ports-client" />, must be open and available for &IPA; to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try <command>iptables</command> to list the available ports or <command>nc</command>, <command>telnet</command>, or <command>nmap</command> to connect to a port or run a port scan. + &IPA; uses a number of ports to communicate with its services. These ports, listed in <xref linkend="tab.ipa-ports-client" />, must be open and available for &IPA; to work. They cannot be in use by another service or blocked by a firewall. To make sure that these ports are available, try <command>firewall-cmd</command> to list the available ports or <command>nc</command>, <command>telnet</command>, or <command>nmap</command> to connect to a port or run a port scan. </para> <para> - To open a port: + To open a port, refer to the <ulink url="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html" condition="redhat">Using Firewalls in the Security Guide</ulink><ulink url="http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security_Guide-Using_Firewalls.html" condition="fedora">Using Firewalls in the Security Guide</ulink>. </para> -<screen># iptables -A INPUT -p tcp --dport 389 -j ACCEPT</screen> <para> - The <command>iptables</command> man page has more information on opening and closing ports on a system. + The <command>firewall-cmd</command> man page also has more information on opening and closing ports on a system. </para> <table id="tab.ipa-ports-client"><title>&IPA; Ports</title> <tgroup cols="3"> 
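Review bot: The link text in this InstallingClients.xml hunk ("Using Firewalls in the Security Guide") differs from the text used for the same two URLs in Installing.xml ("Using Firewalls section in the Security Guide"); pick one wording for both files. As in Installing.xml, the removed `iptables -A INPUT -p tcp --dport 389 -j ACCEPT` example has no firewall-cmd counterpart, so consider adding a one-line `firewall-cmd --permanent --add-port=389/tcp` example here as well.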
diff --git a/src/user_guide/en-US/Trust.xml b/src/user_guide/en-US/Trust.xml index fa63952f387ca0336c8dccdc1d819e255127fb47..79c9382a9b2ba15abdd060f22707563d1a975558 100644 --- a/src/user_guide/en-US/Trust.xml +++ b/src/user_guide/en-US/Trust.xml @@ -727,9 +727,33 @@ uid=1921801107(jsm...@adexample.com) gid=1921801107(jsm...@adexample.com) groups </entry> <entry> UDP - </entry> - </row> - + </entry> + </row> + <row> + <entry> + Netbios + </entry> + <entry> + <simplelist> + <member>138</member> + <member>139</member> + </simplelist> + </entry> + <entry> + TCP + </entry> + </row> + <row> + <entry> + Microsoft Active Directory/SMB + </entry> + <entry> + 445 + </entry> + <entry> + TCP + </entry> + </row> </tbody> </tgroup> </table> 
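Review bot: The new table rows in this @@ -727 hunk list Netbios 138/139 and Microsoft Active Directory/SMB 445 as TCP only, while the iptables rules this patch removes further down opened 138, 139 and 445 for both TCP and UDP (`--dports ... 138,139,445` appears in both the `-p tcp` and the `-p udp` rule), so please double-check the protocol column against what the trust actually needs and add a UDP entry if those datagram ports are still required. The two `</entry>` / `</row>` lines immediately above the added rows are whitespace-only changes that make the hunk noisier than it needs to be; dropping them keeps the diff to the real additions.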
@@ -738,66 +762,40 @@ uid=1921801107(jsm...@adexample.com) gid=1921801107(jsm...@adexample.com) groups The &IPA; backend LDAP server <emphasis>must not be reachable</emphasis> by the &AD; domain controller. The associated ports — 389 and 636 — on the &IPA; server host must be shut down for the &AD; domain controller. </para> </important> - <formalpara><title>Starting iptables at Boot Time</title> + <formalpara><title>Starting Firewalld at Boot Time</title> <para> - Configure the <command>iptables</command> service to start when the system boots: + Configure the <command>firewalld</command> service to start when the system boots: </para> </formalpara> - <screen>[root@ipaserver ]# chkconfig iptables on</screen> - <formalpara><title>Setting iptables Configuration</title> + <screen>[root@ipaserver ]# systemctl enable firewalld</screen> + <formalpara><title>Setting Firewalld Configuration</title> <para> - The <command>iptables</command> configuration needs to allow access to the required &IPA; ports and reject access to the &IPA; LDAP ports. The order of the rules is important. &AD;-based requests to LDAP ports must be blocked first (based on the &AD; server IP address), then there must be connections allowed to all &IPA; TCP adn UDP ports. + The <command>firewalld</command> configuration needs to allow access to the required &IPA; ports and reject access to the &IPA; LDAP ports. &AD;-based requests to LDAP ports must be blocked first (based on the &AD; server IP address), then there must be connections allowed to all &IPA; TCP and UDP ports. </para> </formalpara> <orderedlist> <listitem> <para> - Open the <command>iptables</command> configuration file. + Add the rules to restrict access to LDAP ports for the &AD; host. 
</para> - <screen>[root@ipaserver ~]# vim /etc/sysconfig/iptables</screen> +<screen>[root@ipaserver ]# firewall-cmd --permanent --zone=<replaceable>zone_type</replaceable> --add-rich-rule='rule family="ipv4" source address="<replaceable>ad_ip_address</replaceable>" port port="389" protocol="tcp" reject' +[root@ipaserver ]# firewall-cmd --permanent --zone=<replaceable>zone_type</replaceable> --add-rich-rule='rule family="ipv4" source address="<replaceable>ad_ip_address</replaceable>" port port="636" protocol="tcp" reject'</screen> </listitem> <listitem> <para> - Add the rule to restrict access to LDAP ports for the &AD; host. + Make sure to allow access to the TCP and UDP ports required by &IPA; as defined in <xref linkend="trust-req-ports" />. </para> - <screen>-A INPUT -s <replaceable>ad_ip_address</replaceable> -p tcp -m multiport --dports 389,636 -m state --state NEW,ESTABLISHED -j REJECT</screen> - </listitem> - <listitem> <para> - Make sure that there lines to allow access to the TCP and UDP ports required by &IPA;. + To list open ports or to open a port, refer to the <ulink url="http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html" condition="redhat">Using Firewalls section in the Security Guide</ulink><ulink url="http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security_Guide-Using_Firewalls.html" condition="fedora">Using Firewalls section in the Security Guide</ulink>. </para> - <screen>-A INPUT -p tcp -m multiport --dports 80,443,389,636,88,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT - -A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT</screen> </listitem> <listitem> <para> - Save the file. 
+ Restart the <command>firewalld</command> service: </para> + <screen>[root@ipaserver ]# systemctl start firewalld</screen> </listitem> - <listitem> - <para> - Restart the <command>iptables</command> service: - </para> - <screen>[root@ipaserver ]# service iptables restart</screen> - </listitem> - </orderedlist> - <example><title>Example iptables Configuration File</title> -<screen>*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT --A INPUT -s <replaceable>ad_ip_address</replaceable> -p tcp -m multiport --dports 389,636 -m state --state NEW,ESTABLISHED -j REJECT --A INPUT -p tcp -m multiport --dports 80,443,389,636,88,464,53,138,139,445 -m state --state NEW,ESTABLISHED -j ACCEPT --A INPUT -p udp -m multiport --dports 88,464,53,123,138,139,389,445 -m state --state NEW,ESTABLISHED -j ACCEPT --A INPUT -p udp -j REJECT --A INPUT -p tcp -j REJECT --A FORWARD -j REJECT --reject-with icmp-host-prohibited -COMMIT</screen> -</example> + </orderedlist> </section> <section id="trust-req-time"><title>Clock Settings</title> <para> @@ -866,9 +864,9 @@ COMMIT</screen> </listitem> <listitem> <para> - Stop <command>iptables</command> and <command>ip6tables</command> on the &IPA; server. + Stop <command>firewalld</command> on the &IPA; server. </para> - <screen>[root@ipaserver ]# service iptables stop</screen> + <screen>[root@ipaserver ]# systemctl stop firewalld</screen> </listitem> <listitem> <para> 
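Review bot: In the @@ -738 hunk the final step is titled "Restart the <command>firewalld</command> service" but runs `systemctl start firewalld`, which is a no-op when the service is already running; since the two rich rules are added with `--permanent`, they do not reach the runtime configuration until a reload, so the step should use `firewall-cmd --reload` (or `systemctl restart firewalld`) and say so. The reject rules are also `family="ipv4"` only: if the &AD; domain controller can reach the &IPA; server over IPv6, ports 389 and 636 stay reachable from it, which contradicts the <important> block above stating the LDAP server must not be reachable, so either add matching `family="ipv6"` rules with the controller's IPv6 address or state the limitation. Finally, the removed "Example iptables Configuration File" has no firewalld counterpart; a short `firewall-cmd --list-all` listing showing the expected end state would give the reader the same check the old example provided.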
@@ -1191,9 +1189,9 @@ ldap_tls_cacert = /etc/ipa/ca.crt </listitem> <listitem> <para> - Restart the <command>iptables</command> and <command>ip6tables</command> services on the &IPA; server. + Restart the <command>firewalld</command> service on the &IPA; server. </para> - <screen>[root@ipaserver ]# service iptables start</screen> + <screen>[root@ipaserver ]# systemctl start firewalld</screen> </listitem> <listitem> <para> @@ -1213,9 +1211,9 @@ ldap_tls_cacert = /etc/ipa/ca.crt </listitem> <listitem> <para> - Stop <command>iptables</command> and <command>ip6tables</command> on the &IPA; server. + Stop <command>firewalld</command> on the &IPA; server. </para> - <screen>[root@ipaserver ]# service iptables stop</screen> + <screen>[root@ipaserver ]# systemctl stop firewalld</screen> </listitem> <listitem> <para> @@ -1544,9 +1542,9 @@ ldap_tls_cacert = /etc/ipa/ca.crt <listitem> <para> - Restart the <command>iptables</command> and <command>ip6tables</command> services on the &IPA; server. + Restart the <command>firewalld</command> service on the &IPA; server. </para> - <screen>[root@ipaserver ]# service iptables start</screen> + <screen>[root@ipaserver ]# systemctl start firewalld</screen> </listitem> <listitem> <para> -- 2.0.0
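Review bot: In the @@ -1191 and @@ -1544 hunks the step text still reads "Restart the <command>firewalld</command> service" while the command is `systemctl start firewalld`; because the earlier steps in each procedure (the @@ -866 and @@ -1213 hunks) stop the service, `start` is the correct command, so change the wording to "Start" rather than leaving a restart/start mismatch that the old `service iptables start` text also had.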
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel