> Not too long ago I noticed what I thought was a surprising change in
> the default firewall for systems I kickstart.
> Despite just having 'firewall --enabled' in my kickstart, I found
> this rule in RH-Firewall-1-INPUT:
> -A -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>
> Why the heck is ssh globally open when I didn't specify it in my
> kickstart?  I found that it was somewhat hard to modify the firewall
> in %post, so that now I dump a short script in /root that runs on
> the first boot and removes this (in favor of local rules).

I thought that if you run through the interactive install and enable the
firewall then SSH is enabled by default, so then it would hold to reason
that the kickstart would behave the same way.  I've always used this to my
advantage because that is my default behavior, but now that you mention it
I do think it's a bit odd that you can't disable it without disabling the
whole firewall.  I just skimmed through the pykickstart and anaconda code a
bit and do not see how it gets set to default allow ssh, so I'm unsure of a
better fix than yours.  You might just file a bug against anaconda.

> I did a little googling, and didn't see any reference to this, but I
> find it alarming.  Anybody else?

If they don't change anaconda/kickstart it probably wouldn't hurt if it was
actually documented properly since the doc specifically says "Reject
incoming connections that are not in response to outbound requests..."

-greg
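As an added example (not code from either poster), here is one way to script the first-boot fix described above in POSIX sh: rather than deleting anaconda's global ssh ACCEPT, it rewrites that exact line in /etc/sysconfig/iptables so it only matches a management subnet. The chain name and rule text are the ones quoted in the thread; the rule-file layout, the 10.0.0.0/8 CIDR and the `service iptables restart` reload are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: first-boot helper that replaces the
# anaconda default (ssh accepted from anywhere) with the same rule scoped
# to one management subnet. The chain name and rule text are as quoted in
# the thread; the rule-file layout and the CIDR are assumptions.

# Constructed sample in the layout of /etc/sysconfig/iptables.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# The exact line anaconda adds (as quoted in the thread).
GLOBAL_SSH='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT'
# restrict_ssh RULES CIDR: print RULES with every global ssh ACCEPT line
# rewritten to match only source CIDR; every other line passes through.
restrict_ssh() {
    scoped="-A RH-Firewall-1-INPUT -s $2 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
    printf '%s\n' "$1" | awk -v global="$GLOBAL_SSH" -v scoped="$scoped" \
        '$0 == global { print scoped; next } { print }'
}

# count_global_ssh RULES: how many unrestricted ssh ACCEPT lines remain.
count_global_ssh() {
    printf '%s\n' "$1" | awk -v global="$GLOBAL_SSH" \
        '$0 == global { n++ } END { print n + 0 }'
}

# count_scoped_ssh RULES CIDR: ssh ACCEPT lines restricted to source CIDR.
count_scoped_ssh() {
    printf '%s\n' "$1" | awk -v cidr="$2" \
        '/--dport 22 -j ACCEPT$/ && index($0, "-s " cidr " ") { n++ } END { print n + 0 }'
}

# apply_on_firstboot FILE CIDR: rewrite FILE in place (backup kept) and
# reload via the RHEL 5 init script; run once at first boot as root.
apply_on_firstboot() {
    rules=$(cat "$1") || return 1
    cp -p "$1" "$1.pre-firstboot" || return 1
    restrict_ssh "$rules" "$2" > "$1" || return 1
    service iptables restart
}
```

Dropping this in /root from %post and calling `apply_on_firstboot /etc/sysconfig/iptables 10.0.0.0/8` once at first boot leaves the rest of RH-Firewall-1-INPUT untouched, so the REJECT catch-all still closes everything else.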

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
