On Wed, Feb 11, 2009 at 7:24 AM, John Summerfield < [email protected]> wrote:
> David Parsley wrote:
>
>> Hi all,
>>
>> Not too long ago I noticed what I thought was a surprising change in the
>> default firewall for systems I kickstart.
>> Despite just having 'firewall --enabled' in my kickstart, I found this rule
>> in RH-Firewall-1-INPUT:
>> -A -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
>>
>> Why the heck is ssh globally open when I didn't specify it in my kickstart?
>> I found that it was somewhat hard to modify the firewall in %post, so that
>> now I dump a short script in /root that runs on the first boot and removes
>> this (in favor of local rules).
>>
>
> How are you installing? If you are using ssh at install time, having ssh
> open later seems reasonable.

Starting a VM remotely with a kickstart file and remote VNC display - no ssh in use.

> If interactive root logins are disabled (and I don't know whether they
> are), and you choose good passwords, then I don't think you have cause to
> panic.

Not panicked, just bothered - it's easy enough to specify I want ssh open in the kickstart file if I want it, but I don't think that it should be open by default. But yeah, I disable root login via ssh in any event.

> You can tune it more elegantly your way in %post. That's also a good time
> to install keys, if that's what you want.

Do you know a way to readily tune the firewall in %post? The only reliable way I've found is to drop a script in /root that gets called in /etc/rc.local on the first boot.

Regards,
David

--
David L. Parsley
Manager of Network Services, Bridgewater College
"If I have seen further, it is by standing on ye shoulders of giants" - Isaac Newton
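The thread describes removing the world-open tcp/22 ACCEPT rule from RH-Firewall-1-INPUT by hand on first boot. What follows is an added example, not code from either poster: a small POSIX sh helper that audits an iptables-save style config (on RHEL 5 that is /etc/sysconfig/iptables, the file the iptables init script loads at boot) for rules accepting NEW TCP connections on a given port, and writes a copy with that rule removed. The sample config embedded below is constructed for the example and is not a capture of what anaconda actually writes; the function names are my own.

```shell
#!/bin/sh
# Constructed sample in iptables-save format, modelled on the RH-Firewall-1-INPUT
# layout the thread discusses. NOT copied from a real RHEL 5 system.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Regex for "accept NEW tcp connections to port $1 from anywhere" in the
# RH chain. Rules carrying a -s restriction would still match; the thread's
# concern is the unrestricted default, so treat any such rule as a finding.
_rule_re() { printf '%s' "^-A RH-Firewall-1-INPUT .*--state NEW .*-p tcp .*--dport $1 -j ACCEPT\$"; }

# Audit: print matching rules from stdin; exit 0 if any, 1 if none (grep semantics).
accepts_new_tcp_port() {
    grep -E -- "$(_rule_re "$1")"
}

# Rewrite: copy stdin to stdout with the matching rule(s) removed, nothing else touched.
strip_new_tcp_port() {
    grep -v -E -- "$(_rule_re "$1")"
}

# Convenience: number of matching rules for port $1 in config text $2.
count_port_rules() {
    printf '%s\n' "$2" | accepts_new_tcp_port "$1" | wc -l | tr -d ' '
}

# In-place edit with a backup, which is what a first-boot script would do to
# /etc/sysconfig/iptables before reloading the firewall.
harden_file() {
    _file="$1"
    _port="$2"
    cp "$_file" "$_file.pre-harden"
    strip_new_tcp_port "$_port" < "$_file.pre-harden" > "$_file"
}

# Stand-alone run: report on the constructed sample and show the rewritten config.
if printf '%s\n' "$SAMPLE_RULES" | accepts_new_tcp_port 22 > /dev/null; then
    echo "sample config accepts NEW tcp/22 from anywhere; same config without that rule:"
    printf '%s\n' "$SAMPLE_RULES" | strip_new_tcp_port 22
fi
```

On a real host the first-boot script from the thread would call `harden_file /etc/sysconfig/iptables 22`, then `service iptables restart` to reload the saved rules, and confirm with `iptables -L RH-Firewall-1-INPUT -n` that no unrestricted `dpt:22` ACCEPT line remains. Keeping the `.pre-harden` copy matters: if the script ever runs against a file that does not look like the expected layout, the original rule set can be restored rather than leaving the host with a half-edited firewall. The audit function is also usable on its own against a fleet, feeding each host's saved config through `accepts_new_tcp_port 22` to find machines where the kickstart default left ssh globally open.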
_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
