Bug 118667 - Saying no to firewall is ignored.
Summary: Saying no to firewall is ignored.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 2
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks: FC2Blocker
Reported: 2004-03-18 18:48 UTC by Dave Jones
Modified: 2015-01-04 22:05 UTC

Fixed In Version: 1.3.8-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-08 16:26:41 UTC
Type: ---
Embargoed:


Attachments
/etc/sysconfig/iptables from 'firewall --disabled' kickstart install (deleted)
2004-03-19 20:36 UTC, Mike McLean
anaconds-ks.cfg (deleted)
2004-03-24 20:59 UTC, Ben Levenson

Description Dave Jones 2004-03-18 18:48:41 UTC
Even though I chose not to install a firewall, and told it to proceed
anyway without one, something decided I needed one anyway, so I
couldn't ssh into the box after installation unless I had done a
service iptables stop

Version-Release number of selected component (if applicable):


How reproducible:
This has happened before, though I thought it had gotten fixed already.

Comment 1 Jeremy Katz 2004-03-18 19:28:33 UTC
I haven't seen this and I usually disable the firewall on my installs
:)  What sort of install did you do?  I need steps to be able to
reproduce.

Comment 2 Dave Jones 2004-03-19 11:38:55 UTC
I booted yesterday's boot.iso for amd64, and did an nfs install.

Can't really think of any steps to follow other than 'say no to firewall'.


Comment 3 Mike McLean 2004-03-19 20:17:04 UTC
Also observed in kickstart installs with 'firewall --disabled'.

Comment 4 Mike McLean 2004-03-19 20:19:19 UTC
FWIW, the behavior seems to depend on which packages are installed. 
In particular, minimal installs do not have the unwanted firewall
rules in place and everything installs do.  

Maybe a package is doing this in %post?

Comment 5 Mike McLean 2004-03-19 20:36:37 UTC
Created attachment 98694
/etc/sysconfig/iptables from 'firewall --disabled' kickstart install

I can't find anything in any package scripts that would do this.  Attaching the
offending iptables config.

Comment 6 Mike McLean 2004-03-19 20:44:26 UTC
running /usr/bin/system-config-securitylevel-tui -qn --disabled gets
me the exact same /etc/sysconfig/iptables contents.  Reassigning bug.

Comment 7 Mike McLean 2004-03-19 21:39:05 UTC
Brent, even with selinux in nonenforcing mode, running
'/usr/bin/system-config-securitylevel-tui -qn --disabled' yields the
same (nondisabled) firewall config.

Comment 8 Brent Fox 2004-03-19 22:17:12 UTC
Looks like lokkit is ignoring the commandline options and is using
what's in the config file.  I think notting is looking at it.

Comment 9 Bill Nottingham 2004-03-19 22:34:47 UTC
Fixed in 1.3.7-1.

Comment 10 Ben Levenson 2004-03-24 20:44:15 UTC
I just installed from the latest tree. s-c-securitylevel-1.3.7-1 and
anaconda-9.91-6 are in the tree. I disabled the firewall during install
but I'm still firewalled out of the box.

Comment 11 Bill Nottingham 2004-03-24 20:45:39 UTC
What's your anaconda-ks.cfg look like?

Comment 12 Ben Levenson 2004-03-24 20:59:35 UTC
Created attachment 98837
anaconds-ks.cfg

Comment 14 Bill Nottingham 2004-03-24 21:24:46 UTC
Fixed in 1.3.8-1.

Comment 15 Mike McLean 2004-03-24 21:35:26 UTC
The command I gave above, '/usr/bin/system-config-securitylevel-tui
-qn --disabled', is working correctly in the installed system.  As is
'/usr/sbin/lokkit --quiet --nostart --disabled', which is the
invocation that anaconda uses.

Both these statements apply to version 1.3.7-1.

Comment 16 Mike McLean 2004-03-25 19:51:47 UTC
Still seeing in -re0324.1
* system-config-securitylevel-tui-1.3.8-1.i386
* anaconda-9.91-6.i386

See above comment.  This could be anaconda.

Comment 18 Bill Nottingham 2004-04-07 20:54:52 UTC
Does this work better in post-test2 trees?

Comment 19 Dave Jones 2004-04-08 11:32:59 UTC
I'll try an install from today's tree later today.


Comment 20 Dave Jones 2004-04-08 16:23:22 UTC
Looks fixed to me.
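
A post-install check for the symptom reported in this bug, added here as an example (not code from the bug report, anaconda or system-config-securitylevel): it compares `firewall --disabled` in a kickstart file with the rules present in an iptables-save style file. The function names are hypothetical, and the sample rules, including the chain name, are constructed because the original attachments are deleted.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample data below is constructed.

# True if the kickstart file has a 'firewall' command carrying --disabled.
ks_firewall_disabled() {
    grep -E '^[[:space:]]*firewall[[:space:]]' "$1" |
        grep -Eq -- '(^|[[:space:]])--disabled([[:space:]]|$)'
}

# Print how many lines of an iptables-save style file actually filter traffic:
# built-in chains with a non-ACCEPT policy, plus rules that REJECT or DROP.
count_filtering_lines() {
    awk '
        /^[[:space:]]*#/ { next }                    # skip comments
        /^:/ && $2 != "ACCEPT" && $2 != "-" { n++ }  # restrictive chain policy
        /^-A / && /-j (REJECT|DROP)/ { n++ }         # blocking rule
        END { print n + 0 }
    ' "$1"
}

# 0 = consistent, 1 = kickstart says disabled but rules still filter,
# 2 = kickstart file unreadable.
check_firewall_intent() {
    ks=$1; rules=$2
    [ -r "$ks" ] || return 2
    ks_firewall_disabled "$ks" || return 0   # firewall not disabled: nothing to compare
    [ -e "$rules" ] || return 0              # no rules file present
    [ "$(count_filtering_lines "$rules")" -eq 0 ] && return 0
    return 1
}

# Constructed inputs reproducing the reported mismatch.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'install' 'firewall --disabled' > "$d/anaconda-ks.cfg"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':RH-Firewall-1-INPUT - [0:0]' \
        '-A INPUT -j RH-Firewall-1-INPUT' \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT' > "$d/iptables"
    check_firewall_intent "$d/anaconda-ks.cfg" "$d/iptables"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "mismatch: kickstart disabled the firewall but filtering rules exist"
```

On an installed system the two arguments would be the saved kickstart file and `/etc/sysconfig/iptables`.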


