12-30-2007, 11:37 PM
Douglas McClendon

gripe/question: /etc/sysconfig/system-config-firewall???

Anybody care to explain to me the logic of the file

/etc/sysconfig/system-config-firewall

which makes my kickstart and/or lokkit invocations not be respected?

I.e. port 22 remains open even if I do

lokkit --enabled

(or just firewall --enabled in kickstart)

It seems like if anything lokkit should be writing this file, not
reading one installed by an rpm. But maybe I just need a clue. ???


-dmc

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
12-31-2007, 12:10 AM
Douglas McClendon

gripe/question: /etc/sysconfig/system-config-firewall???

Douglas McClendon wrote:

> Anybody care to explain to me the logic of the file
>
> /etc/sysconfig/system-config-firewall
>
> which makes my kickstart and/or lokkit invocations not be respected?
>
> I.e. port 22 remains open even if I do
>
> lokkit --enabled
>
> (or just firewall --enabled in kickstart)
>
> It seems like if anything lokkit should be writing this file, not
> reading one installed by an rpm. But maybe I just need a clue. ???


Bahh, I still need a clue, but I'm suspecting now that something did
write to that file and it doesn't have 22 in it as installed. But
having seen but not read the thread here about packages opening up ports
in the firewall rules, I did do rpm -q --scripts openssh-server and
didn't see IT doing anything that would write to that file. clue
please...???


Basic issue: I do a kickstart install with

firewall --enabled

NOT

firewall --enabled --port=22:tcp

and I still see port 22 open, and the only clue I've found is that if I
delete the contents of /etc/sysconfig/system-config-firewall, then I can
actually get 22 closed via 'lokkit --enabled' which seems to be the
appropriate way. (though it seems like it should work without having to
muck with the sysconfig file)


-dmc

 
12-31-2007, 01:27 PM
Jeroen van Meeuwen

gripe/question: /etc/sysconfig/system-config-firewall???

Douglas McClendon wrote:

> Douglas McClendon wrote:
>
>> Anybody care to explain to me the logic of the file
>>
>> /etc/sysconfig/system-config-firewall
>>
>> which makes my kickstart and/or lokkit invocations not be respected?
>>
>> I.e. port 22 remains open even if I do
>>
>> lokkit --enabled
>>
>> (or just firewall --enabled in kickstart)
>>
>> It seems like if anything lokkit should be writing this file, not
>> reading one installed by an rpm. But maybe I just need a clue. ???
>
> Bahh, I still need a clue, but I'm suspecting now that something did
> write to that file and it doesn't have 22 in it as installed. But
> having seen but not read the thread here about packages opening up ports
> in the firewall rules, I did do rpm -q --scripts openssh-server and
> didn't see IT doing anything that would write to that file. clue
> please...???
>
> Basic issue: I do a kickstart install with
>
> firewall --enabled
>
> NOT
>
> firewall --enabled --port=22:tcp
>
> and I still see port 22 open, and the only clue I've found is that if I
> delete the contents of /etc/sysconfig/system-config-firewall, then I can
> actually get 22 closed via 'lokkit --enabled' which seems to be the
> appropriate way. (though it seems like it should work without having to
> muck with the sysconfig file)




I'm not sure how /etc/sysconfig/system-config-firewall is /actually/
related to iptables (or -the service- /etc/sysconfig/iptables if you
will), other than providing a set of defaults for the s-c-f application
itself (firstboot uses it too maybe?).


I agree with you though firewall --enabled should lock down the box, and
not have a sneaky --port=22:tcp, but I don't know how (other than %post)
and I don't know if it's related to /etc/sysconfig/s-c-f


Just my $0.02

Kind regards,

Jeroen van Meeuwen
-kanarip


 
01-10-2008, 09:00 AM
Thomas Woerner

gripe/question: /etc/sysconfig/system-config-firewall???

Douglas McClendon wrote:

> Anybody care to explain to me the logic of the file
>
> /etc/sysconfig/system-config-firewall
>
> which makes my kickstart and/or lokkit invocations not be respected?
>
> I.e. port 22 remains open even if I do
>
> lokkit --enabled
>
> (or just firewall --enabled in kickstart)
>
> It seems like if anything lokkit should be writing this file, not
> reading one installed by an rpm. But maybe I just need a clue. ???
>
> -dmc

If you want to generate a new firewall configuration, you should use the
'-f' option. lokkit is modifying the actual settings as long as this
option is not given. Please have a look at the output of 'lokkit --help'.


/etc/sysconfig/system-config-firewall is the config file generated by
system-config-firewall, which replaces system-config-securitylevel since
F-8.


Thomas
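
A check for the symptom reported in this thread (port 22 still accepted after `firewall --enabled`), as an added example that is not from any poster or from the lokkit/system-config-firewall code. It assumes the saved rules in /etc/sysconfig/iptables are in iptables-save format; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an iptables-save style rules file for TCP ports
# that ACCEPT rules open beyond an explicit allow-list.

# Write a constructed sample rules file (not taken from a real host) to $1.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Print each TCP destination port (or lo:hi range) opened by an ACCEPT rule
# in file $1. Handles --dport and comma-separated multiport --dports.
open_tcp_ports() {
    awk '
        /^-A / && /-j ACCEPT/ && /-p tcp/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), p, ",")
                    for (j = 1; j <= n; j++) print p[j]
                }
        }' "$1" | sort -u
}

# Print opened ports in file $1 that are not in the space-separated
# allow-list $2. Returns 0 if nothing unexpected is open, 1 otherwise.
unexpected_tcp_ports() {
    rc=0
    for port in $(open_tcp_ports "$1"); do
        case " $2 " in
            *" $port "*) ;;
            *) echo "$port"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run against /etc/sysconfig/iptables with an empty allow-list after `lokkit --enabled`, it prints 22 and returns non-zero on a system showing the behaviour described above.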


From: José Luis Rivero (yoswink) <yoswink@gentoo.org>
Date: Thu, 10 Jan 2008 11:01:20 +0100
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Projects and subproject status

Hi *:

Speaking for Gentoo/Alpha Arch Team (ferdy is the lead but I used to be
the status report guy):

Luca Barbato wrote:

> Are we fine?

I would say: yes.

Reasons:
- General keywording is just fine.
- Security bugs are done in a reasonable period of time.
- We have a new and shiny developer machine.
- Kernel and toolchain are nearly up to date
  (some bugs in latest versions, as usual).
- Arch Testing program has worked quite well.

> What are we going to do:

- First of all, keep things working (this could sound easy but being
  an alpha port ... you never know).
- New developer (Tobias) is ready to join the forces. (bug #196948)
- First tests to bring java via gcj are done.
  (http://www.nabble.com/Java-gcj-in-Gentoo-Alpha-to12131495.html)
- Look to create a binpkg repo.
- Continue the arch testing program and try to recruit fresh blood.

Alpha Arch Team provides 'regular' status report so historical info
about the port status can be found in our subproject page:
http://www.gentoo.org/proj/en/base/alpha/status/index.xml

That's all from the alpha world.
Enjoy.

--
Jose Luis Rivero <yoswink@gentoo.org>
Gentoo/Doc Gentoo/Alpha
--
gentoo-dev@lists.gentoo.org mailing list
 
