commit ba05c3ed084541dfbd0e2efc80ba4817df55c8f2
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Mon Nov 18 12:15:19 2013 -0500
by popular demand, disable the iptables firewall entirely.
(cherry picked from commit fe5b6843ac682b85726bd9da4af5fe9f00d7e074)
fedora-cloud-base.ks | 32 ++------------------------------
1 files changed, 2 insertions(+), 30 deletions(-)
---
diff --git a/fedora-cloud-base.ks b/fedora-cloud-base.ks
index 15e6b70..21b6473 100644
--- a/fedora-cloud-base.ks
+++ b/fedora-cloud-base.ks
@@ -19,14 +19,12 @@ auth --useshadow --enablemd5
selinux --enforcing
rootpw --lock --iscrypted locked
-# this is actually not used, but a static firewall
-# matching these rules is generated below.
-firewall --service=ssh
+firewall --disabled
bootloader --timeout=1 --append="console=ttyS0,115200n8 console=tty0" extlinux
network --bootproto=dhcp --device=eth0 --onboot=on
-services
--enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final
+services
--enabled=network,sshd,rsyslog,cloud-init,cloud-init-local,cloud-config,cloud-final
zerombr
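Review bot: `firewall --disabled` on the new side, together with the `yum -C -y remove firewalld` step that stays in %post (the third hunk), leaves the image with no host packet filter at all, and after this commit the kickstart no longer states that anywhere — the deleted "If you're going to rely on your cloud service's security groups" comment in %packages was the only place that explained the intended substitute. Since sshd remains in the new `services --enabled=` list, it and anything a user starts later are reachable on whatever the provider's network filtering allows, so the expectation should be written down next to the directive, e.g. `# No host firewall: this image relies on the cloud provider's security groups.` followed by `# Install and enable iptables-services or firewalld if you need one.` The `services` directive appears split across two lines here, which looks like mail wrapping of a single kickstart line rather than a change in the file; worth confirming against the committed file.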
@@ -63,10 +61,6 @@ syslinux-extlinux
# Needed initially, but removed below.
firewalld
-# Basic firewall. If you're going to rely on your cloud service's
-# security groups you can remove this.
-iptables-services
-
# cherry-pick a few things from @standard
tar
rsync
@@ -135,28 +129,6 @@ yum -C -y remove linux-firmware
echo "Removing firewalld."
yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1"
-# Non-firewalld-firewall
-echo -n "Writing static firewall"
-cat <<EOF > /etc/sysconfig/iptables
-# Simple static firewall loaded by iptables.service. Replace
-# this with your own custom rules, run lokkit, or switch to
-# shorewall or firewalld as your needs dictate.
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
-EOF
-echo .
-
# Another one needed at install time but not after that, and it pulls
# in some unneeded deps (like, newt and slang)
echo "Removing authconfig."
On Mon, Dec 09, 2013 at 19:56:28 +0000,
Matthew Miller <mattdm(a)fedoraproject.org> wrote:
commit ba05c3ed084541dfbd0e2efc80ba4817df55c8f2
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Mon Nov 18 12:15:19 2013 -0500
by popular demand, disable the iptables firewall entirely.
Was there an FE or blocker bug for this stuff? If not it should have
waited until after we built the F20 gold image. (Don't revert now, since
that won't really undo the change. We'll either do a new spin-kickstarts
build or rel-eng will pull from a previous commit.)