
I maintain some scripts to set up servers and I have noticed, setting up new machines from 1503 to 1511, that with my particular kickstart configuration the firewall behavior is quite different. Note: my ks.cfg has had NO firewall statement until now.

In 1503 iptables didn't exist and we had to use firewalld to configure the firewall. The firewall had to be explicitly updated to open certain ports.

On 1511 firewalld is nowhere to be found but iptables does work. It by default allows the ports. For example, I do not need to open port 80 or 9000.

I currently use these servers for development purposes, so not having to manually open my ports for my web apps is less work for me, but clearly this is a big difference in default behavior from a security standpoint.

Is this something that is actually real that I have found here, or is this impossible and thus a consequence of some configuration misstep on my part? I have found no reference to firewalls in the 1511 release notes.

Steven Lu
  • I get firewalld on a minimal installation. So I think your premise is wrong: You more likely have a problem with your kickstart. – Michael Hampton Feb 02 '16 at 02:27
  • I will try it again soon and specify the firewall in the kickstart and see what happens. – Steven Lu Feb 02 '16 at 02:28
  • 1
    From my testing, firewalld is installing on a minimal installation when I install from the 'Everything' ISO. It is NOT installed when installed using the 'Minimal' ISO. A quick test install of each had these packages that were missing from the pure 'minimal' ISO install: ebtables, firewalld, iwl7265-firmware, jansson, libselinux-python, libsysfs, libteam, NetworkManager-team, python-slip, python-slip-dbus, rdma, and teamd. On the pure minimal ISO install, it has NetworkManager-wifi installed while the Everything minimal does not. Run yum install firewalld or add to kickstart. –  Feb 02 '16 at 03:02
  • @yoonix this is interesting. Well maybe something just changed from 1503 -> 1511? I have been using the minimal ISO for both. – Steven Lu Feb 02 '16 at 03:03
  • Yep, firewalld gets installed fine using the 1503 minimal (just verified). Sounds like someone done goofed making the 1511 minimal ISO. –  Feb 02 '16 at 03:12
  • I wonder if it's just some configuration file list that has changed and is now missing it, or maybe someone had it taken out because they prefer it better the old way or something – Steven Lu Feb 02 '16 at 03:36
  • Using NetInstall + kickstart and --nobase --nocore with @core --nodefaults I still have to explicitly exclude firewalld or it gets installed. I have not tested installing from the Minimal ISO however. – Aaron Feb 02 '16 at 04:30
  • I made a note and will re-attempt a minimal install with the --firewall flag and see what it does – Steven Lu Feb 02 '16 at 04:31
  • I got around to running a new build with 1511 with the --firewall flag in my ks.cfg. firewalld does get installed. Now I will use the same environment to try again, but without that flag. This should verify that as long as I include the --firewall flag that I can rely on firewalld to show up... – Steven Lu Feb 04 '16 at 20:55
  • Sorry, the flag is firewall --enabled, not --firewall, my bad – Steven Lu Feb 04 '16 at 20:58
  • @yoonix The CentOS "minimal ISO" has a fixed and somewhat different package set than the "minimal installation". This was also true in C6. If you're expecting to be able to use a kickstart or to choose particular packages to install, you should not use the minimal ISO. – Michael Hampton Feb 04 '16 at 21:35
  • That doesn't explain firewalld vanishing from a minimal ISO between 1503 and 1511. The minimal ISO was used in both tests. If I'm using kickstart, I'm booting off the network. ;) –  Feb 06 '16 at 05:45
  • @MichaelHampton That sounds... not right. I can easily adjust my required packages for the kickstart to limit to items found only on the minimal ISO, and once the install boots, it's dead in the water (as far as I'm concerned for self update and orchestration purposes) without internet and it can get itself up to speed with no problems. Note that when firewall --enabled is specified, firewalld finds itself to be installed. The only curious bit is why without that flag specified it's nowhere to be seen... At any rate, no biggie so far since the firewall flag fixes it. – Steven Lu Feb 06 '16 at 09:13

1 Answer


I have just confirmed that (apparently) starting in the CentOS 7.2 1511 build, you must specify firewall --enabled inside the kickstart config -- if you do not, firewalld may not get installed:

[root@equuleus1 ~]# firewall-cmd
-bash: firewall-cmd: command not found

Note also that since I am only testing with the minimal ISO install, this behavior may very well be limited to that one.

Steven Lu
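A pre-build check that follows from the answer above, written here as an added example and not code from the question or the answer: it lints a kickstart file for the firewall --enabled directive and for firewalld in %packages, so a host is not built with no firewall by accident. The sample kickstart it writes is constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example: lint a kickstart file before using it to build a host.
# Writes a constructed sample kickstart to stdout (not a real ks.cfg).
ks_sample() {
  cat <<'EOF'
install
text
firewall --enabled --service=ssh --port=80:tcp
%packages
@core
firewalld
%end
EOF
}

# Return 0 when the kickstart explicitly enables the firewall.
ks_firewall_enabled() {
  grep -Eq '^[[:space:]]*firewall[[:space:]]+.*--enabled' "$1"
}

# Return 0 when firewalld is listed by name in the %packages section.
ks_installs_firewalld() {
  awk '/^%packages/ {in_pkg=1; next}
       /^%end/      {in_pkg=0}
       in_pkg && $1 == "firewalld" {found=1}
       END {exit !found}' "$1"
}

# List the ports/services the firewall line opens, for review.
ks_firewall_openings() {
  grep -E '^[[:space:]]*firewall[[:space:]]' "$1" | grep -oE -e '--(port|service)=[^ ]+'
}

# Run all checks; return non-zero if any fails, with a warning per failure.
ks_lint() {
  f="$1"; rc=0
  ks_firewall_enabled "$f" || {
    echo "WARN: no 'firewall --enabled' in $f; firewalld may be absent after install" >&2; rc=1; }
  ks_installs_firewalld "$f" || {
    echo "WARN: firewalld not listed in %packages of $f" >&2; rc=1; }
  return $rc
}
```

Run ks_lint against the real ks.cfg in the build pipeline and fail the build on a non-zero exit; ks_firewall_openings prints what the directive opens so the port list can be reviewed alongside it.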