[Freeipa-devel] Ipa-server-install Firewall Support

Rob Crittenden rcritten at redhat.com
Mon Apr 7 13:00:59 UTC 2014


Simo Sorce wrote:
> On Fri, 2014-04-04 at 09:59 +0200, Petr Spacek wrote:
>> On 4.4.2014 09:17, Martin Kosek wrote:
>>> On 04/04/2014 09:04 AM, Justin Brown wrote:
>>>>> I would actually do it the opposite way and open the ports after the FreeIPA server is fully configured. After all, I do not think we want to open the ports when the server is just half-configured and for example some ACIs are missing.
>>>>
>>>> My thinking was that nothing would be listening on these ports if the
>>>> install doesn't succeed, but there's really necessity to modify the
>>>> firewall configuration early. (All of the internal install
>>>> communication will be over a local interface (to netfilter) and
>>>> unblock anyways. I don't have any problem in delaying firewall
>>>> configuration to the end of install.
>>>
>>> If ipa-server-install does succeed without configuring the firewalld, then we
>>> will indeed have no other option than to do it early.
>>>
>>> I am thinking that we may want to put all the firewalld configuration in
>>> ipaserver/install/firewalldinstance.py,
>>> and then make the firewalld configuration the actual step of the installation.
>>> Something like:
>>>
>>> ...
>>> Configuring Firewall (firewalld)
>>>     [1/2]: looking up the right zone
>>>     [2/2]: allowing ports
>>> Done configuring Firewall (firewalld).
>>> ...
>>>
>>> The Service class derived object can be really simple, we would just reuse the
>>> functionality it already has + let us properly hook into it in
>>> ipa-{server,replica}-install and the uninstallation.
>>>
>>> It would also make it easier to split this functionality to
>>> freeipa-server-firewalld if we chose to in the future.
>>
>> In general I agree with the idea, thank you Justin for working on that!
>>
>> I would like to emphasize the necessity to work without NetworkManager and
>> FirewallD. New dependencies make Debian folks unhappy ...
>>
>> On the other hand, it is perfectly fine to skip firewall configuration if
>> NM/FirewallD/DBus is not available.
>>
>> Have a nice day!
>
> Should be easy, probe for the dbus firewalld service and just skip (not
> error out) if it is not there.
> Set a variable in that case that will cause the installer to throw the
> classic banner we have now which warns you about what ports need to be
> opened at the end of the install.

Probably just need to spit out a large, preferably flashing warning that 
the firewall has not been automatically configured. Perhaps even 
multiple times: one in-line and one at the install summary at the end.

rob
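As an added example (not FreeIPA's code, and it does not reuse the real Service base class), here is a Python sketch of the step-plus-banner flow discussed in this thread: probe for firewalld, skip without erroring out when it is absent, otherwise look up the zone and open the ports as two sub-steps, and emit the classic warning only when the step was skipped. It probes via the firewall-cmd CLI rather than D-Bus; the port list and the injected run/which parameters are assumptions.

```python
import shutil
import subprocess
# Ports a FreeIPA server exposes (assumption: the usual set; check your release's docs).
IPA_PORTS = (("tcp", 80), ("tcp", 443), ("tcp", 389), ("tcp", 636),
             ("tcp", 88), ("udp", 88), ("tcp", 464), ("udp", 464), ("udp", 123))

class FirewalldInstance:
    """Installer step: open the IPA ports with firewall-cmd, or skip cleanly.
    run/which are injected (hypothetical, not FreeIPA's Service API) for offline use."""
    def __init__(self, run=subprocess.run, which=shutil.which):
        self._run, self._which = run, which
        self.configured = False
        self.zone = None
    def _cmd(self, *args):
        return self._run(["firewall-cmd", *args], capture_output=True, text=True)
    def firewalld_available(self):
        # Probe first: a missing daemon means skip, not error out.
        if self._which("firewall-cmd") is None:
            return False
        state = self._cmd("--state")
        return state.returncode == 0 and state.stdout.strip() == "running"
    def lookup_zone(self):
        # [1/2]: looking up the right zone (the default zone here)
        out = self._cmd("--get-default-zone")
        if out.returncode != 0 or not out.stdout.strip():
            raise RuntimeError("firewalld reported no default zone")
        self.zone = out.stdout.strip()
    def allow_ports(self):
        # [2/2]: allowing ports, in the runtime config and permanently
        for proto, port in IPA_PORTS:
            for extra in ((), ("--permanent",)):
                res = self._cmd(f"--zone={self.zone}", *extra, "--add-port", f"{port}/{proto}")
                if res.returncode != 0:
                    raise RuntimeError(f"cannot open {port}/{proto}: {res.stderr.strip()}")
    def create_instance(self):
        # Returns False when skipped, so the caller knows to show the banner.
        if not self.firewalld_available():
            return False
        self.lookup_zone()
        self.allow_ports()
        self.configured = True
        return True

def firewall_banner(step):
    """The classic end-of-install warning, only when the step was skipped."""
    if step.configured:
        return None
    ports = ", ".join(f"{p}/{proto}" for proto, p in IPA_PORTS)
    return ("WARNING: the firewall was NOT configured automatically. "
            f"Open these ports for FreeIPA to work: {ports}")
```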
