LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Red Hat (http://www.linuxquestions.org/questions/red-hat-31/)
-   -   RHEL7 firewalld. (http://www.linuxquestions.org/questions/red-hat-31/rhel7-firewalld-4175508117/)

dpu 06-15-2014 05:54 PM

RHEL7 firewalld.
 
I'm playing with the RHEL7 RC (I know the RHEL7 GA is there, but CentOS 7 is not) and I'm coming across some problems with firewalld.
I wanted to install the HAProxy package and set up the firewall configuration.
But there is no HAProxy/firewalld configuration, I had to create it myself!
In addition, I discovered that all the firewalld service configurations are in the firewalld package (they are stored in /usr/lib/firewalld/services) and not in each package: the HAProxy package should contain its own firewalld configuration but this is not the case!
Finally, there seems to be no SELinux contexts associated with these firewalld service configurations.
I have no idea how this behaves in case of SELinux relabel!
This is pretty strange!
Has anybody got some clue about this?

John VV 06-15-2014 05:58 PM

well rhel7 is so new that packages are not yet built

build from source and use rpmbuild to make a rpm

Quote:

Finally, there seems to be no SELinux contexts associated with these firewalld service configurations.
then as NORMAL
use "audit2allow" to make a rule

dpu 06-15-2014 06:04 PM

It's not only a practical problem, things don't seem to be correctly organized.

John VV 06-15-2014 07:08 PM

well it is a "release candidate" ( rc ) after all

Quote:

things don't seem to be correctly organized.
as in ....
how is it " not organized " ?

jensd 06-19-2014 05:48 AM

Maybe not what you're looking for but you can easily go back to iptables as follows:

yum install iptables-services

systemctl mask firewalld
systemctl enable iptables
systemctl enable ip6tables

systemctl stop firewalld
systemctl start iptables
systemctl start ip6tables

TB0ne 06-23-2014 10:12 AM

Quote:

Originally Posted by dpu (Post 5188586)
I'm playing with the RHEL7 RC (I know the RHEL7 GA is there, but CentOS 7 is not) and I'm coming across some problems with firewalld.
I wanted to install the HAProxy package and set up the firewall configuration. But there is no HAProxy/firewalld configuration, I had to create it myself!

Right...including a base configuration would tell everyone who had RHEL7 what is done for everyone else, and expose vulnerabilities. By making you create a configuration, the system winds up being more secure.
Quote:

In addition, I discovered that all the firewalld service configurations are in the firewalld package (they are stored in /usr/lib/firewalld/services) and not in each package: the HAProxy package should contain its own firewalld configuration but this is not the case! Finally, there seems to be no SELinux contexts associated with these firewalld service configurations. I have no idea how this behaves in case of SELinux relabel! This is pretty strange!
Has anybody got some clue about this?
Yes, Red Hat does. Did you check their knowledgebase?
http://rhelblog.redhat.com/2014/01/2...ment/#more-150
https://access.redhat.com/site/sites...,d.cWc&cad=rja
https://access.redhat.com/site/node/...y_Threats.html

Since you're using RHEL, you're also paying for support; have you contacted them with your questions, or read the release notes on RHEL7? As JohnVV said, it's only a release candidate, but given what they did (and why), it's a good thing. Should make things better, I think, except for people who just want to get a 'certification', since they sample test/questions won't match for a good while.


All times are GMT -5. The time now is 04:21 PM.