Bug 17288 - Installer Summary --> services does not show shorewalls, security shows firewall disabled by default (also live mode of live isos)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Installer
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on: 18509
Blocks:
Reported: 2015-12-04 15:48 CET by Dick Gevers
Modified: 2016-06-22 13:23 CEST

See Also:
Source RPM: drakx-installer-stage2, drakx-net
CVE:
Status comment:


Attachments
report.bug.xz (231.67 KB, application/octet-stream)
2016-03-09 19:47 CET, Dick Gevers

Description Dick Gevers 2015-12-04 15:48:16 CET
Description of problem:

Install from classical iso dated 29/11 and proceed to Summary screens.

* The services section does not show the shorewall(6) services

* The security part shows that the firewall is disabled by default.

* Even after changing it to "enabled" it keeps showing "disabled" on return to the summary.

AND

* After reboot the shorewall is running but:
systemctl status shorewall6.service shows it failed to start, "restart" does not work either 

On the other hand this is not surprising because /etc/shorewall6/zones is missing a line like  
quote
net   ipv6
unquote
which I do have in my running Cauldron
(Note: other files not inspected).



[ I do not know if this is supposed to be one bug or more, if more lemme know and tell what else is needed ]

Reproducible: 

Steps to Reproduce:

Dick Gevers 2015-12-04 15:48:27 CET

Whiteboard: (none) => 6dev1

Comment 1 Samuel Verschelde 2016-02-23 14:52:43 CET
Hi, sorry for having overlooked this bug report. Do you still reproduce this bug with the latest ISO? If so, please attach the /root/drakx/report.bug.xz file produced by the installer after the installation is complete.

Keywords: (none) => NEEDINFO

Comment 2 Dick Gevers 2016-02-23 15:18:21 CET
I will look for it with the next pre-release iso and report here

Comment 3 Dick Gevers 2016-03-09 17:25:50 CET
Yes, iso of 07/03 there is no shorewall(6) in the Summary -> Services.

I will attach report.bug.xz later today.

Keywords: NEEDINFO => 6dev1
Source RPM: classical iso dated 29/11 => classical iso dated 07/03
Whiteboard: 6dev1 => (none)

Comment 4 Dick Gevers 2016-03-09 19:46:25 CET
When accessing summary it proves also that the firewall is disabled by default, which is undesirable as it is a security risk.

When going into Summary --> Firewall it can be configured under "Advanced" so I did. I take it this concerns the shorewalls, although that name is never shown.

I enabled them for eth0 and wlan0.

But after reboot shorewall runs and systemctl status shows shorewall6.service failed!

Moreover, when leaving the summary --> firewall section and going back to summary the summary still shows firewall as "disabled" !

I am attaching report.bug.xz

Comment 5 Dick Gevers 2016-03-09 19:47:32 CET
Created attachment 7536
report.bug.xz

Comment 6 Dick Gevers 2016-03-09 20:09:54 CET
Looking into the files "zones" under /etc/shorewall and /etc/shorewall6 explains the difference:

shorewall (4) ends with the lines
net          ipv4
fw           firewall

and is working okay

Whereas the shorewall6 file ends with the line *only*
fw           firewall

i.e. the line
net          ipv6

is missing and so this is why shorewall6 fails to run.

Comment 7 Dick Gevers 2016-03-12 12:21:37 CET
Another part of the bug:

/etc/shorewall6/policy is virginal:
The last lines are missing which should read for example
fw     net    ACCEPT
net    all    DROP     info
all    all    REJECT   info

same as in /etc/shorewall/policy
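
A check for the two gaps described in comments 6 and 7, added here as an example (it is not part of the bug report and is not Mageia or Shorewall code): it reads a shorewall6 configuration directory and reports a missing ipv6 zone, an empty policy file, and policy entries that name undeclared zones. The function names and the simplified zone matching (plain zone names, `all`, `$FW`) are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: audit a shorewall6 config directory for the gaps in this report.

# Print the active (non-comment, non-blank) lines of a Shorewall file.
active_lines() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# check_shorewall6 DIR: print one finding per line; the return status is the
# number of findings (0 means none of the gaps below were found).
check_shorewall6() {
    dir=$1
    findings=0
    zones=$(active_lines "$dir/zones" | awk '{ sub(/:.*/, "", $1); print $1, $2 }')
    policy=$(active_lines "$dir/policy")

    # A lone "fw firewall" line is not enough: some zone must have type ipv6.
    if ! printf '%s\n' "$zones" | awk '$2 == "ipv6" { ok = 1 } END { exit !ok }'; then
        echo "zones: no ipv6 zone (expected a line such as 'net ipv6')"
        findings=$((findings + 1))
    fi

    if [ -z "$policy" ]; then
        echo "policy: no active policy lines"
        findings=$((findings + 1))
    fi

    # Simplified rule (assumption): SOURCE and DEST are a declared zone, "all" or "$FW".
    names=$(printf '%s\n' "$zones" | awk '{ print $1 }')
    for z in $(printf '%s\n' "$policy" | awk '{ print $1; print $2 }' | sort -u); do
        case "$z" in all|'$FW') continue ;; esac
        if ! printf '%s\n' "$names" | grep -qxF -- "$z"; then
            echo "policy: zone '$z' is not declared in zones"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample reproducing the state described in comments 6 and 7.
demo=$(mktemp -d)
printf '#ZONE TYPE\nfw firewall\n' > "$demo/zones"
printf '#SOURCE DEST POLICY LOG\n' > "$demo/policy"
check_shorewall6 "$demo" || echo "findings: $?"
rm -rf "$demo"
```
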
Comment 8 Dick Gevers 2016-05-21 15:15:41 CEST
Valid for 6sta1 classical iso of 20th May 2016.

Effectively this makes my sales pitch null and void that Linux is secure: with no firewall it is not. With firewall enabled there is no accessible internet.

I propose this needs to be a release blocker by the time we get to final release of M6.

Keywords: 6dev1 => 6sta1
Hardware: i586 => All

Comment 9 Dick Gevers 2016-05-22 16:45:29 CEST
Also valid for 2 May 2016 live isos in live mode.

Summary: Installer Summary --> services does not show shorewalls, security shows firewall disabled by default => Installer Summary --> services does not show shorewalls, security shows firewall disabled by default (also live mode of live isos)
Source RPM: classical iso dated 07/03 => drakx-installer-stage2

Marja Van Waes 2016-05-23 10:59:36 CEST

Depends on: (none) => 18509

Comment 10 Dick Gevers 2016-06-07 14:45:36 CEST
valid for iso dated 06 June 2016

Thierry Vignaud 2016-06-22 10:22:53 CEST

Status: NEW => ASSIGNED
CC: (none) => thierry.vignaud
Assignee: bugsquad => thierry.vignaud
Source RPM: drakx-installer-stage2 => drakx-installer-stage2, drakx-net

Comment 11 Mageia Robot 2016-06-22 13:20:16 CEST
commit ee45d93276cf795a53fcb0351a78fe7e6b1a4b5c
Author: Thierry Vignaud <thierry.vignaud@...>
Date:   Wed Jun 22 10:30:56 2016 +0200

    fix getting systemd services status at install
    
    Some services such as shorewall are not "wantedby".
    However, as systemd is not running during installation, we failed to
    detect whether they're enabled or not as the legacy fallback doesn't
    handle such services
    
    Let's try hard to query status of services that are not "wanted" but
    we're checking for.
    Thus fixing updating firewall status after configuration (mga#17288)
---
 Commit Link:
   http://gitweb.mageia.org/software/drakx/commit/?id=ee45d93276cf795a53fcb0351a78fe7e6b1a4b5c

Comment 12 Thierry Vignaud 2016-06-22 13:23:50 CEST
Closing

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

