|
 |
21c891 |
From 742ed8613bff7f6ecb78a58ceca02c308af6786e Mon Sep 17 00:00:00 2001
|
|
|
21c891 |
From: Eric Garver <e@erig.me>
|
|
|
21c891 |
Date: Mon, 9 Jul 2018 11:29:33 -0400
|
|
|
21c891 |
Subject: [PATCH] Add cockpit by default to some zones
|
|
|
21c891 |
|
|
|
21c891 |
Fixes: #1581578
|
|
|
21c891 |
---
|
|
|
21c891 |
config/zones/home.xml | 1 +
|
|
|
21c891 |
config/zones/internal.xml | 1 +
|
|
|
21c891 |
config/zones/public.xml | 1 +
|
|
|
21c891 |
config/zones/work.xml | 1 +
|
|
|
21c891 |
src/tests/regression/gh366.at | 3 +++
|
|
|
21c891 |
src/tests/regression/rhbz1514043.at | 2 +-
|
|
|
21c891 |
6 files changed, 8 insertions(+), 1 deletion(-)
|
|
|
21c891 |
|
|
|
21c891 |
diff --git a/config/zones/home.xml b/config/zones/home.xml
|
|
|
21c891 |
index 42b29b2f2d50..8aa8afa0e8aa 100644
|
|
|
21c891 |
--- a/config/zones/home.xml
|
|
|
21c891 |
+++ b/config/zones/home.xml
|
|
|
21c891 |
@@ -6,4 +6,5 @@
|
|
|
21c891 |
<service name="mdns"/>
|
|
|
21c891 |
<service name="samba-client"/>
|
|
|
21c891 |
<service name="dhcpv6-client"/>
|
|
|
21c891 |
+ <service name="cockpit"/>
|
|
|
21c891 |
</zone>
|
|
|
21c891 |
diff --git a/config/zones/internal.xml b/config/zones/internal.xml
|
|
|
21c891 |
index e646b48c94e8..40cb7e14424b 100644
|
|
|
21c891 |
--- a/config/zones/internal.xml
|
|
|
21c891 |
+++ b/config/zones/internal.xml
|
|
|
21c891 |
@@ -6,4 +6,5 @@
|
|
|
21c891 |
<service name="mdns"/>
|
|
|
21c891 |
<service name="samba-client"/>
|
|
|
21c891 |
<service name="dhcpv6-client"/>
|
|
|
21c891 |
+ <service name="cockpit"/>
|
|
|
21c891 |
</zone>
|
|
|
21c891 |
diff --git a/config/zones/public.xml b/config/zones/public.xml
|
|
|
21c891 |
index 49795d8c9068..617e131a4895 100644
|
|
|
21c891 |
--- a/config/zones/public.xml
|
|
|
21c891 |
+++ b/config/zones/public.xml
|
|
|
21c891 |
@@ -4,4 +4,5 @@
|
|
|
21c891 |
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
|
|
|
21c891 |
<service name="ssh"/>
|
|
|
21c891 |
<service name="dhcpv6-client"/>
|
|
|
21c891 |
+ <service name="cockpit"/>
|
|
|
21c891 |
</zone>
|
|
|
21c891 |
diff --git a/config/zones/work.xml b/config/zones/work.xml
|
|
|
21c891 |
index 6ea5550a40bd..9609ee6f65c2 100644
|
|
|
21c891 |
--- a/config/zones/work.xml
|
|
|
21c891 |
+++ b/config/zones/work.xml
|
|
|
21c891 |
@@ -4,4 +4,5 @@
|
|
|
21c891 |
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
|
|
|
21c891 |
<service name="ssh"/>
|
|
|
21c891 |
<service name="dhcpv6-client"/>
|
|
|
21c891 |
+ <service name="cockpit"/>
|
|
|
21c891 |
</zone>
|
|
|
21c891 |
diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
|
|
|
21c891 |
index dd6963f9ac3a..6347f6650525 100644
|
|
|
21c891 |
--- a/src/tests/regression/gh366.at
|
|
|
21c891 |
+++ b/src/tests/regression/gh366.at
|
|
|
21c891 |
@@ -7,6 +7,7 @@ table inet firewalld {
|
|
|
21c891 |
chain filter_IN_public_allow {
|
|
|
21c891 |
tcp dport 22 ct state new,untracked accept
|
|
|
21c891 |
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
|
|
|
21c891 |
+tcp dport 9090 ct state new,untracked accept
|
|
|
21c891 |
ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
|
|
|
21c891 |
ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
|
|
|
21c891 |
}
|
|
|
21c891 |
@@ -14,11 +15,13 @@ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
|
|
|
21c891 |
])], [
|
|
|
21c891 |
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
|
|
|
21c891 |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
21c891 |
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
|
|
|
21c891 |
])
|
|
|
21c891 |
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
|
|
|
21c891 |
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
|
|
|
21c891 |
+ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
|
|
|
21c891 |
])])])
|
|
|
21c891 |
|
|
|
21c891 |
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
|
|
|
21c891 |
index a7368dbd9eeb..36ee0050141d 100644
|
|
|
21c891 |
--- a/src/tests/regression/rhbz1514043.at
|
|
|
21c891 |
+++ b/src/tests/regression/rhbz1514043.at
|
|
|
21c891 |
@@ -3,7 +3,7 @@ FWD_CHECK([-q --set-log-denied=all])
|
|
|
21c891 |
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
|
|
|
21c891 |
FWD_RELOAD
|
|
|
21c891 |
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
|
|
|
21c891 |
-services: dhcpv6-client samba ssh
|
|
|
21c891 |
+services: cockpit dhcpv6-client samba ssh
|
|
|
21c891 |
])
|
|
|
21c891 |
dnl check that log denied actually took effect
|
|
|
21c891 |
m4_if(iptables, FIREWALL_BACKEND, [
|
|
|
21c891 |
--
|
|
|
21c891 |
2.18.0
|
|
|
21c891 |
|