Bug 1090372 - Server System Roles have suboptimal default firewall settings
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Installation
Version: Current
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Richard Brown
QA Contact: Jiri Srain
Reported: 2018-04-20 12:20 UTC by Richard Brown
Modified: 2019-02-13 12:32 UTC

Description Richard Brown 2018-04-20 12:20:58 UTC
sshd is still disabled and blocked by default on openSUSE Leap 15 and Tumbleweed server roles at time of writing.

There are 3 control.xml parameters that control this:

<enable_firewall config:type="boolean">  - Enables the firewall
<firewall_enable_ssh config:type="boolean"> - opens the SSH port in the firewall
<enable_sshd config:type="boolean"> - enables sshd

Currently the settings are

enable_firewall - True
firewall_enable_ssh - False
enable_sshd - Undef (False)

Discussing this with Ludwig, his desire for Leap 15.1 will be to have the following for the server system roles:

enable_firewall - False
firewall_enable_ssh - Doesn't matter if enable_firewall is false
enable_sshd - True

I'm tempted to agree and plan to implement this in Tumbleweed. This bug is therefore here to remind myself to do that, or give people a chance to object before I get around to it.
Comment 1 Oliver Kurz 2018-11-16 07:07:08 UTC
(In reply to Richard Brown from comment #0)
> Currently the settings are
> 
> enable_firewall - True
> firewall_enable_ssh - False
> enable_sshd - Undef (False)
> 
> Discussing this with Ludwig his desire for Leap 15.1 will be to have the
> following for the server system roles
> 
> enable_firewall - False
> firewall_enable_ssh - Doesn't matter if enable_firewall is false
> enable_sshd - True

Are you sure you want to enable SSHd by default? The installer already enabled sshd by default whenever the *installation* is conducted over ssh so I wonder if it is a good idea to impact the scenarios where a server installation is conducted without ssh and then ssh is automatically enabled – and also differ in behaviour from SLE.
Comment 2 Richard Brown 2018-11-16 08:04:41 UTC
(In reply to Oliver Kurz from comment #1)
> (In reply to Richard Brown from comment #0)
> > Currently the settings are
> > 
> > enable_firewall - True
> > firewall_enable_ssh - False
> > enable_sshd - Undef (False)
> > 
> > Discussing this with Ludwig his desire for Leap 15.1 will be to have the
> > following for the server system roles
> > 
> > enable_firewall - False
> > firewall_enable_ssh - Doesn't matter if enable_firewall is false
> > enable_sshd - True
> 
> Are you sure you want to enable SSHd by default? The installer already
> enabled sshd by default whenever the *installation* is conducted over ssh so
> I wonder if it is a good idea to impact the scenarios where a server
> installation is conducted without ssh and then ssh is automatically enabled
> – and also differ in behaviour from SLE.

For the server system roles, absolutely.

I don’t care about the parity with SLE, openSUSE's users expect to have SSH enabled when they pick a server system role, and that’s a reasonable assumption we are not fulfilling at the moment.

I won’t be changing the “if ssh used to install then enable ssh” logic which will still apply to the other system roles.
Comment 3 Richard Brown 2018-11-22 15:02:10 UTC
skelcd-control-openSUSE submissions OTW
Comment 6 Ludwig Nussel 2019-02-11 14:57:03 UTC
Had a quick chat with Johannes on the topic at lunch and we have different positions here.

We both agree that for server installations it does make sense to expose ssh by default as that is the most likely way to get into the server anyways. Not having ssh enabled is a nuisance for that use case.

However, whether or not the firewall makes sense is controversial. In my opinion the firewall adds little value as ssh is pretty much the only thing open anyways and any service installed, configured and started afterwards likely is meant to be available too. Johannes disagrees and wants to prevent accidentally exposing services by blocking anything that wasn't explicitly configured in the firewall.

Meanwhile the yast firewall module works also in text mode now so whatever.
Comment 7 Johannes Segitz 2019-02-13 08:17:21 UTC
(In reply to Ludwig Nussel from comment #6)
I basically agree, only that for me the "likely" part should be secured by a firewall that needs to be explicitly configured to let the service talk to the world. If an admin doesn't like that, he's free to disable the firewall, but by default we would like to have it enabled.

I created https://github.com/yast/skelcd-control-openSUSE/pull/166 to enable the firewall by default again
Comment 8 Richard Brown 2019-02-13 12:32:37 UTC
(In reply to Johannes Segitz from comment #7)

I agree with Ludwig and disagree with Johannes

But I don't disagree strongly enough to argue with Johannes' changes to the skelcd ;)

They're in, submissions are https://build.opensuse.org/request/show/674529 and https://build.opensuse.org/request/show/674531

Closing bug, thanks Johannes :)
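
The three control.xml flags from the description interact, so the same `enable_sshd` value can leave SSH reachable or silently blocked. The sketch below is an added example, not code from this bug report or from skelcd-control-openSUSE: it parses a constructed `<globals>` fragment and reports the resulting exposure. The fragment layout, the namespace URI, the helper names and the last two sample combinations are assumptions, and the "installed over ssh" installer logic mentioned in the comments is not modelled.

```python
import xml.etree.ElementTree as ET

# Namespace bound to the config: prefix in this constructed fragment (assumption).
CONFIG_NS = "http://www.suse.com/1.0/configns"

def fragment(**flags):
    """Build a constructed <globals> fragment holding only the given boolean flags."""
    body = "".join(
        f'<{name} config:type="boolean">{str(value).lower()}</{name}>'
        for name, value in flags.items()
    )
    return f'<globals xmlns:config="{CONFIG_NS}">{body}</globals>'

# Constructed samples; only the first two value sets are stated in the report.
SAMPLES = {
    "reported": fragment(enable_firewall=True, firewall_enable_ssh=False),
    "proposed": fragment(enable_firewall=False, enable_sshd=True),
    # Assumed combinations, not taken from the thread:
    "firewall_with_ssh": fragment(enable_firewall=True, firewall_enable_ssh=True, enable_sshd=True),
    "sshd_blocked": fragment(enable_firewall=True, firewall_enable_ssh=False, enable_sshd=True),
}

def read_flag(globals_el, name):
    """Read one boolean flag; a missing element is treated as False ("Undef")."""
    el = globals_el.find(name)
    if el is None:
        return False
    if el.get(f"{{{CONFIG_NS}}}type") != "boolean":
        raise ValueError(f"{name} is not declared as a boolean")
    return (el.text or "").strip().lower() == "true"

def ssh_exposure(xml_text):
    """Summarise what a freshly installed system exposes for one set of defaults."""
    g = ET.fromstring(xml_text)
    firewall = read_flag(g, "enable_firewall")
    port_open = read_flag(g, "firewall_enable_ssh")
    sshd = read_flag(g, "enable_sshd")
    return {
        "firewall_active": firewall,
        "sshd_running": sshd,
        # firewall_enable_ssh only matters while the firewall is enabled.
        "ssh_reachable": sshd and (not firewall or port_open),
    }

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, ssh_exposure(xml_text))
```

The `sshd_blocked` sample is the combination to check for when reviewing a role definition: sshd runs, but the firewall default keeps the port closed.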