From 0f28f2b7b8072bdc2e483d035230ddcb8b00a919 Mon Sep 17 00:00:00 2001

From: Eric Garver <e@erig.me>

Date: Mon, 9 Jul 2018 11:29:33 -0400

Subject: [PATCH] Add cockpit by default to some zones

Fixes: #1581578

---

 config/zones/home.xml                 |  1 +

 config/zones/internal.xml             |  1 +

 config/zones/public.xml               |  1 +

 config/zones/work.xml                 |  1 +

 src/tests/features/service_include.at |  2 +-

 src/tests/firewall-cmd.at             | 14 +++++++++++++-

 src/tests/regression/gh366.at         |  3 +++

 src/tests/regression/gh453.at         |  2 ++

 src/tests/regression/rhbz1514043.at   |  2 +-

 9 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/config/zones/home.xml b/config/zones/home.xml

index 42b29b2f2d50..8aa8afa0e8aa 100644

--- a/config/zones/home.xml

+++ b/config/zones/home.xml

@@ -6,4 +6,5 @@

   <service name="mdns"/>

   <service name="samba-client"/>

   <service name="dhcpv6-client"/>

+  <service name="cockpit"/>

 </zone>

diff --git a/config/zones/internal.xml b/config/zones/internal.xml

index e646b48c94e8..40cb7e14424b 100644

--- a/config/zones/internal.xml

+++ b/config/zones/internal.xml

@@ -6,4 +6,5 @@

   <service name="mdns"/>

   <service name="samba-client"/>

   <service name="dhcpv6-client"/>

+  <service name="cockpit"/>

 </zone>

diff --git a/config/zones/public.xml b/config/zones/public.xml

index 49795d8c9068..617e131a4895 100644

--- a/config/zones/public.xml

+++ b/config/zones/public.xml

@@ -4,4 +4,5 @@

   <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

   <service name="ssh"/>

   <service name="dhcpv6-client"/>

+  <service name="cockpit"/>

 </zone>

diff --git a/config/zones/work.xml b/config/zones/work.xml

index 6ea5550a40bd..9609ee6f65c2 100644

--- a/config/zones/work.xml

+++ b/config/zones/work.xml

@@ -4,4 +4,5 @@

   <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>

   <service name="ssh"/>

   <service name="dhcpv6-client"/>

+  <service name="cockpit"/>

 </zone>

diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at

index b3a50a84bd88..992c5ef0ba92 100644

--- a/src/tests/features/service_include.at

+++ b/src/tests/features/service_include.at

@@ -90,7 +90,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl

 ])

 FWD_CHECK([--zone=public --list-services], 0, [dnl

-dhcpv6-client ssh

+cockpit dhcpv6-client ssh

 ])

 FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])

 FWD_RELOAD

diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at

index efc8f9c50757..6444b4566af5 100644

--- a/src/tests/firewall-cmd.at

+++ b/src/tests/firewall-cmd.at

@@ -1046,6 +1046,7 @@ FWD_START_TEST([rich rules priority])

         chain filter_IN_public_allow {

         tcp dport 22 ct state new,untracked accept

         ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+        tcp dport 9090 ct state new,untracked accept

         tcp dport 1122 ct state new,untracked accept

         tcp dport 3333 ct state new,untracked accept

         tcp dport 4444 ct state new,untracked accept

@@ -1061,6 +1062,7 @@ FWD_START_TEST([rich rules priority])

     ])

     IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED

         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED

         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED

         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED

@@ -1075,6 +1077,7 @@ FWD_START_TEST([rich rules priority])

     IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

         ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

         ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+        ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED

         ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED

         ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED

         ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED

@@ -1156,6 +1159,7 @@ FWD_START_TEST([rich rules priority])

         chain filter_IN_public_allow {

         tcp dport 22 ct state new,untracked accept

         ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+        tcp dport 9090 ct state new,untracked accept

         }

         }

     ])

@@ -1259,6 +1263,7 @@ FWD_START_TEST([rich rules priority])

     ])

     IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED

     ])

     IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl

     ])

@@ -1293,6 +1298,7 @@ FWD_START_TEST([rich rules priority])

     IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

         ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

         ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+        ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED

     ])

     IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl

     ])

@@ -1340,6 +1346,7 @@ FWD_START_TEST([rich rules priority])

         chain filter_IN_public_allow {

         tcp dport 22 ct state new,untracked accept

         ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+        tcp dport 9090 ct state new,untracked accept

         icmp type echo-request accept

         icmpv6 type echo-request accept

         }

@@ -1380,6 +1387,7 @@ FWD_START_TEST([rich rules priority])

     ])

     IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED

         ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8

     ])

     IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl

@@ -1402,6 +1410,7 @@ FWD_START_TEST([rich rules priority])

     IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

         ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

         ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+        ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED

         ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128

     ])

     IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl

@@ -1458,6 +1467,7 @@ FWD_START_TEST([rich rules priority])

         chain filter_IN_public_allow {

         tcp dport 22 ct state new,untracked accept

         ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+        tcp dport 9090 ct state new,untracked accept

         }

         }

     ])

@@ -1495,6 +1505,7 @@ FWD_START_TEST([rich rules priority])

     ])

     IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+        ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED

     ])

     IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl

     ])

@@ -1515,6 +1526,7 @@ FWD_START_TEST([rich rules priority])

     IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

         ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

         ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+        ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED

     ])

     IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl

     ])

@@ -1540,7 +1552,7 @@ FWD_START_TEST([rich rules priority])

         icmp-block-inversion: no

         interfaces:

         sources:

-        services: dhcpv6-client ssh

+        services: cockpit dhcpv6-client ssh

         ports:

         protocols:

         masquerade: no

diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at

index 1441a6be53bf..51ff504e6a9d 100644

--- a/src/tests/regression/gh366.at

+++ b/src/tests/regression/gh366.at

@@ -7,6 +7,7 @@ table inet firewalld {

 chain filter_IN_public_allow {

 tcp dport 22 ct state new,untracked accept

 ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+tcp dport 9090 ct state new,untracked accept

 ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept

 ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept

 }

@@ -14,11 +15,13 @@ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept

 ])

 IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED

+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED

 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED

 ])

 IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl

 ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED

 ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED

+ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED

 ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED

 ])])

diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at

index f57a79dcf9a2..6d820fce840a 100644

--- a/src/tests/regression/gh453.at

+++ b/src/tests/regression/gh453.at

@@ -18,6 +18,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl

 	chain filter_IN_public_allow {

 	tcp dport 22 ct state new,untracked accept

 	ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+	tcp dport 9090 ct state new,untracked accept

 	tcp dport 21 ct helper set "helper-ftp-tcp"

 	tcp dport 21 ct state new,untracked accept

 	}

@@ -42,6 +43,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl

 	chain filter_IN_public_allow {

 	tcp dport 22 ct state new,untracked accept

 	ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept

+	tcp dport 9090 ct state new,untracked accept

 	tcp dport 21 ct helper set "helper-ftp-tcp"

 	tcp dport 21 ct state new,untracked accept

 	tcp dport 5060 ct helper set "helper-sip-tcp"

diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at

index deb93a5fac94..88ce4934e5ea 100644

--- a/src/tests/regression/rhbz1514043.at

+++ b/src/tests/regression/rhbz1514043.at

@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all])

 FWD_CHECK([-q --permanent --zone=public --add-service=samba])

 FWD_RELOAD

 FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl

-services: dhcpv6-client samba ssh

+services: cockpit dhcpv6-client samba ssh

 ])

 dnl check that log denied actually took effect

 m4_if(iptables, FIREWALL_BACKEND, [

-- 

2.20.1