From 73e277b20253dc35609ad09d1432a686ded99766 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi <clinton@unknownlamer.org>
Date: Thu, 6 Dec 2012 02:53:48 -0500
Subject: [PATCH] Allow kadmin

---
 debian/changelog      | 6 ++++++
 files/ferm.conf.hcoop | 1 +
 2 files changed, 7 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 68075f7..22c8571 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+hcoop-firewall-config (2) stable; urgency=low
+
+  * Allow outbound kadmin by default (to e.g. extract host keytab)
+
+ -- Clinton Ebadi <clinton@unknownlamer.org>  Thu, 06 Dec 2012 02:52:36 -0500
+
 hcoop-firewall-config (1) stable; urgency=low
 
   * Include service firewall rules Instead of a per-machine package, keep the ports with the service for now. Ideally domtool would handle all of this.
diff --git a/files/ferm.conf.hcoop b/files/ferm.conf.hcoop
index 12c90d7..a85e14d 100644
--- a/files/ferm.conf.hcoop
+++ b/files/ferm.conf.hcoop
@@ -47,6 +47,7 @@ table filter {
 	proto tcp dport 1235 ACCEPT;
 
 	proto (tcp udp) dport ( kerberos afs3-fileserver afs3-callback afs3-prserver afs3-vlserver afs3-volser afs3-errors afs3-bos ) ACCEPT;
+	proto tcp dport kerberos-adm ACCEPT;
 
 	proto (tcp udp) dport ntp ACCEPT;
 	proto (tcp udp) dport domain ACCEPT;
-- 
2.20.1