Bug 101527
| Summary: | ifup-post punches not quite enough udp ports through firewall for dns lookups. | ||
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Philip Hirschhorn <psh> |
| Component: | initscripts | Assignee: | Bill Nottingham <notting> |
| Status: | CLOSED RAWHIDE | QA Contact: | Brock Organ <borgan> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9 | CC: | rvokal |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2003-08-14 03:43:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This will be solved with redhat-config-securitylevel-1.2.x. |
Description of problem: ifup-post tries to punch the nameservers through the iptables firewall, but it only opens ports 1025:65535 (that is, it does *not* open port 1024 for dns inquiries). When the ntpd startup script runs at boot time, it tries to find the ip address of each server listed in /etc/ntp.conf, and the dns inquiries generated go out through port 1024, and so the dns replies are blocked by iptables (at least this is true if iptables was configured with high security, in which case it discards all udp packets unless some other script opens up a udp port). I determined this by running tcpdump on my gateway machine. If I rerun the ntp startup script *after* the machine is up and running, the dns inquiries go out on ports higher than 1024 (usually 1026 or 1027), and so there's no problem. However, when the ntp startup script runs at boot time, its dns lookups consistently use port 1024, and so the dns replies are blocked. Version-Release number of selected component (if applicable): How reproducible: Happens every time that the ntp startup script runs at boot time. When the ntp startup script is run after the machine is fully booted, it uses ports for dns inquiries and there are no problems. Steps to Reproduce: 1. Install iptables with high security (so that all incoming udp packets are rejected). 2. Configure ntp to use several servers specified by name, rather than by IP address, so that dns lookups will be required when ntp is started up so that the time servers can be punched through the firewall. 3.Have some coffee, and maybe a doughnut (chocolate honey dipped are nice). Actual results: The ntp startup script, at boot times, fails in its attempts to punch the timeservers through the firewall. Expected results: The ntp startup script should punch the timeservers through the firewall at boot time. Additional info: