Bug 164187
Summary: | Unable to configure port range in Other Ports | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | John Griffiths <fedora.jrg01> |
Component: | system-config-securitylevel | Assignee: | Chris Lumens <clumens> |
Status: | CLOSED RAWHIDE | Last Closed: | 2005-12-02 18:51:02 UTC |
Severity: | medium | Priority: | medium |
Version: | 4 | Keywords: | FutureFeature |
Hardware: | i386 | OS: | Linux |
Doc Type: | Enhancement | | |
Description
John Griffiths
2005-07-25 20:10:52 UTC
No, you're not missing anything. s-c-securitylevel doesn't currently support adding ranges.

The option -dport will accept a range according to the man page for iptables. If I hand edit the /etc/sysconfig/iptables file to specify a range, will the firewall accept it?

Answered my own question. Tried it. iptables -L lists the rule so it appears this works. Of course now I cannot use system-config-securitylevel or it will overwrite the rule and drop the port range.

Further comment. I can still use system-config-securitylevel to change SELinux enforcing without rewriting the /etc/sysconfig/iptables file. I cannot change the firewall ports or the iptables file is overwritten.

Seems this might be a fairly simple enhancement. system-config-securitylevel will already accept ip-ip:tcp as an iprange on the "other ports" section. It just does not parse and write the range. The output of system-config-securitylevel could process the string before the : as it currently does and substitute a colon for the dash since the format for a range is

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6881:6999 -j ACCEPT

Just a thought.
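
The conversion suggested in the report, sketched as an added example (not code from system-config-securitylevel or from the reporter). The function names, the comma-or-space separated field format, and the choice to reject port 0 are assumptions; the chain name and rule layout are taken from the rule quoted above. Each entry is validated strictly so that free text typed into the field cannot end up in /etc/sysconfig/iptables.

```python
import re

# Hypothetical helpers; chain name and rule layout follow the quoted rule.
CHAIN = "RH-Firewall-1-INPUT"
_ENTRY = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?:(tcp|udp)")


def parse_port_entry(entry):
    """Return (first, last, proto) for 'port:proto' or 'first-last:proto'."""
    m = _ENTRY.fullmatch(entry.strip().lower())
    if not m:
        raise ValueError("expected port[-port]:proto, got %r" % entry)
    first = int(m.group(1))
    last = int(m.group(2)) if m.group(2) else first
    if not (1 <= first <= 65535 and 1 <= last <= 65535):
        raise ValueError("port out of range in %r" % entry)
    if first > last:
        raise ValueError("range start exceeds end in %r" % entry)
    return first, last, m.group(3)


def rule_for(entry):
    """Build one iptables-save style rule; the dash becomes a colon."""
    first, last, proto = parse_port_entry(entry)
    dport = str(first) if first == last else "%d:%d" % (first, last)
    return ("-A %s -m state --state NEW -m %s -p %s --dport %s -j ACCEPT"
            % (CHAIN, proto, proto, dport))


def rules_for(other_ports):
    """Convert the whole field (assumed comma/space separated) to rules."""
    entries = [e for e in re.split(r"[,\s]+", other_ports) if e]
    return [rule_for(e) for e in entries]


if __name__ == "__main__":
    # Constructed sample input for the "other ports" field.
    for rule in rules_for("6881-6999:tcp, 53:udp"):
        print(rule)
```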