Bug 164187

Summary: Unable to configure port range in Other Ports
Product: [Fedora] Fedora Reporter: John Griffiths <fedora.jrg01>
Component: system-config-securitylevelAssignee: Chris Lumens <clumens>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4Keywords: FutureFeature
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-12-02 18:51:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description John Griffiths 2005-07-25 20:10:52 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
I used /usr/bin/system-config-securitylevel and tried to open a port range using 6881-6999:tcp. system-config-securitylevel accepted the command, but when I checked it, only port 6881:tcp was opened. Am I missing something? I looked for a man page or help for system-config-securitylevel and couldn't find one. I did a google search for system-config-securitylevel and "port range" and got some stuff on ftp but nothing on actually opening a range.


Version-Release number of selected component (if applicable):
system-config-securitylevel-1.5.8.1-1

How reproducible:
Always

Steps to Reproduce:
1.run system-config-securitylevel
2.Enter a port range to open in "Other ports", i.e., 6881-6999:tcp
3.Exit
4.run system-config-securitylevel
5.Only first port shows in "Other ports", i.e., 6881:tcp
  

Actual Results:  Only first port shows in "Other ports", i.e., 6881:tcp

Expected Results:  A port range should have been created.

Additional info:

This makes it impossible to participate in a bittorent community.
Comment 1 Chris Lumens 2005-08-03 14:34:58 UTC 
No, you're not missing anything.  s-c-securitylevel doesn't currently support
adding ranges.
Comment 2 John Griffiths 2005-08-03 16:01:37 UTC 
The option -dport will accept a range according to the man page for iptables. If
I hand edit the /etc/sysconfig/iptables file to specify a range, will the
firewall accept it?
Comment 3 John Griffiths 2005-08-03 16:10:03 UTC 
Answered my own question. Tried it. iptables -L lists the rule so it appears
this works. Of course now I cannot use system-config-securitylevel or it will
overwrite the rule and drop the port range.
Comment 4 John Griffiths 2005-08-03 19:07:27 UTC 
Further comment. I can still use system-config-securitylevel to change SELinux
enforcing without rewriting the /etc/sysconfig/iptables file. I cannot change
the firewall ports or the iptables file is overwritten.

Seems this might be a fairly simple enhancement. system-config-securitylevel
will already accept ip-ip:tcp as a iprange on the "other ports" section. It just
does not parse and write the range. The output of system-config-securitylevel
could process the string before the : as it currently does and substitute a
colon for the dash since the format for a range is 

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6881:6999 -j
ACCEPT

Just a thought.