Bug 25951
Summary: | firewall is configured before the dhcp query for nameservers | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | sandy <sandy_pond> |
Component: | initscripts | Assignee: | Bill Nottingham <notting> |
Status: | CLOSED RAWHIDE | QA Contact: | David Lawrence <dkl> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.1 | CC: | chris, rvokal, saint, twaugh |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2001-02-06 18:13:44 UTC | Type: | --- |
Description
sandy
2001-02-04 05:47:04 UTC
But if the host also requires DHCP, you need to check the 'DHCP' box too. Does that solve the problem?

*** This bug has been marked as a duplicate of 25510 ***

oops, wrong bug.

*** Bug 25490 has been marked as a duplicate of this bug. ***

*** Bug 25408 has been marked as a duplicate of this bug. ***

*** Bug 26010 has been marked as a duplicate of this bug. ***

Selecting DHCP in the firewall configuration is only required if you are going to run a DHCP server - not just if you're a client. (I tested this a couple of times myself, and this is also what the docs say should be the case.)

The problem is that when RHL first installs (selecting DHCP for DNS allocation), anaconda leaves the file as:

    :input ACCEPT
    :forward ACCEPT
    :output ACCEPT
    -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
    -A input -s 0/0 -d 0/0 -p tcp -y -j DENY
    -A input -s 0/0 -d 0/0 -p udp -j DENY

and as a result DNS lookup won't work.

If you re-run lokkit, and choose high security after installation, assuming DHCP has allocated your DNS servers and they have been recorded in /etc/resolv.conf you will now have appropriate DNS entries, i.e.:

    :input ACCEPT
    :forward ACCEPT
    :output ACCEPT
    -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
    -A input -s 1.2.3.4 53 -d 0/0 -p udp -j ACCEPT
    -A input -s 1.2.3.5 53 -d 0/0 -p udp -j ACCEPT
    -A input -s 0/0 -d 0/0 -p tcp -y -j DENY
    -A input -s 0/0 -d 0/0 -p udp -j DENY

We either need anaconda to be DNS aware, or we need the high security rules to allow incoming 53 dns.

Two more important issues:

- Allocation of new dns servers (manually specified or via DHCP). I presume this is not being properly catered for in our automated /etc/sysconfig/ipchains rules and this is going to be a real problem for people.
- Another problem is lokkit does not wipe out the firewall rules it has put in place, when you run it as root and select no firewall!!

I can test or provide any more information if necessary.

*** Bug 25936 has been marked as a duplicate of this bug. ***

*** Bug 25929 has been marked as a duplicate of this bug. ***

*** Bug 26114 has been marked as a duplicate of this bug. ***

Upping the priority and severity! I hit this bigtime. The installer pretty much directs you to selecting "High security" firewall, which is great. The blurb at the left side of the dialog claims that a high security setup will let in DNS and nothing else. It lied. I configured and brought up my modem dialup link. And it was hosed due to blocked name resolution. :-(

It doesn't exactly *lie*, it just lets in only the DNS that's configured at install time. :)

This should be fixed in initscripts-5.62-1.
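
Added example, not part of the bug report or of initscripts/lokkit: a shell check that compares a saved ipchains rule file against resolv.conf and lists the nameservers whose UDP replies the blanket DENY would drop. The function names, file names and the 192.0.2.53 address used in testing are assumptions; the sample rules are constructed from the two rule sets quoted above.

```sh
#!/bin/sh
# Added example. Prints each resolv.conf nameserver that the "input" chain
# cuts off: a blanket UDP DENY exists and no earlier
# "-s <ip> 53 ... -p udp -j ACCEPT" rule covers that server.
# Assumption: rules use the one-line layout quoted in the report.
missing_dns_rules() {
    awk '
    mode == "rules" && $1 == "-A" && $2 == "input" {
        src = ""; sport = ""; proto = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") { src = $(i+1); if ($(i+2) !~ /^-/) sport = $(i+2) }
            else if ($i == "-p") proto = $(i+1)
            else if ($i == "-j") target = $(i+1)
        }
        if (proto != "udp" || denied) next    # rules after the DENY never match
        any = (src == "0/0" || src == "0.0.0.0/0")
        sub(/\/.*/, "", src)                   # drop an optional /mask
        if (target == "ACCEPT" && (sport == "53" || sport == "53:53")) {
            if (any) allow_any = 1; else allowed[src] = 1
        } else if (target == "DENY" && any && sport == "") denied = 1
    }
    mode == "resolv" && $1 == "nameserver" {
        if (denied && !allow_any && !($2 in allowed)) { print $2; bad = 1 }
    }
    END { exit bad + 0 }                       # status 1 if any server is cut off
    ' mode=rules "$1" mode=resolv "$2"
}

# Constructed sample files mirroring the two rule sets quoted in the report.
write_samples() {
    printf 'nameserver %s\n' 1.2.3.4 1.2.3.5 > "$1/resolv.conf"
    pre=':input ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT'
    post='-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY'
    dns='-A input -s 1.2.3.4 53 -d 0/0 -p udp -j ACCEPT
-A input -s 1.2.3.5 53 -d 0/0 -p udp -j ACCEPT'
    printf '%s\n' "$pre" "$post" > "$1/install.rules"
    printf '%s\n' "$pre" "$dns" "$post" > "$1/lokkit.rules"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in install lokkit; do
    echo "$f.rules drops replies from: $(missing_dns_rules "$tmp/$f.rules" "$tmp/resolv.conf" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

Run against a real rule file and /etc/resolv.conf after each DHCP lease or manual DNS change; a non-zero exit status means at least one configured nameserver has no matching ACCEPT rule.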