Bug 27915

Summary: Firewall config blocks DNS replies if DHCP checked on install
Product: [Retired] Red Hat Linux
Component: anaconda
Version: 7.1
Hardware: i386
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Greg Corson <greg_corson>
Assignee: Bill Nottingham <notting>
QA Contact: Brock Organ <borgan>
CC: rvokal
Doc Type: Bug Fix
Last Closed: 2001-02-19 23:59:47 UTC

Description Greg Corson 2001-02-16 02:40:59 UTC

When installing the system, I checked the "DHCP" option on the network 
card configuration page.  On the firewall page I selected "HIGH".  When 
the install was done the DHCP operated successfully and assigned all the 
network numbers right, but DNS lookups failed to work.  After quite a bit 
of messing around, I discovered the firewall rules were blocking the DNS 
reply packets.

Reproducible: Didn't try
Steps to Reproduce:
1. Select "DHCP" when installing network
2. Select "high" when installing firewall

Actual Results:  System comes up and DHCP's properly, but firewall rules 
block the DNS reply packets, presumably because the installer didn't know 
the DNS server addresses at the time the installer was running.

Expected Results:  Firewall installer should either be set up to allow all DNS 
reply packets to come through, or there should be a re-write of the firewall 
rules every time DHCP returns a new set of DNS server numbers.

My solution was to use a static IP address and re-run lokkit, which then 
re-wrote the firewall rules with explicit rules to allow my DNS servers to 
talk to me.

Lokkit seems to install explicit rules to allow DNS reply packets from 
specific IP numbers.  However, every time a machine does a DHCP it can 
potentially be assigned new DNS server addresses.  Because of this it 
seems you should have a module that re-writes the firewall DNS rules every 
time DHCP executes.  Otherwise, whenever a server address changes DNS 
lookups will be broken.

If you are unable to reproduce the problem please let me know and I will 
try doing a re-install (or whatever you suggest) to make it happen again.  
If you DO have something in the installer that DHCP's and tries to include 
DNS rules into the firewall, then it's possible the DHCP lookup failed for 
some reason during install, but succeeded on subsequent reboots.

P.S. Which firewall config tools in the RH distro still work correctly on 
the 2.4 kernel?  I tried several and they seemed to be unable to list the 
rules for my firewall.
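The rewrite-on-DHCP behaviour the report asks for, as an added example that is not part of the report or of lokkit/initscripts: a POSIX shell script that derives per-server DNS reply rules from the nameserver lines DHCP writes into resolv.conf and reports which nameservers the currently loaded rule set does not cover. The rule shape, the file contents and the function names are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not lokkit/initscripts code. The rule shape below is an
# assumption modelled on the per-server DNS accept rules the report describes.

# Constructed resolv.conf as a DHCP client might write it after a new lease.
SAMPLE_RESOLV='search example.net
nameserver 192.0.2.53
nameserver 198.51.100.53'

# Constructed resolv.conf from an earlier lease (different second server).
OLD_RESOLV='nameserver 192.0.2.53
nameserver 203.0.113.53'

# Print one nameserver address per line from resolv.conf text on stdin.
nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Emit one /etc/sysconfig/ipchains-style accept rule per nameserver:
# accept UDP from the server's port 53 (the DNS reply) to any local address.
dns_reply_rules() {
    printf '%s\n' "$1" | nameservers | while read -r ns; do
        printf '%s -p udp -s %s 53 -d 0/0 -j ACCEPT\n' '-A input' "$ns"
    done
}

# Given the loaded rule set (text) and the current resolv.conf (text),
# print each nameserver whose replies no rule accepts: the stale case the
# report hits after DHCP hands out a server address the installer never saw.
missing_dns_rules() {
    rules=$1
    printf '%s\n' "$2" | nameservers | while read -r ns; do
        case "$rules" in
            *"-s $ns 53 "*) ;;        # a rule already covers this server
            *) printf '%s\n' "$ns" ;; # no rule: its replies would be blocked
        esac
    done
}

# Stand-alone run: rules for the new lease, then what the old rule set lacks.
dns_reply_rules "$SAMPLE_RESOLV"
missing_dns_rules "$(dns_reply_rules "$OLD_RESOLV")" "$SAMPLE_RESOLV"
```

Run from a DHCP client hook, the output of dns_reply_rules is what would replace the stale DNS lines each time a lease changes the nameservers.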

Comment 1 Michael Fulbright 2001-02-16 14:56:13 UTC
Assigning to a developer.

Comment 2 Bill Nottingham 2001-02-16 17:51:01 UTC
This was fixed in initscripts-5.64 or so, along with pump-0.8.9-1.