Bug 431961
Summary: | iptables and ip6tables configurations differ, firewall completely open
---|---
Product: | [Fedora] Fedora
Reporter: | Andrew Farris <lordmorgul>
Component: | system-config-firewall
Assignee: | Thomas Woerner <twoerner>
Status: | CLOSED RAWHIDE
QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | low
Priority: | low
Version: | rawhide
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2008-02-14 17:47:19 UTC

Description
Andrew Farris
2008-02-08 03:08:24 UTC
I can not reproduce your problem. When you hit apply, system-config-firewall is calling lokkit to generate the /etc/sysconfig/ip*tables files. lokkit reports an error if one or more files could not be written. Are the new ip*tables files in place and do they contain the correct configuration? Could it be that you have some other firewall configuration utility installed on your system, which is resetting the rules?

There is nothing else in place I know of that is changing the rules between system-config-firewall and looking back at the configuration. I can see that both configs are written if neither is edited manually and different to the other. If iptables and ip6tables are both removed from /etc/sysconfig then new files are written with correct perms, config, and contexts. But, if one is manually edited in the chain it does not save to that one (loaded in memory). I'm not sure whether it edits the file on disk, so I'll check into this more.

Created attachment 294857
system-config-firewall-bash-tables-not-matched.txt
Here is a set of commands run in order that show what I'm talking about with
the two tables having unmatched configuration. It starts with my current
firewall configuration (a bit convoluted, learning iptables tweaking) which I
clear out. I then stop the services, remove their configurations, touch blank
files, and customize only iptables. Then I run system-config-firewall, load
default server config, disable/enable the firewall and apply the config.
Notice after I've done that the two firewall tables are not both changed.

You have set IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config. This overwrites the configuration made by system-config-firewall.

I will change the apply behaviour to
1) Stop the firewall
2) Write new config
3) Load new firewall configuration

Fixed in rawhide in package system-config-firewall-1.2.4-1.fc9.
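
An added check for the condition identified in the last comments (example code, not part of the bug report or of system-config-firewall): it reads the init-script configuration and reports when save-on-restart is enabled. The ip6tables-config path and the IP6TABLES_SAVE_ON_RESTART name are assumptions not shown on this page.

```shell
#!/bin/sh
# Added example: flag sysconfig settings that make the init script save the
# in-memory rules back over /etc/sysconfig/ip*tables on restart.

# Print the effective value of VAR ($2) in a sysconfig-style FILE ($1).
# Commented-out lines are ignored, trailing comments and surrounding quotes
# are stripped, and the last assignment wins, as it does when the file is
# sourced by a shell script.
sysconfig_value() {
    awk -v var="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, var "=") != 1) next
            val = substr(line, length(var) + 2)
            sub(/[ \t]*#.*$/, "", val)   # trailing comment
            sub(/[ \t]+$/, "", val)      # trailing whitespace
            sub(/^["\047]/, "", val)     # opening quote
            sub(/["\047]$/, "", val)     # closing quote
            result = val
        }
        END { print result }
    ' "$1"
}

# Return 0 and print a warning if FILE ($1) sets VAR ($2) to "yes".
# Return 1 if the file is unreadable or the setting is not enabled.
check_save_on_restart() {
    [ -r "$1" ] || return 1
    if [ "$(sysconfig_value "$1" "$2")" = "yes" ]; then
        echo "WARNING: $1 sets $2=yes; restarting the service saves the running rules over the on-disk configuration"
        return 0
    fi
    return 1
}

# The IPv4 path and variable come from the bug report; the IPv6 pair is an
# assumption (the IPv6 counterpart of the same setting).
check_save_on_restart /etc/sysconfig/iptables-config IPTABLES_SAVE_ON_RESTART || true
check_save_on_restart /etc/sysconfig/ip6tables-config IP6TABLES_SAVE_ON_RESTART || true
```
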