Bug 63497

Summary: bug in firewall punch-through when rule already exists
Product: [Retired] Red Hat Linux
Reporter: Dan Morrill <morrildl>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED CURRENTRELEASE
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 7.2
CC: rvokal
Hardware: All
OS: Linux
Fixed In Version: FC3
Doc Type: Bug Fix
Last Closed: 2005-09-29 19:47:53 UTC

Description Dan Morrill 2002-04-15 02:06:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901

Description of problem:
/etc/sysconfig/network-scripts/ifup-post, among other things, adds rules to let
the DNS servers specified in /etc/resolv.conf "punch through" the firewall.  As
part of a sanity check, the script parses the output of an ipchains -L -n to see
if the rules already exist.  If they do, then the code snippet does nothing.

However, the check is a little bit naive, because it looks for ANY rule in
ipchains, not just DNS-related rules.  In my case, I have my firewall (which is
also the DNS server) doing syslog to an internal RHL 7.2 box, so I had to add a
rule to /etc/sysconfig/ipchains to allow this.  However, that rule is firing the
sanity check just described, and so that script block does nothing.  Therefore,
I never get the DNS punch-through rules added.  This is the behavior of
ifup-post in RHL 7.2.  I haven't tried skipjack yet but I assume it's true
there, too.

The diff below is a simple fix.

--- /etc/sysconfig/network-scripts/ifup-post.orig       Sun Apr 14 21:52:09
2002+++ /etc/sysconfig/network-scripts/ifup-post    Sun Apr 14 21:52:44 2002
@@ -90,7 +90,7 @@
        ns=`awk '/^nameserver / { print $2 }' /etc/resolv.conf`
        if [ -n "$ns" ]; then
                for nameserver in $ns ; do
-                       if ! ipchains -L input -n | grep -q $nameserver ; then
+                       if ! ipchains -L input -n | grep domain | grep -q
$nameserver ; then
                                ipchains -I input -s $nameserver/32 53 -d 0/0
1025:65535 -p udp -j ACCEPT
                                [ -x /usr/bin/logger ] && logger $"punching
nameserver $nameserver through the firewall"
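Review bot: the `grep domain` added in the `+` line can never match, because the listing it filters comes from `ipchains -L input -n`, and `-n` prints ports numerically (the DNS rule shows `53`, not `domain`); with this filter the existence check always fails and the punch-through rule is re-inserted on every ifup. Filter on the numeric port instead (e.g. `grep -w 53`), and preferably compare the nameserver against the source column rather than the whole line, since `grep -q $nameserver` on the full line is exactly what caused the false positive the report describes.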


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.  add a rule for the DNS server manually (e.g. for syslog)
2.  service network restart
 

Actual Results:  DNS punch-through rules didn't get added

Expected Results:  DNS punch-through rules should have been added

Additional info:

Simple fix:  added a "| grep domain" element to the pipe chain.  I can show you
my /etc/sysconfig/ipchains if you care but it's trivial.
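To make the false positive concrete, here is an added example (not code from the bug report or from initscripts) that runs the shipped check, the reporter's corrected check from Comment 2, and a stricter column-based check over a constructed `ipchains -L input -n` listing; the listing's column layout imitates ipchains' numeric output but is hand-written, and the addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the bug report or from initscripts.
# It contrasts the ifup-post existence check with a stricter one over a
# constructed `ipchains -L input -n` listing; the column layout imitates
# ipchains' numeric output but is hand-written (an assumption).

# Constructed listing with NO DNS punch-through rule for 192.168.1.1:
# a syslog rule for that host and a DNS rule for a different host whose
# address happens to start with the same digits.
NO_DNS='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     udp  ------  192.168.1.1          0.0.0.0/0             514 ->   514
ACCEPT     udp  ------  192.168.1.10         0.0.0.0/0             53 ->   1025:65535'

# The same listing plus the rule ifup-post is supposed to add.
WITH_DNS="$NO_DNS
ACCEPT     udp  ------  192.168.1.1          0.0.0.0/0             53 ->   1025:65535"

# Check as shipped in RHL 7.2 ifup-post: any line mentioning the address counts.
# $1 = listing, $2 = nameserver address.
naive_has_rule() {
    printf '%s\n' "$1" | grep -q "$2"
}

# Check from the reporter's corrected diff (grep -w 53 is the portable
# spelling of "\<53\>"): narrows to rules involving port 53, but the address
# is still an unanchored regex, so 192.168.1.1 also matches 192.168.1.10.
diff_has_rule() {
    printf '%s\n' "$1" | grep -w 53 | grep -q "$2"
}

# Stricter check: udp rule whose source column equals the address exactly
# and whose source port is 53, i.e. the shape of the rule ifup-post inserts.
strict_has_rule() {
    printf '%s\n' "$1" | awk -v ns="$2" '
        $2 == "udp" && $4 == ns && $6 == "53" { found = 1 }
        END { exit !found }'
}

# Report which checks would wrongly skip adding the rule for 192.168.1.1.
for check in naive_has_rule diff_has_rule strict_has_rule; do
    if "$check" "$NO_DNS" 192.168.1.1; then
        echo "$check: rule 'already exists' in NO_DNS listing (false positive)"
    else
        echo "$check: rule missing in NO_DNS listing (correct)"
    fi
done
```

Only the column-based check reports the rule as missing for the first listing and present for the second; the other two are fooled by the syslog rule or by the 192.168.1.10 prefix.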

Comment 1 Dan Morrill 2002-04-15 02:15:19 UTC
Oops, forgot a step to reproduce:

1.  Add an ipchains rule (e.g. for syslog)
2.  service ipchains restart
3.  service network restart


Comment 2 Dan Morrill 2002-04-15 02:28:19 UTC
Oops, bug in the diff.  Disregard previous diff, use this one.

--- /etc/sysconfig/network-scripts/ifup-post.orig       Sun Apr 14 21:52:09
2002+++ /etc/sysconfig/network-scripts/ifup-post    Sun Apr 14 22:25:06 2002
@@ -90,7 +90,7 @@
        ns=`awk '/^nameserver / { print $2 }' /etc/resolv.conf`
        if [ -n "$ns" ]; then
                for nameserver in $ns ; do
-                       if ! ipchains -L input -n | grep -q $nameserver ; then
+                       if ! ipchains -L input -n | grep "\<53\>" | grep -q
$nameserver ; then
                                ipchains -I input -s $nameserver/32 53 -d 0/0
1025:65535 -p udp -j ACCEPT
                                [ -x /usr/bin/logger ] && logger $"punching
nameserver $nameserver through the firewall"
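Review bot: `grep "\<53\>" | grep -q $nameserver` in the `+` line still passes the unquoted, unanchored address to grep as a regex, so each `.` matches any character and a prefix match is enough: a port-53 rule for 192.168.1.10 satisfies the check for nameserver 192.168.1.1, and any line carrying `53` as a separate token, whichever column it sits in, survives the first filter. Quote the variable, use `grep -F` (or anchor the pattern), and compare against the source column only, for example with awk on the numeric listing, so that the check matches the specific rule the following `ipchains -I input -s $nameserver/32 53 ...` line inserts.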


Comment 3 Dan Morrill 2002-04-30 21:35:51 UTC
Any progress on this?  I'm writing a book and need to know if this will be
resolved or not in 7.3. :)

(Not that it matters either way -- you can make a case for NOTABUG;  I'd just
like to know if it's going to be fixed.)

Comment 4 Bill Nottingham 2002-06-12 06:57:40 UTC
Whoops, sorry, no it wasn't fixed in 7.3.

Comment 5 Dan Morrill 2002-08-22 03:54:54 UTC
I was looking at ifup-post in null, and it looks like this fix for DNS
punch-throughs didn't make it in, though the file was converted to use iptables.
(Unless I'm mistaken of course -- I haven't tested this yet, but it looks like
it'll have the same problem as 7.2/7.3.)

Just a reminder... :)

Comment 6 Bill Nottingham 2005-09-29 19:47:53 UTC
Closing bugs on older, no longer supported, releases. Apologies for any lack of
response.

Current releases no longer use this code, so it's unlikely changes will be made
to previous releases.