Bug 65993

Summary: ifup-post and TCP DNS
Product: [Retired] Red Hat Linux
Reporter: Ville Skyttä <scop>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED CURRENTRELEASE
QA Contact: Brock Organ <borgan>
Severity: low
Priority: low
Version: 7.3
CC: rvokal
Hardware: i386
OS: Linux
URL: http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-5.html#ss5.2
Doc Type: Bug Fix
Last Closed: 2005-04-05 19:51:30 UTC

Description Ville Skyttä 2002-06-04 19:11:02 UTC
This is really low priority and I haven't been bitten by it, but just noticed 
that ifup-post only punches the incoming UDP DNS traffic through the local 
firewall, and the IPCHAINS-HOWTO has a small chapter related to outgoing TCP 
DNS connections [1]. 
 
Maybe it would be good to make ifup-post do something like: 
 
ipchains -I output -s 0/0 1024:65535 -d $nameserver/32 53 -p tcp -y -j ACCEPT 
 
...so DNS would also work in cases where there are some restrictions on 
outgoing traffic.  Maybe also the corresponding rule with source port 53, and 
the "-p tcp ! -y" input from these servers. 
 
[1] <URL:http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-5.html#ss5.2>
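
An added example (not code from the report or from initscripts), in Python: it reads the nameservers from a constructed resolv.conf text, the file ifup-post takes them from, and renders for each server the stateless ipchains pair proposed above, where "-y" on the output rule and "! -y" on the input rule confine the opening to the client's own SYN and the server's non-SYN replies, next to the stateful iptables form that later closed the bug (assumed here as the modern equivalent). The commands are only rendered as strings, never executed.

```python
import re
import shlex

# Constructed sample of /etc/resolv.conf, the file ifup-post reads nameservers from.
SAMPLE_RESOLV_CONF = """\
search example.com
nameserver 192.0.2.53
nameserver 192.0.2.54
"""

def nameservers(resolv_conf: str) -> list[str]:
    """Return the distinct IPv4 nameserver addresses listed in a resolv.conf text."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", parts[1]) and parts[1] not in found:
                found.append(parts[1])
    return found

def ipchains_tcp_dns_rules(ns: str) -> list[list[str]]:
    """Stateless ipchains pair for one nameserver: the SYN-only outgoing rule from the
    report, plus the input rule that admits only non-SYN packets (replies) from port 53,
    so the opening cannot be used to start a new connection inward."""
    return [
        ["ipchains", "-I", "output", "-s", "0/0", "1024:65535",
         "-d", f"{ns}/32", "53", "-p", "tcp", "-y", "-j", "ACCEPT"],
        ["ipchains", "-I", "input", "-s", f"{ns}/32", "53",
         "-d", "0/0", "1024:65535", "-p", "tcp", "!", "-y", "-j", "ACCEPT"],
    ]

def iptables_stateful_dns_rules(ns: str) -> list[list[str]]:
    """Assumed stateful equivalent: permit the new outbound TCP/53 connection and let
    connection tracking pass the replies, with no port-range guesswork."""
    return [
        ["iptables", "-I", "OUTPUT", "-d", ns, "-p", "tcp", "--dport", "53",
         "-m", "state", "--state", "NEW,ESTABLISHED", "-j", "ACCEPT"],
        ["iptables", "-I", "INPUT", "-s", ns, "-p", "tcp", "--sport", "53",
         "-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]

def render(resolv_conf: str, stateful: bool = False) -> list[str]:
    """Render the shell commands for every nameserver; nothing is applied to the host."""
    maker = iptables_stateful_dns_rules if stateful else ipchains_tcp_dns_rules
    return [shlex.join(rule) for ns in nameservers(resolv_conf) for rule in maker(ns)]

if __name__ == "__main__":
    for cmd in render(SAMPLE_RESOLV_CONF) + render(SAMPLE_RESOLV_CONF, stateful=True):
        print(cmd)
```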

Comment 1 Bill Nottingham 2005-04-05 19:51:30 UTC
Closing, stateful connection handling takes care of this.

Comment 2 Ville Skyttä 2005-04-05 20:49:25 UTC
Yes, if the default config allows outgoing TCP connections to the DNS server,
and incoming related "replies".  That's what I meant by "some restrictions on
outgoing traffic", IIRC.

No need to reopen though, as said this is a very low priority one, and people
should probably be taking care of it themselves if they put such restrictive
default rules in place.  Just confirming that I understood your point.