Bug 79516

Summary: Official Redhat Security Guide has some misinformation
Product: Red Hat Web Site
Reporter: Richard Oatridge <richardo>
Component: Documentation
Assignee: John Ha <jha>
Status: CLOSED RAWHIDE
QA Contact: Tammy Fox <tammy.c.fox>
Severity: medium
Docs Contact:
Priority: medium
Version: current
CC: adstrong, jrfuller
Target Milestone: ---
Keywords: Documentation, FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-12-12 17:17:30 UTC
Type: ---

Description Richard Oatridge 2002-12-12 17:06:32 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

Description of problem:
Documentation Page Reference : rhl-sg(EN)-8.0-HTML-RHI (2002-08-30T11:29-0400)


I was just reading the above document regarding security when I noticed some
mistakes in the section entitled 'Using iptables'.
The documentation states that the OUTPUT chain is used for packets travelling
from an internal LAN to the internet (i.e. 'through' the firewall); this is not
so. The OUTPUT chain is used *only* for packets originating from local
processes on the iptables machine itself; likewise, the INPUT chain is used
*only* for packets that are destined for processes running locally on the
iptables machine itself. The FORWARD chain is used for *all* other packets ...
including all packets that are going from one network to another, whichever way
they travel through the machine (i.e. in the LAN<->Inet example above, either in
a LAN->Inet fashion, or Inet->LAN) ... Sorry to be nit-picky, but it is an
important distinction, and there are a lot of postings on the netfilter mailing
list about this very point.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Just have a read ... ;)

Additional info:

Comment 1 John Ha 2002-12-12 17:56:35 UTC
Thank you for the input. The firewall chapter will be revised with a clearer
distinction between INPUT, OUTPUT, and FORWARD chains to alleviate confusion and
prevent possible misconfiguration. 

Thanks again for the suggestion. The Security Guide will improve with each new
release due in large part to reader input like yours.
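
The chain distinction raised in the description, as an added example that is not part of the bug report or of the Security Guide: a simplified Python model of which filter chains a packet traverses, showing that a DROP rule placed in OUTPUT never sees LAN->Inet traffic while the same rule in FORWARD does. The addresses, rule tuples and function names are constructed for illustration, and only ACCEPT and DROP targets are modelled.

```python
import ipaddress

# Constructed topology (assumption): firewall addresses on loopback, LAN and Internet side.
LOCAL_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "192.168.1.1", "203.0.113.5")}

def chains_for(src, dst, local=LOCAL_ADDRS):
    """Filter-table chains a packet traverses, in order.

    Simplified model: "local" is decided by address comparison and NAT is
    ignored; the kernel decides by socket origin and routing lookup.
    """
    src_local = ipaddress.ip_address(src) in local
    dst_local = ipaddress.ip_address(dst) in local
    if src_local and dst_local:
        return ["OUTPUT", "INPUT"]  # local process to local process
    if src_local:
        return ["OUTPUT"]           # generated on the firewall itself
    if dst_local:
        return ["INPUT"]            # delivered to the firewall itself
    return ["FORWARD"]              # routed through, either direction

def verdict(src, dst, rules, policy="ACCEPT", local=LOCAL_ADDRS):
    """First-match verdict, consulting only the chains the packet traverses."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for chain in chains_for(src, dst, local):
        target = policy  # chain policy applies when no rule matches
        for r_chain, r_src, r_dst, r_target in rules:
            if (r_chain == chain and s in ipaddress.ip_network(r_src)
                    and d in ipaddress.ip_network(r_dst)):
                target = r_target
                break
        if target == "DROP":
            return "DROP"
    return "ACCEPT"

# Constructed rule sets: (chain, source net, destination net, target).
MISPLACED = [("OUTPUT", "192.168.1.0/24", "0.0.0.0/0", "DROP")]   # meant to block LAN->Inet
CORRECTED = [("FORWARD", "192.168.1.0/24", "0.0.0.0/0", "DROP")]

if __name__ == "__main__":
    lan_host, inet_host = "192.168.1.50", "198.51.100.7"
    print(chains_for(lan_host, inet_host), chains_for(inet_host, lan_host))
    print("misplaced:", verdict(lan_host, inet_host, MISPLACED))
    print("corrected:", verdict(lan_host, inet_host, CORRECTED))
    print("firewall's own traffic under misplaced rule:",
          verdict("192.168.1.1", inet_host, MISPLACED))
```

Under the misplaced rule set the LAN host's traffic is still forwarded, while the firewall's own outbound traffic from its LAN address is dropped instead.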