Bug 976598
| Summary: | Updating iptables config is inconsistent. | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Summer Long <slong> |
| Component: | doc-Installation_and_Configuration_Guide | Assignee: | Don Domingo <ddomingo> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ecs-bugs |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 3.0 | CC: | alyoung, ddomingo, sgordon, zaitcev |
| Target Milestone: | --- | Keywords: | Documentation, Triaged |
| Target Release: | 4.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-01-06 00:04:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1011085 | | |
Description
Summer Long
2013-06-21 01:10:40 UTC
The other alternative is a tool called lokkit but would have to check if it is always available (need it to be in the @base package group in RHEL).

(In reply to Summer Long from comment #0)
> Section Number and Name:
> Firewall sections
>
> Describe the issue:
> Currently, the following update methods are used:
> --On the command line, with 'iptables -A INPUT' (goes on end of chain)
> --On the command line, with 'iptables -I INPUT' (uses a number to determine
> where to place)

I had forgotten but further testing has confirmed, the default RHEL firewall includes a REJECT all rule at the end of the INPUT chain. As a result both of these methods of updating the firewall result in the new rule being inserted *after* the rule that REJECTs the traffic (hence having no impact). That is unless of course you happen to know the exact number to provide with -I (unlikely). I think that's why I had gone with the update the file approach in the first place (on top of the reasons in the description).

Taking this one for now. Will update the BZ status once my RH account gets reactivated. --ddomingo

I revised the iptables instructions in the following topics to make them consistent with all the others; they are all of the "update config file" variety now:

Configuring NRPE Firewall Configuration Configuring the Object Storage Service Storage Nodes

By the way, the iptables rule in that last topic also opens port 873, not sure why. Left it as is for now.
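
The rule-ordering concern in this thread can be checked against the config file itself. The following is an added example, not part of the original bug report or of the Red Hat documentation: it flags rules in an iptables-save format file that sit after a catch-all REJECT/DROP in a chain, and places a new rule just before that catch-all. The sample ruleset and the function names are constructed for illustration; port 873 is the one mentioned in the last comment.

```python
TERMINAL = {"REJECT", "DROP"}

# Constructed sample in iptables-save format, modelled on a default RHEL
# /etc/sysconfig/iptables; the port 873 rule was appended after the REJECT.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 873 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def is_catch_all(line, chain):
    """True for '-A <chain> -j REJECT|DROP ...', i.e. no match options before -j."""
    tok = line.split()  # assumes iptables-save ordering: matches come before -j
    return tok[:3] == ["-A", chain, "-j"] and len(tok) > 3 and tok[3] in TERMINAL

def shadowed_rules(text, chain="INPUT", table="filter"):
    """Return (line number, rule) for rules placed after the chain's catch-all."""
    found, in_table, blocked = [], False, False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):  # table header, e.g. *filter or *nat
            in_table, blocked = (line == "*" + table), False
        elif in_table and line.startswith("-A " + chain + " "):
            if blocked:  # rules are evaluated top-down; this one is never reached
                found.append((n, line))
            blocked = blocked or is_catch_all(line, chain)
    return found

def insert_before_catch_all(text, rule, chain="INPUT", table="filter"):
    """Return text with rule placed before the chain's first catch-all (or COMMIT)."""
    out, in_table, done = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("*"):
            in_table = (s == "*" + table)
        if in_table and not done and (is_catch_all(s, chain) or s == "COMMIT"):
            out.append(rule)
            done = True
        out.append(line)
    return "\n".join(out) + "\n"
```
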