Red Hat Bugzilla – Bug 101527
ifup-post punches not quite enough udp ports through firewall for dns lookups.
Last modified: 2014-03-16 22:37:51 EDT
Description of problem:
ifup-post tries to punch the nameservers through the iptables firewall, but it
only opens ports 1025:65535 (that is, it does *not* open port 1024 for dns
inquiries). When the ntpd startup script runs at boot time, it tries to find
the ip address of each server listed in /etc/ntp.conf, and the dns inquiries
generated go out through port 1024, and so the dns replies are blocked by
iptables (at least this is true if iptables was configured with high security,
in which case it discards all udp packets unless some other script opens up a
udp port). I determined this by running tcpdump on my gateway machine.
If I rerun the ntp startup script *after* the machine is up and running, the dns
inquiries go out on ports higher than 1024 (usually 1026 or 1027), and so
there's no problem. However, when the ntp startup script runs at boot time, its
dns lookups consistently use port 1024, and so the dns replies are blocked.
Version-Release number of selected component (if applicable):

How reproducible:
Happens every time that the ntp startup script runs at boot time. When the ntp
startup script is run after the machine is fully booted, it uses ports for dns
inquiries and there are no problems.
Steps to Reproduce:
1. Install iptables with high security (so that all incoming udp packets are
2. Configure ntp to use several servers specified by name, rather than by IP
address, so that dns lookups will be required when ntp is started up so that the
time servers can be punched through the firewall.
3. Have some coffee, and maybe a doughnut (chocolate honey dipped are nice).
Actual results:
The ntp startup script, at boot times, fails in its attempts to punch the
timeservers through the firewall.

Expected results:
The ntp startup script should punch the timeservers through the firewall at boot
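The report above comes down to a mismatch between the UDP reply ports the firewall rules allowed (1025:65535) and the source port the resolver actually used at boot (1024). The following shell script is an added example, not code from the bug report, from ifup-post or from redhat-config-securitylevel: it reads the kernel's ephemeral port range instead of assuming one, checks a firewall port range against it, and prints DNS-reply rules built from the real range. The iptables rule syntax and the /proc path are standard; the sample range file and resolv.conf are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from ifup-post: check whether
# the UDP reply ports a firewall allows cover the kernel's ephemeral source-port
# range, and build DNS-reply rules from the real range rather than a guess.

# ephemeral_range FILE: print "low high" from a file in the format of
# /proc/sys/net/ipv4/ip_local_port_range (path passed in so a sample can be used).
ephemeral_range() {
    read -r lo hi < "$1"
    echo "$lo $hi"
}

# range_covers ALLOWED LOW HIGH: ALLOWED is an iptables port range "a:b".
# Returns 0 if every port in LOW..HIGH lies inside a..b, 1 otherwise.
range_covers() {
    lo=${1%%:*}
    hi=${1##*:}
    [ "$lo" -le "$2" ] && [ "$hi" -ge "$3" ]
}

# dns_reply_rules RESOLV_CONF LOW HIGH: for each nameserver line, print an
# iptables rule accepting UDP replies from port 53 to LOW:HIGH. Rules are
# printed, not applied, so they can be reviewed before use.
dns_reply_rules() {
    awk -v range="$2:$3" '$1 == "nameserver" {
        printf "iptables -A INPUT -p udp -s %s --sport 53 --dport %s -j ACCEPT\n", $2, range
    }' "$1"
}

# Constructed sample inputs (not taken from any real system) so this runs
# standalone: a port-range file shaped like the kernel's, and a tiny resolv.conf.
SAMPLE_RANGE=$(mktemp); printf '1024\t65535\n' > "$SAMPLE_RANGE"
SAMPLE_RESOLV=$(mktemp); printf 'nameserver 192.0.2.1\nnameserver 192.0.2.2\n' > "$SAMPLE_RESOLV"

# The range the report says ifup-post opened, checked against the sample kernel range.
set -- $(ephemeral_range "$SAMPLE_RANGE")
if range_covers "1025:65535" "$1" "$2"; then
    echo "1025:65535 covers the ephemeral range $1-$2"
else
    echo "1025:65535 leaves part of the ephemeral range $1-$2 blocked; rules needed:"
    dns_reply_rules "$SAMPLE_RESOLV" "$1" "$2"
fi
```

On a live system, pass /proc/sys/net/ipv4/ip_local_port_range and /etc/resolv.conf instead of the sample files; the printed rules are only a starting point and still need the rest of the host's policy around them.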
This will be solved with redhat-config-securitylevel-1.2.x.