Bug 101527 - ifup-post punches not quite enough udp ports through firewall for dns lookups.
Product: Red Hat Linux
Classification: Retired
Component: initscripts
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
Brock Organ
Reported: 2003-08-02 14:48 EDT by Philip Hirschhorn
Modified: 2014-03-16 22:37 EDT

Doc Type: Bug Fix
Last Closed: 2003-08-13 23:43:00 EDT

Description Philip Hirschhorn 2003-08-02 14:48:43 EDT
Description of problem:
ifup-post tries to punch the nameservers through the iptables firewall, but it
only opens ports 1025:65535 (that is, it does *not* open port 1024 for dns
inquiries).  When the ntpd startup script runs at boot time, it tries to find
the ip address of each server listed in /etc/ntp.conf, and the dns inquiries
generated go out through port 1024, and so the dns replies are blocked by
iptables (at least this is true if iptables was configured with high security,
in which case it discards all udp packets unless some other script opens up a
udp port).  I determined this by running tcpdump on my gateway machine.

If I rerun the ntp startup script *after* the machine is up and running, the dns
inquiries go out on ports higher than 1024 (usually 1026 or 1027), and so
there's no problem.  However, when the ntp startup script runs at boot time, its
dns lookups consistently use port 1024, and so the dns replies are blocked.

Version-Release number of selected component (if applicable):

How reproducible:
Happens every time that the ntp startup script runs at boot time.  When the ntp
startup script is run after the machine is fully booted, it uses ports for dns
inquiries and there are no problems.

Steps to Reproduce:
1. Install iptables with high security (so that all incoming udp packets are
2. Configure ntp to use several servers specified by name, rather than by IP
address, so that dns lookups will be required when ntp is started up so that the
time servers can be punched through the firewall.
3. Have some coffee, and maybe a doughnut (chocolate honey dipped are nice).

Actual results:
The ntp startup script, at boot times, fails in its attempts to punch the
timeservers through the firewall.

Expected results:
The ntp startup script should punch the timeservers through the firewall at boot

Additional info:
Comment 1 Bill Nottingham 2003-08-13 23:43:00 EDT
This will be solved with redhat-config-securitylevel-1.2.x.
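The gap the report describes, as an added example that is not part of the bug report or of initscripts: a small Python checker that parses iptables-save style rules and lists the local ports for which a DNS reply from a given nameserver would fall through to the chain's DROP policy. The rule lines and the 192.0.2.x nameserver addresses are constructed for the example; only the 1025:65535 range comes from the report.

```python
import re

# Constructed sample in iptables-save format (not the rules the real ifup-post
# wrote): one nameserver gets the 1025:65535 range from the report, the other a
# range that starts at 1024. Everything else falls through to the DROP policy.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.0.2.53/32 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A INPUT -s 192.0.2.54/32 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT
"""

# An ACCEPT rule for UDP from source port 53 (a DNS reply), with an optional
# nameserver address and a --dport given as one port or a low:high range.
DNS_REPLY_RE = re.compile(
    r"^-A (?P<chain>\S+)(?: -s (?P<src>\S+))? -p udp -m udp --sport 53"
    r" --dport (?P<lo>\d+)(?::(?P<hi>\d+))? -j ACCEPT$"
)

def dns_reply_rules(rules_text):
    """Return (nameserver or None, low_port, high_port) for each DNS-reply rule."""
    found = []
    for line in rules_text.splitlines():
        m = DNS_REPLY_RE.match(line.strip())
        if m:
            lo = int(m["lo"])
            hi = int(m["hi"]) if m["hi"] else lo
            found.append((m["src"], lo, hi))
    return found

def reply_allowed(rules, nameserver, local_port):
    """True if a reply from nameserver to local_port matches an ACCEPT rule."""
    return any(src in (None, nameserver) and lo <= local_port <= hi
               for src, lo, hi in rules)

def uncovered_ports(rules_text, nameserver, first=1024, last=65535):
    """Local ports in [first, last] whose replies from nameserver are dropped.
    With the report's 1025:65535 rule the result is exactly [1024]."""
    rules = dns_reply_rules(rules_text)
    return [p for p in range(first, last + 1)
            if not reply_allowed(rules, nameserver, p)]

if __name__ == "__main__":
    for ns in ("192.0.2.53/32", "192.0.2.54/32"):
        print(ns, "blocked resolver ports:", uncovered_ports(SAMPLE_RULES, ns))
```

Running it against the live ruleset (`iptables-save` output) for each nameserver in /etc/resolv.conf shows whether the reply hole covers every port the resolver can bind, including 1024.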
