Red Hat Bugzilla – Bug 129348
Firewall open during /etc/init.d/iptables restart
Last modified: 2007-11-30 17:10:47 EST
Description of problem:
/etc/init.d/iptables restart works by invoking the stop() and then the start()
functions. The stop() function will (among other things) set the policies for
all chains to ACCEPT. This opens a small window of opportunity for an
attacker to inject some packets into the network that firewall should
The solution to the problem would be to change the stop() function so that
it detects that iptables was called with the restart argument, and if that
is the case does not reset policies on built-in chains (if the policy is
changed in /etc/sysconfig/iptables file, it will get loaded anyhow by
This is a minor security issue, since the time window when the
firewall is open is very small and it is hard for an attacker to
predict when it will happen. However, I believe that this should be
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. /etc/init.d/iptables restart
Please think of this situation:
- user is remotely logged in
- user has modified /etc/sysconfig/iptables with a typo
- user restarts firewall
- removing all rules
- setting policy to drop or leaving as drop
- new firewall can not get applied because of the typo
-> policy is still drop
-> user can not use this box anymore and can not fix the rules
This is not good.
I'll close this bug as "NOT A BUG"
There is something in your arguments. However, when was the last time
you turned on firewall logging on a machine connected directly to the
Internet? That typo (and the resulting open firewall for a minute or two
until the user corrects it) can lead to system compromise, and a bunch of
worms flying into the user's internal network.
I guess this is a tradeoff issue. Since one of the sides in this
tradeoff is security, maybe it would be best if the user had a
configuration option allowing him to choose in which state his
firewall should be during reload (or when she/he makes a typo).
Just my 2 cents.
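The two positions in this thread (no ACCEPT window during restart, but no lockout on a typo either) can both be met. The script below is an added example, not Red Hat's init script: stop() only resets policies to ACCEPT on a real stop, as the reporter proposed, and restart() goes beyond the proposal by parsing the candidate ruleset first and then replacing the table in one iptables-restore commit. It assumes iptables-restore supports --test and that the ruleset lives at /etc/sysconfig/iptables; the IPTABLES and IPTABLES_RESTORE variables exist only so the commands can be overridden.

```shell
#!/bin/sh
# Added example (not the Red Hat init script): restart logic that never
# passes through an ACCEPT-all state and refuses a ruleset that does not parse.
# Assumes iptables-restore supports --test; variable names are constructed here.
IPTABLES=${IPTABLES:-iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
RULES=${RULES:-/etc/sysconfig/iptables}

# Parse the candidate ruleset without committing anything to the kernel.
check_rules() {
    "$IPTABLES_RESTORE" --test < "$RULES"
}

# The reporter's proposed stop(): flush rules, but only reset the built-in
# chain policies to ACCEPT on a real stop, never when called for a restart.
stop() {
    mode=${1:-stop}
    "$IPTABLES" -F
    "$IPTABLES" -X
    if [ "$mode" != restart ]; then
        for chain in INPUT OUTPUT FORWARD; do
            "$IPTABLES" -P "$chain" ACCEPT
        done
    fi
}

# restart: validate first, then let iptables-restore swap the whole table in
# one commit. The old rules stay in force until the new ones apply, and a
# typo leaves the old working firewall in place rather than an empty DROP.
restart() {
    if ! check_rules; then
        echo "restart: $RULES does not parse; keeping current rules" >&2
        return 1
    fi
    "$IPTABLES_RESTORE" < "$RULES"
}

case "${1:-}" in
    stop)    stop ;;
    restart) restart ;;
esac
```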