Description of problem:
The ip(6)tables service has a severe issue that impacts the ability to use configuration management automation solutions and is a security vulnerability opening up the firewall for host attack. When the firewall is in the stopped state, the execution of ip(6)tables -L restarts the firewall with a blank configuration.

Version-Release number of selected component (if applicable):
iptables-1.4.7-16.el6.x86_64
iptables-ipv6-1.4.7-16.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. service ip(6)tables stop
2. service ip(6)tables status (shows ip(6)tables: Firewall is not running)
3. iptables -L
4. service ip(6)tables status

Actual results:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Expected results:
Should show "ip(6)tables: Firewall is not running", and should not be in the running state.

Additional info:
This should be a possible candidate for a CVE.
Why is this "a security vulnerability"? Not having rules is the same as default policy ACCEPT.
If you do not want to load the base netfilter modules, then you could use the iptables-save command.
The iptables -L command is loading netfilter modules if they are not loaded yet. The iptables init script is offering a way to list the rules only if the base netfilter modules are loaded: "service iptables status". Also iptables-save can be used. Closing this bug as not a bug.
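The practical lesson of the thread is that any automation which wants to know whether the firewall is loaded must not probe with iptables -L, because that call autoloads ip_tables and the filter table and so changes the state it is inspecting. The shell below is an added example, not code from the bug report or from the RHEL init script. It assumes that the kernel exposes the names of the registered tables, one per line, in /proc/net/ip_tables_names (ip6_tables_names for IPv6) only while the ip_tables module is loaded, and that reading that file never triggers module loading; the function names, the path parameter and the LSB-style return code 3 for "not running" are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the RHEL init script):
# report firewall state without triggering netfilter module autoload.
# Assumption: when ip_tables is loaded the kernel lists the registered
# tables, one per line, in /proc/net/ip_tables_names; when it is not
# loaded the file is absent. The path is a parameter so the functions can
# be exercised against a constructed file instead of the live kernel.

# Print the tables registered with the kernel, one per line. Print nothing
# and return 1 when the module is not loaded. Reading this file does not
# load modules, unlike "iptables -L".
loaded_tables() {
    names_file=${1:-/proc/net/ip_tables_names}
    [ -r "$names_file" ] || return 1
    cat "$names_file"
}

# Report running / not running without touching the iptables binary.
# Return codes follow the LSB "status" convention: 0 running, 3 not running.
firewall_status() {
    names_file=${1:-/proc/net/ip_tables_names}
    tables=$(loaded_tables "$names_file" | tr '\n' ' ')
    tables=${tables% }
    if [ -z "$tables" ]; then
        echo "iptables: Firewall is not running."
        return 3
    fi
    echo "iptables: Firewall is running, tables loaded: $tables"
    return 0
}

# Dump the rule set only when the module is already loaded, and do it with
# iptables-save (the listing path the maintainer suggests) rather than
# "iptables -L", so a stopped firewall stays stopped.
dump_rules_if_loaded() {
    names_file=${1:-/proc/net/ip_tables_names}
    if ! loaded_tables "$names_file" >/dev/null; then
        echo "iptables: nothing loaded; not probing the kernel"
        return 3
    fi
    command -v iptables-save >/dev/null 2>&1 || return 1
    iptables-save
}

# Usage when run directly: report the live state (the "|| :" keeps a
# "not running" result from being treated as a script failure).
firewall_status || :
```

Pointing the same functions at /proc/net/ip6_tables_names gives the IPv6 answer. A configuration management run that has to decide "is the firewall up?" can use firewall_status as its fact-gathering step, and dump_rules_if_loaded where it also needs the current rules, without ever calling iptables -L on a host whose firewall is intentionally stopped.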