Bug 135667 - iptables loads no rules if FQDNs are used instead of IP addresses
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: iptables
Version: 3.0
Hardware: i686  OS: Linux
Priority: medium  Severity: medium
Assigned To: Thomas Woerner
QA Contact: Ben Levenson
Depends On:
Blocks:
Reported: 2004-10-14 05:11 EDT by Dr Philip J Naylor
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-20 06:15:22 EDT


Attachments: None
Description Dr Philip J Naylor 2004-10-14 05:11:35 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.3) Gecko/20040924

Description of problem:
As with bug #80783 I had been using machine names for firewall holes,
so as to avoid problems with dynamic/recycled IP addresses.  Whilst I
appreciate why this cannot work, it should be noted that an iptables
configuration like the one in "Additional Information" results in the
machine booting with NO firewall rules installed (i.e. the machine is
completely open) - this would not appear to be a safe failure mode,
for such a key security feature.

Version-Release number of selected component (if applicable):
iptables-1.2.8-12.3

How reproducible:
Always

Steps to Reproduce:
1. Create /etc/sysconfig/iptables which uses FQDNs for firewall holes,
as per "Additional Information"
2. Boot the machine (do not just restart iptables)
3. Run iptables --list

Actual Results:  No iptables rules are implemented; iptables --list
returns:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Expected Results:  All bar the rule for the unresolvable FQDN should
be implemented, or (at the very least) the failure mode should be to
block all access, not to allow all access.

Additional info:

Example /etc/sysconfig/iptables (all addresses changed for security) :

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ENM-Local - [0:0]
:RH-Firewall-1-INPUT - [0:0]
# jump to ENM-Local rule set
-A INPUT -j ENM-Local
-A INPUT -j RH-Firewall-1-INPUT
# start of ENM-Local rule set
# start of Nessus recommended stuff
-A ENM-Local -p tcp -m tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags ALL ALL -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags ALL NONE -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT
-A ENM-Local -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT
-A ENM-Local -p icmp -m icmp --icmp-type timestamp-request -s 0/0 -j REJECT
-A ENM-Local -p icmp -m icmp --icmp-type timestamp-reply -s 192.168.1.152 -j REJECT
# end of Nessus recommended stuff
# start of RPC stuff for quota, etc
-A ENM-Local -p udp -m udp -s 192.168.1.102 --sport 111 -d 0/0 --dport 1025:65535 -j ACCEPT
-A ENM-Local -p udp -m udp -s 192.168.1.102 --sport 32700:34000 -d 0/0 --dport 1025:65535 -j ACCEPT
# end of RPC stuff
# start of ssh stuff
-A ENM-Local -p tcp -m tcp --dport 22 -s adminws.foo.com --sport 1025:65535 --syn -j ACCEPT
-A ENM-Local -p tcp -m tcp --dport 22 -s mylaptop.sales.foo.com --sport 1025:65535 --syn -j ACCEPT
# end of ssh stuff
# end of ENM-Local rule set
# start of default firewall stuff
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.1.52 --sport 53 -d 0/0 --dport 1025:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp -s 192.168.2.33 --sport 53 -d 0/0 --dport 1025:65535 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Firewall-1-INPUT -p udp -m udp -j REJECT
# end of default firewall stuff
COMMIT
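Added example, not part of the bug report and not Red Hat's or the iptables project's code. The failure mode described above comes from iptables-restore resolving every hostname in a -s/-d argument while it loads the file and aborting the whole restore on the first lookup that fails; with the ACCEPT chain policies in the file, an aborted restore leaves the host with no rules at all. The script below is a pre-flight step for the same file: it finds the -s/-d values that are not address literals, resolves them before the restore runs, rewrites the rules with the resolved addresses, drops only the rules whose name cannot be resolved (the behaviour the reporter asked for), and exits non-zero when it had to drop anything so the caller can fail closed instead of open. The resolver is a parameter so the logic can be exercised without DNS; the sample ruleset is a constructed excerpt of the file in the report, and the function and variable names are this example's own.

```python
#!/usr/bin/env python3
"""Pre-flight resolver for an iptables-save format file (e.g. /etc/sysconfig/iptables).

iptables-restore looks up hostnames in -s/-d arguments while loading and aborts
the entire restore on the first failed lookup.  This script resolves the names
in advance, substitutes the addresses, drops only rules whose name does not
resolve, and exits non-zero if anything was dropped so the caller can fail closed.
"""
import ipaddress
import re
import socket
import sys

# Flags whose next token is a host or network specification.
ADDR_FLAGS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}

# IPv4 literal as iptables accepts it (inet_aton style, so "0/0" and "10/8" count),
# optionally followed by a prefix length or a dotted netmask.
_V4_LITERAL = re.compile(r"^[0-9]+(\.[0-9]+){0,3}(/([0-9]+|[0-9]+(\.[0-9]+){3}))?$")

# Whitespace split that keeps a double-quoted argument (-m comment --comment "...") intact.
_TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed sample (trimmed from the report's file): two ssh rules use hostnames.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:ENM-Local - [0:0]
-A INPUT -j ENM-Local
-A ENM-Local -p udp -m udp -s 192.168.1.102 --sport 111 -d 0/0 --dport 1025:65535 -j ACCEPT
-A ENM-Local -p tcp -m tcp --dport 22 -s adminws.foo.com --sport 1025:65535 --syn -j ACCEPT
-A ENM-Local -p tcp -m tcp --dport 22 -s mylaptop.sales.foo.com --sport 1025:65535 --syn -j ACCEPT
COMMIT
"""


def is_address_literal(value: str) -> bool:
    """True when iptables can parse `value` without a DNS lookup."""
    if _V4_LITERAL.match(value):
        return True
    try:
        ipaddress.ip_address(value.split("/", 1)[0])  # bare or prefixed IPv6 literal
        return True
    except ValueError:
        return False


def hostname_endpoints(text: str):
    """Yield (line_no, flag, name) for every -s/-d argument that needs a DNS lookup."""
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.startswith(("-A ", "-I ")):
            continue  # table, chain, comment and COMMIT lines carry no addresses
        tokens = _TOKEN.findall(line)
        for i, tok in enumerate(tokens[:-1]):
            if tok in ADDR_FLAGS and not is_address_literal(tokens[i + 1]):
                yield line_no, tok, tokens[i + 1]


def resolve_ruleset(text: str, resolver=socket.gethostbyname):
    """Return (resolved_text, warnings).

    Hostnames are replaced by the address `resolver` returns (gethostbyname is
    IPv4-only; use getaddrinfo for IPv6).  A rule whose name does not resolve
    is dropped and reported so that the rest of the ruleset still loads."""
    out, warnings = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.startswith(("-A ", "-I ")):
            out.append(line)
            continue
        tokens = _TOKEN.findall(line)
        keep = True
        for i, tok in enumerate(tokens[:-1]):
            if tok in ADDR_FLAGS and not is_address_literal(tokens[i + 1]):
                name = tokens[i + 1]
                try:
                    tokens[i + 1] = resolver(name)
                except OSError as exc:  # socket.gaierror / socket.herror subclass OSError
                    warnings.append(f"line {line_no}: dropped rule, cannot resolve {name}: {exc}")
                    keep = False
                    break
        if keep:
            out.append(" ".join(tokens))
    return "\n".join(out) + "\n", warnings


def main(argv):
    path = argv[1] if len(argv) > 1 else "/etc/sysconfig/iptables"
    with open(path) as fh:
        resolved, warnings = resolve_ruleset(fh.read())
    for warning in warnings:
        print(warning, file=sys.stderr)
    sys.stdout.write(resolved)  # feed this to iptables-restore
    return 1 if warnings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Intended use from an init script is `python3 resolve-rules.py /etc/sysconfig/iptables | iptables-restore`; if either command exits non-zero, set the default policies with `iptables -P INPUT DROP` (and likewise for FORWARD) so the failure mode is closed rather than the empty ACCEPT chains shown in "Actual Results". Note that this pins each name to the address it had at boot, so it addresses the load failure, not the dynamic-address problem that led the reporter to use names in the first place.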
Comment 1 Thomas Woerner 2004-10-20 06:15:22 EDT
There will be a note in the System Admin Guide for RHEL4.

Closing "NOT A BUG".
