Red Hat Bugzilla – Bug 138143
RFE: Avoid implicitly overwriting user customizations to the firewall (e.g. manual additions to /etc/sysconfig/iptables)
Last modified: 2008-05-05 08:15:57 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Description of problem:
system-config-securitylevel is quite a useful tool for getting started
with iptables. Its GUI generates a clean, usable configuration file
which provides excellent insight into iptables's configuration syntax.
However, it doesn't support the full range of functionality offered
by iptables (e.g. masquerading, IP blocking, etc.). Today, to get the
additional functionality your average user needs for a small office or
home network, she will scour the web looking for the Right config
snippets, modify them to her environment, and paste'em into her config
file. If system-config-securitylevel is later invoked again, those
necessary, hand-coded config snippets will be blown away.
The comment "Manual customization of this file is not recommended."
does indeed exist in the generated iptables configuration file,
hinting to users that an overwrite may occur. However, overwriting is
simply not desirable behavior.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run system-config-securitylevel and setup a firewall.
2. Add some additional lines to the /etc/sysconfig/iptables
configuration file generated by system-config-securitylevel.
3. Re-run system-config-securitylevel, making a minor change to the
firewall configuration setup in step #1.
Actual Results: Configuration lines manually added in step #2 have
disappeared. Any changes from step #3 exist as expected.
Expected Results: Lines in the config file not matching those
generated by system-config-securitylevel should be preserved. Since
the manual configuration has the possibly of interfering with the
tool-generated configuration, the tool's UI should indicate to the
users of that their file contains "unexpected" configuration.
Since this indication of manual customizations is useful regardless of
whether the contents of the file is modified or not (you do NOT want
to overwrite user customizations), I recommend a permanent flag in the
GUI (as opposed to a popup message), and possibly a no-op and warning
message from the text-based UI.
Other bug reports and enhancement requests noted that Firestarter
might be a useful tool to integrate to help with configuring the firewall.
Created attachment 106196 [details]
Sample iptables configuration file generated by system-config-securitylevel, then subsequently manually edited
Currently this is how s-c-securitylevel works, it assumes that it's in
Future work will enable better customisation see bug #124161 for
example. The correct fix here is to enable it so you can configure
what you need via gui/tui.
That's not really a reason _why_. And it sucks.
In bug #124161, Paul suggested that I re-open this bug as an
enhancement. Without this change, users lacking the non-obvious piece
of knowledge that "system-config-securitylevel assumes it's in
control" cannot make edits to /etc/sysconfig/iptables, nor use any
other related software which writes iptables' config file.
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
*** Bug 171947 has been marked as a duplicate of this bug. ***
*** Bug 173231 has been marked as a duplicate of this bug. ***
(In reply to comment #5)
> Fedora Core 2 is now maintained by the Fedora Legacy project for
> security updates only. If this problem is a security issue, please
> reopen and reassign to the Fedora Legacy product. If it is not a
> security issue and hasn't been resolved in the current FC3 updates or
> in the FC4 test release, reopen and change the version to match.
The bugs that have been marked duplicates of this bug were opened against FC4,
so there should not be a need to reopen the bug in those versions as they are
What is the status on this bug?
Waiting for some movement on bug 175947, which I made this one depend on a while
back. Getting that one done will give me a quick and easy way to take care of
This bug depends on bug 175947, but it's closed as 'not a bug'....
The next version will contain a potential fix for this issue - it will allow
specifying a custom rules file in the format of iptables-save that gets included
after all the default rules. The GUI and lokkit command line interfaces support
a method of setting this parameter, but the text UI currently does not (however,
it will not nuke the setting if you add it via the command line and then run the
Adding FutureFeature keyword to RFE's.
Please use the custom rules feature of system-config-firewall, which replaced
Closing as rawhide.