Bug 140305 - Firewall IPv4 only
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: rawhide
Hardware: i686 Linux
Priority: medium
Severity: medium
Assigned To: Chris Lumens
Keywords: Security
Blocks: 177950
Reported: 2004-11-22 03:21 EST by Per Steinar Iversen
Modified: 2007-11-30 17:10 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-07-20 15:20:13 EDT
Description Per Steinar Iversen 2004-11-22 03:21:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3)
Gecko/20041020

Description of problem:
system-config-securitylevel only configures IPv4 firewalls, IPv6 is
ignored. This means that services that are blocked by the IPv4 firewall
still can be reached through IPv6. This also applies to the initial
firewall setup by anaconda.

Version-Release number of selected component (if applicable):
system-config-securitylevel-1.4.14-1

How reproducible:
Always

Steps to Reproduce:
1. Configure a firewall through system-config-securitylevel
2. Activate the new setup.
3. There is no effect on IPv6.
    

Actual Results:  Firewall rules are only written to
/etc/sysconfig/iptables and not to /etc/sysconfig/ip6tables

Expected Results:  At least have these rules identical for the two
protocols or block everything by default for IPv6.

Additional info:
Comment 1 Chris Lumens 2006-05-02 13:07:14 EDT
Please test 1.6.19-1 in Rawhide and see how well it works for you.  It should
currently be performing exactly the same actions for IPv4 and IPv6, except for a
couple things that are not currently supported by the ip6tables code.
Comment 2 Per Steinar Iversen 2006-05-03 05:43:10 EDT
It seems to write IPv6 firewall rules now, however there is no warning if
iptables/ip6tables are not enabled or even installed.
Comment 3 Chris Lumens 2006-05-03 10:20:39 EDT
s-c-securitylevel will enable the ip6tables service and load the appropriate
module.  The rest can be solved by making it require iptables-ipv6.
Comment 4 Per Steinar Iversen 2006-05-03 15:14:24 EDT
Some further testing seems to show that state-tracking does not seem to work
with ip6tables: When making an outgoing IPv6 tcp connection the returning
packets are blocked. Incoming IPv6 connections to open services are blocked too
with the current script. This must be a bug in iptables-ipv6 and not
system-config-securitylevel though.
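
The gap reported in the description (rules written to /etc/sysconfig/iptables but not to /etc/sysconfig/ip6tables) can be detected by comparing the two saved rulesets. The script below is an added example, not part of the bug report or of system-config-securitylevel; its function names and the sample ruleset are constructed for illustration, and the default-deny test is a heuristic.

```python
import shlex
# Constructed sample in the iptables-save format used by /etc/sysconfig/iptables.
V4_SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_ruleset(text):
    """Return (chain policies, appended rules) for the filter table."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules

def opened_ports(rules):
    """Set of (protocol, dport) pairs that some rule ACCEPTs."""
    ports = set()
    for r in rules:
        if "-p" in r and "--dport" in r and r[-2:] == ["-j", "ACCEPT"]:
            ports.add((r[r.index("-p") + 1], r[r.index("--dport") + 1]))
    return ports

def has_default_deny(policies, rules):
    """Heuristic: INPUT policy DROP, or an unconditional DROP/REJECT rule."""
    return policies.get("INPUT") == "DROP" or any(
        r[2:4] in (["-j", "DROP"], ["-j", "REJECT"]) for r in rules)

def compare(v4_text, v6_text):
    """List the ways the IPv6 ruleset is weaker than the IPv4 one."""
    (p4, r4), (p6, r6) = parse_ruleset(v4_text), parse_ruleset(v6_text)
    findings = []
    if has_default_deny(p4, r4) and not has_default_deny(p6, r6):
        findings.append("IPv6 has no default deny while IPv4 does")
    for proto, port in sorted(opened_ports(r6) - opened_ports(r4)):
        findings.append(f"{proto}/{port} accepted on IPv6 only")
    return findings

if __name__ == "__main__":
    print(compare(V4_SAMPLE, ""))
```

On a real host, pass the contents of the two files to `compare()`, using an empty string when /etc/sysconfig/ip6tables does not exist; the empty string models the state this bug describes.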
