164187 – Unable to configure port range in Other Ports

Bug 164187 - Unable to configure port range in Other Ports

Summary: Unable to configure port range in Other Ports

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	system-config-securitylevel
Sub Component:
Version:	4
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Chris Lumens
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-07-25 20:10 UTC by John Griffiths
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2005-12-02 18:51:02 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description John Griffiths 2005-07-25 20:10:52 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
I used /usr/bin/system-config-securitylevel and tried to open a port range using 6881-6999:tcp. system-config-securitylevel accepted the command, but when I checked it, only port 6881:tcp was opened. Am I missing something? I looked for a man page or help for system-config-securitylevel and couldn't find one. I did a google search for system-config-securitylevel and "port range" and got some stuff on ftp but nothing on actually opening a range.


Version-Release number of selected component (if applicable):
system-config-securitylevel-1.5.8.1-1

How reproducible:
Always

Steps to Reproduce:
1.run system-config-securitylevel
2.Enter a port range to open in "Other ports", i.e., 6881-6999:tcp
3.Exit
4.run system-config-securitylevel
5.Only first port shows in "Other ports", i.e., 6881:tcp
  

Actual Results:  Only first port shows in "Other ports", i.e., 6881:tcp

Expected Results:  A port range should have been created.

Additional info:

This makes it impossible to participate in a bittorent community.

Comment 1 Chris Lumens 2005-08-03 14:34:58 UTC

No, you're not missing anything.  s-c-securitylevel doesn't currently support
adding ranges.

Comment 2 John Griffiths 2005-08-03 16:01:37 UTC

The option -dport will accept a range according to the man page for iptables. If
I hand edit the /etc/sysconfig/iptables file to specify a range, will the
firewall accept it?

Comment 3 John Griffiths 2005-08-03 16:10:03 UTC

Answered my own question. Tried it. iptables -L lists the rule so it appears
this works. Of course now I cannot use system-config-securitylevel or it will
overwrite the rule and drop the port range.

Comment 4 John Griffiths 2005-08-03 19:07:27 UTC

Further comment. I can still use system-config-securitylevel to change SELinux
enforcing without rewriting the /etc/sysconfig/iptables file. I cannot change
the firewall ports or the iptables file is overwritten.

Seems this might be a fairly simple enhancement. system-config-securitylevel
will already accept ip-ip:tcp as a iprange on the "other ports" section. It just
does not parse and write the range. The output of system-config-securitylevel
could process the string before the : as it currently does and substitute a
colon for the dash since the format for a range is 

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6881:6999 -j
ACCEPT

Just a thought.

Note You need to log in before you can comment on or make changes to this bug.