Bug 25951 - firewall is configured before the dhcp query for nameservers
firewall is configured before the dhcp query for nameservers
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: initscripts (Show other bugs)
7.1
i386 Linux
high Severity high
: ---
: ---
Assigned To: Bill Nottingham
David Lawrence
:
: 25408 25490 25929 25936 26010 26114 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-02-04 00:47 EST by sandy
Modified: 2014-03-16 22:18 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-02-06 13:13:44 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description sandy 2001-02-04 00:47:04 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.0-0.99.11 i686)


The firewall is setup before the dhcp query for the
 DNS nameservers.  Therefore /etc/sysconfig/ipchains does not have any 
 permissions setup for the DNS namesevers.  Therefore the firewall
prohibits 

 (1) the host from resolving it's own DNS name from the nameservers

 (2) the host from resolving any other DNS name from the nameservers.

 I think you need to do the dhcp query before setting up the firewall
permissions
 during the boot.

 To work around the problem I have to use the Text Mode Setup Utility
"setup" 
 to (1) remove the firewall configuration, (2) configure the network, (3)
 configure
 the firewall again (I don't want to play with the init scripts).

Reproducible: Always
Steps to Reproduce:
1. install fisher
2. choose dhcp network setup 
3. choose firewall setup
	

Actual Results:  can not resolve DNS names after boot

Expected Results:  should be able to resolve DNS names after boot

refer to Bug # 25936
Comment 1 Tim Waugh 2001-02-05 05:27:34 EST
But if the host also requires DHCP, you need to check the 'DHCP' box too.  Does
that solve the problem?
Comment 2 Bill Nottingham 2001-02-05 10:59:28 EST

*** This bug has been marked as a duplicate of 25510 ***
Comment 3 Bill Nottingham 2001-02-05 10:59:43 EST
oops, wrong bug.
Comment 4 Bill Nottingham 2001-02-05 11:00:15 EST
*** Bug 25490 has been marked as a duplicate of this bug. ***
Comment 5 Bill Nottingham 2001-02-05 11:00:24 EST
*** Bug 25408 has been marked as a duplicate of this bug. ***
Comment 6 Bill Nottingham 2001-02-05 15:44:41 EST
*** Bug 26010 has been marked as a duplicate of this bug. ***
Comment 7 David Sainty 2001-02-05 18:03:31 EST
Selecting DHCP in the firewall configuration is only required if you are going
to run a DHCP server - not just if you're a client. (I tested this a couple of
times myself, and this is also what the docs say should be the case.)

The problem is that when RHL first installs (selecting DHCP for DNS allocation),
anaconda leaves the file as:

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY

and as a result DNS lookup won't work. If you re-run lokkit, and choose high
security after installation, assuming DHCP has allocated your DNS servers and
they have been recorded in /etc/resolv.conf you will now have appropriate DNS
entries, i.e.:

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 1.2.3.4 53 -d 0/0 -p udp -j ACCEPT
-A input -s 1.2.3.5 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY

We either need anaconda to be DNS aware, or we need the high security rules to
allow incoming 53 dns.

Two more important issues:

- Allocation of new dns servers (manually specified or via DHCP). I presume this
is not being properly catered for in our automated /etc/sysconfig/ipchains rules
and this is going to be a real problem for people.
- Another problem is lokkit does not wipe out the firewall rules it has put in
place, when you run it as root and select no firewall!!

I can test or provide any more information if necessary.
Comment 8 Bill Nottingham 2001-02-05 19:54:02 EST
*** Bug 25936 has been marked as a duplicate of this bug. ***
Comment 9 Bill Nottingham 2001-02-05 19:54:37 EST
*** Bug 25929 has been marked as a duplicate of this bug. ***
Comment 10 Bernhard Rosenkraenzer 2001-02-06 12:15:52 EST
*** Bug 26114 has been marked as a duplicate of this bug. ***
Comment 11 Chris Evans 2001-02-06 13:10:00 EST
Upping the priority and severity!
I hit this bigtime.
The installer pretty much directs you to selecting "High security"
firewall, which is great. The blurb at the left side of the dialog
claims that a high security setup will let in DNS and nothing else.
.
It lied.
.
I configured and brought up my modem dialup link. And it was hosed
due to blocked name resolution. :-(
Comment 12 Bill Nottingham 2001-02-06 13:13:39 EST
It doesn't exactly *lie*, it just lets in only the DNS that's configured
at install time. :)
Comment 13 Bill Nottingham 2001-02-06 18:24:08 EST
This should be fixed in initscripts-5.62-1.

Note You need to log in before you can comment on or make changes to this bug.