Bug 26010 - ipchains rules are overzealous
Summary: ipchains rules are overzealous
Status: CLOSED DUPLICATE of bug 25951
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: anaconda (Show other bugs)
(Show other bugs)
Version: 7.1
Hardware: i386 Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-02-04 23:51 UTC by Jay Berkenbilt
Modified: 2014-03-17 02:18 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-02-05 16:40:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jay Berkenbilt 2001-02-04 23:51:40 UTC
During installation, I selected customized firewall security and explicitly
allowed telnet, ftp, and ssh.  (This is my home network which is behind a
firewall.  I figured that would be good enough as my real firewall accepts
only ssh...)  The result was the following /etc/sysconfig/ipchains:

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 10.160.59.1 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY

With this configuration, a few things didn't work that should have
including kinit and nfs mounts.  (Neither nfs client nor server worked.)

It seems that rejecting all udp packets coming into the input chain is too
strict for most purposes.  If someone is going to mount file systems via
nfs, this is too tight.  Anyway, I'm very glad to see that the default
RedHat install is too tight rather than too loose.  This is the right way
to err.  However, maybe some refinement is still in order before the real
release, or at least being a little louder during installation about how to
deal with the kinds of problems that will likely occur.

Comment 1 Harald Hoyer 2001-02-05 11:46:17 UTC
this is an installer bug ... sorry


Comment 2 Matt Wilson 2001-02-05 16:39:57 UTC
assigned to notting.


Comment 3 Bill Nottingham 2001-02-05 20:44:46 UTC

*** This bug has been marked as a duplicate of 25951 ***


Note You need to log in before you can comment on or make changes to this bug.