Bug 26010 - ipchains rules are overzealous
Status: CLOSED DUPLICATE of bug 25951
Product: Red Hat Linux
Classification: Retired
Component: anaconda
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
Brian Brock
Reported: 2001-02-04 18:51 EST by Jay Berkenbilt
Modified: 2014-03-16 22:18 EDT
Doc Type: Bug Fix
Last Closed: 2001-02-05 11:40:01 EST
Attachments: None
Description Jay Berkenbilt 2001-02-04 18:51:40 EST
During installation, I selected customized firewall security and explicitly
allowed telnet, ftp, and ssh.  (This is my home network which is behind a
firewall.  I figured that would be good enough as my real firewall accepts
only ssh...)  The result was the following /etc/sysconfig/ipchains:

:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY

With this configuration, a few things didn't work that should have
including kinit and nfs mounts.  (Neither nfs client nor server worked.)

It seems that rejecting all udp packets coming into the input chain is too
strict for most purposes.  If someone is going to mount file systems via
nfs, this is too tight.  Anyway, I'm very glad to see that the default
RedHat install is too tight rather than too loose.  This is the right way
to err.  However, maybe some refinement is still in order before the real
release, or at least being a little louder during installation about how to
deal with the kinds of problems that will likely occur.
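To see why NFS and kinit stop working while ssh and outbound browsing keep working, it helps to walk the installer's ruleset with ipchains' first-match semantics. The following evaluator is an added example written for this page, not anaconda or Red Hat code: it parses the rules quoted in the report (ignoring addresses, since every rule uses 0/0), reads the lone "-s 53" line as "any address, source port 53" (the DNS-reply rule; that reading is an assumption), and returns the verdict for a set of constructed sample packets, including a UDP NFS reply, a portmapper reply and a Kerberos KDC reply, none of which has an ACCEPT rule ahead of the blanket UDP DENY. It also shows that nothing in the listed file opens telnet's port 23, although the reporter asked for telnet.

```python
# Toy ipchains 'input' chain evaluator (added example, not project code).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ruleset as written to /etc/sysconfig/ipchains in the report above.
# Assumption: "-s 53" means "any source address, source port 53".
IPCHAINS_RULES = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 21 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 22 -p tcp -y -j ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -s 53 -d 0/0 -p udp -j ACCEPT
-A input -s 0/0 -d 0/0 -p tcp -y -j DENY
-A input -s 0/0 -d 0/0 -p udp -j DENY
"""

OPT_ATTR = {"-p": "proto", "-i": "iface", "-j": "target"}


@dataclass
class Rule:
    src_port: Optional[int] = None   # port given after -s <address>
    dst_port: Optional[int] = None   # port given after -d <address>
    proto: Optional[str] = None      # -p tcp|udp (None = any)
    syn_only: bool = False           # -y: match only TCP SYN, i.e. new inbound connections
    iface: Optional[str] = None      # -i <interface> (None = any)
    target: str = ""                 # -j ACCEPT|DENY


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    syn: bool = False                # TCP SYN without ACK
    iface: str = "eth0"


def parse_chain(text: str, chain: str = "input") -> Tuple[str, List[Rule]]:
    """Return (default policy, rules) for one chain; addresses are ignored."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0].startswith(":"):            # ":input ACCEPT" sets the chain policy
            if toks[0][1:] == chain:
                policy = toks[1]
            continue
        if toks[:2] != ["-A", chain]:
            continue
        rule, i = Rule(), 2
        while i < len(toks):
            tok = toks[i]
            if tok in ("-s", "-d"):
                i += 1
                if i < len(toks) and not toks[i].isdigit():
                    i += 1                     # skip the address token (e.g. 0/0)
                if i < len(toks) and toks[i].isdigit():   # optional bare port number
                    setattr(rule, "src_port" if tok == "-s" else "dst_port", int(toks[i]))
                    i += 1
            elif tok == "-y":
                rule.syn_only, i = True, i + 1
            elif tok in OPT_ATTR:
                setattr(rule, OPT_ATTR[tok], toks[i + 1])
                i += 2
            else:
                raise ValueError(f"unsupported option {tok!r} in: {line}")
        rules.append(rule)
    return policy, rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.src_port is None or rule.src_port == pkt.sport)
            and (rule.dst_port is None or rule.dst_port == pkt.dport)
            and (not rule.syn_only or (pkt.proto == "tcp" and pkt.syn)))


def verdict(policy: str, rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; the chain policy applies when none match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


# Constructed sample traffic arriving on the installed host's 'input' chain.
SAMPLES: Dict[str, Packet] = {
    "ssh connect (tcp/22 SYN)":           Packet("tcp", 40001, 22, syn=True),
    "telnet connect (tcp/23 SYN)":        Packet("tcp", 40002, 23, syn=True),
    "reply to our web request (tcp ACK)": Packet("tcp", 80, 40003),
    "DNS reply (udp from port 53)":       Packet("udp", 53, 40004),
    "portmapper reply (udp from 111)":    Packet("udp", 111, 40005),
    "NFS reply (udp from 2049)":          Packet("udp", 2049, 40006),
    "Kerberos KDC reply (udp from 88)":   Packet("udp", 88, 40007),
    "local UDP on loopback":              Packet("udp", 2049, 40008, iface="lo"),
}


def evaluate_samples(text: str = IPCHAINS_RULES) -> Dict[str, str]:
    """Map each sample packet name to ACCEPT or DENY under the given chain."""
    policy, rules = parse_chain(text)
    return {name: verdict(policy, rules, pkt) for name, pkt in SAMPLES.items()}
```

Calling evaluate_samples() shows the asymmetry the reporter hit: established TCP traffic passes because every TCP rule carries -y and the non-matching packet falls through to the ACCEPT policy, but UDP has no equivalent of "established", so any UDP-based service other than DNS replies (NFS and portmapper on 2049/111, the Kerberos KDC on 88) is dropped by the final rule regardless of which host it comes from.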
Comment 1 Harald Hoyer 2001-02-05 06:46:17 EST
this is an installer bug ... sorry
Comment 2 Matt Wilson 2001-02-05 11:39:57 EST
assigned to notting.
Comment 3 Bill Nottingham 2001-02-05 15:44:46 EST

*** This bug has been marked as a duplicate of 25951 ***
