Bug 27915 - Firewall config blocks DNS replies if DHCP checked on install
Product: Red Hat Linux
Classification: Retired
Component: anaconda
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
Brock Organ
Reported: 2001-02-15 21:40 EST by Greg Corson
Modified: 2014-03-16 22:19 EDT
Doc Type: Bug Fix
Last Closed: 2001-02-19 18:59:47 EST

Description Greg Corson 2001-02-15 21:40:59 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

When installing the system, I checked the "DHCP" option on the network 
card configuration page.  On the firewall page I selected "HIGH".  When 
the install was done the DHCP operated successfully and assigned all the 
network numbers right, but DNS lookups failed to work.  After quite a bit 
of messing around, I discovered the firewall rules were blocking the DNS 
reply packets.

Reproducible: Didn't try
Steps to Reproduce:
1. Select "DHCP" when installing network
2. Select "high" when installing firewall

Actual Results:  System comes up and DHCP's properly, but firewall rules 
block the DNS reply packets, presumably because the installer didn't know 
the DNS server addresses at the time the installer was running.

Expected Results:  Firewall installer should either be set up to allow all DNS 
reply packets to come through, or there should be a re-write of the firewall 
rules every time DHCP returns a new set of DNS server numbers.

My solution was to use a static IP address and re-run lokkit, which then 
re-wrote the firewall rules with explicit rules to allow my DNS servers to 
talk to me.

Lokkit seems to install explicit rules to allow DNS reply packets from 
specific IP numbers.  However, every time a machine does a DHCP it can 
potentially be assigned new DNS server addresses.  Because of this it 
seems you should have a module that re-writes the firewall DNS rules every 
time DHCP executes.  Otherwise, whenever a server address changes DNS 
lookups will be broken.

If you are unable to reproduce the problem please let me know and I will 
try doing a re-install (or whatever you suggest) to make it happen again.  
If you DO have something in the installer that DHCP's and tries to include 
DNS rules into the firewall, then it's possible the DHCP lookup failed for 
some reason during install, but succeeded on subsequent reboots.

P.S. Which firewall config tools in the RH distro still work correctly on 
the 2.4 kernel?  I tried several and they seemed to be unable to list the 
rules for my firewall.
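The "rewrite the DNS rules every time DHCP executes" mechanism the reporter asks for, sketched as an added example (this is not code from the bug report, from lokkit or from initscripts): it reads the nameserver lines DHCP wrote into a resolv.conf-style file and emits firewall rules that accept DNS replies only from those addresses, flushing the previous set first so rules from an old lease do not linger. The iptables syntax, the dedicated chain name `dns-replies`, the hook-script framing and the constructed sample file are all assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report, lokkit or initscripts: regenerate the
# "allow DNS replies" firewall rules from whatever nameservers DHCP last wrote
# into resolv.conf, so the rules follow the servers instead of going stale.
# Meant to be called from a DHCP client exit hook; it prints the iptables
# commands rather than running them, so they can be reviewed before use.
# Assumptions: iptables rule syntax, a dedicated chain named "dns-replies",
# and a resolv.conf-format file whose path is passed as the first argument.

# Print each "nameserver" address from a resolv.conf-style file, one per line.
dns_servers_from_resolv() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Emit the iptables commands that (re)build the dns-replies chain: create it
# or flush it, make sure INPUT jumps to it, then accept UDP and TCP replies
# (source port 53) only from the servers currently listed. Flushing first is
# what keeps per-server rules from a previous lease out of the ruleset.
dns_reply_rules() {
    chain=dns-replies
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    echo "iptables -C INPUT -j $chain 2>/dev/null || iptables -I INPUT -j $chain"
    dns_servers_from_resolv "$1" | while read -r srv; do
        echo "iptables -A $chain -p udp -s $srv --sport 53 -j ACCEPT"
        echo "iptables -A $chain -p tcp -s $srv --sport 53 -j ACCEPT"
    done
}

# Stand-alone demo on a constructed resolv.conf (addresses are from the
# 192.0.2.0/24 documentation range, not real servers).
demo_resolv=${TMPDIR:-/tmp}/resolv.conf.example.$$
printf 'search example.test\nnameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$demo_resolv"
dns_reply_rules "$demo_resolv"
rm -f "$demo_resolv"
```

Run from the DHCP client's hook with the output piped to `sh`, the chain is rebuilt on every lease, which is the behaviour the report asks for. The `-C`/`-N` guards make a second run idempotent rather than appending duplicate rules. On a kernel with connection tracking, a single rule accepting `ESTABLISHED` traffic covers replies to the host's own queries and makes per-server rules unnecessary; the per-address form shown here matches the explicit-rule approach the report describes lokkit using.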
Comment 1 Michael Fulbright 2001-02-16 09:56:13 EST
Assigning to a developer.
Comment 2 Bill Nottingham 2001-02-16 12:51:01 EST
This was fixed in initscripts-5.64 or so, along with pump-0.8.9-1.