Red Hat Bugzilla – Bug 27915
Firewall config blocks DNS replies if DHCP checked on install
Last modified: 2014-03-16 22:19:04 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
When installing the system, I checked the "DHCP" option on the network
card configuration page. On the firewall page I selected "HIGH". When
the install was done the DHCP operated successfully and assigned all the
network numbers right, but DNS lookups failed to work. After quite a bit
of messing around, I discovered the firewall rules were blocking the DNS.
Reproducible: Didn't try
Steps to Reproduce:
1.select "DHCP" when installing network
2.select "high" when installing firewall
Actual Results: System comes up and DHCP's properly, but firewall rules
block the DNS reply packets, presumably because the installer didn't know
the DNS server addresses at the time the installer was running.
Expected Results: Firewall installer should either set up to allow all DNS
reply packets to come through, or there should be a re-write of the firewall
rules every time DHCP returns a new set of DNS server numbers.
My solution was to use a static IP address and re-run lokkit, which then
re-wrote the firewall rules with explicit rules to allow my DNS servers to
talk to me.
Lokkit seems to install explicit rules to allow DNS reply packets from
specific IP numbers. However, every time a machine does a DHCP it can
potentially be assigned new DNS server addresses. Because of this it
seems you should have a module that re-writes the firewall DNS rules every
time DHCP executes. Otherwise, whenever a server address changes DNS
lookups will be broken.
If you are unable to reproduce the problem please let me know and I will
try doing a re-install (or whatever you suggest) to make it happen again.
If you DO have something in the installer that DHCPs and tries to include
DNS rules into the firewall, then it's possible the DHCP lookup failed for
some reason during install, but succeeded on subsequent reboots.
P.S. Which firewall config tools in the RH distro still work correctly on
the 2.4 kernel? I tried several and they seemed to be unable to list the
rules for my firewall.
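The report's proposed fix, a hook that rebuilds the firewall's DNS-reply rules from whatever nameservers the latest lease delivered, sketched as an added example. This is not code from the bug, from lokkit, or from the initscripts/pump fix mentioned later; it assumes a 2.4 netfilter host using iptables rather than the ipchains rules lokkit of that era wrote, a hypothetical dedicated chain name (DNS-REPLY), and a constructed resolv.conf sample in place of the one the DHCP client writes. It only prints the iptables commands so it can be run unprivileged as a dry run.

```shell
#!/bin/sh
# Added example, not from the bug report or Red Hat's tools.
# Rebuild the firewall's DNS-reply rules from the nameservers that the
# DHCP client wrote into a resolv.conf-style file. Intended to be called
# from a DHCP client lease hook; here it prints the commands instead of
# running them (dry run, no root needed).

# Print the unique nameserver addresses from a resolv.conf-style file,
# one per line, skipping comments and repeated entries.
resolv_nameservers() {
    awk '$1 == "nameserver" && !seen[$2]++ { print $2 }' "$1"
}

# Emit iptables commands that accept DNS replies only from the servers in
# the file. A dedicated chain (hypothetical name DNS-REPLY) is flushed and
# refilled on every lease, so rules for servers from an old lease do not
# linger, and the INPUT jump is deleted-then-inserted so repeated runs
# do not stack duplicate jumps.
dns_rules() {
    file="$1"
    chain="${2:-DNS-REPLY}"
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    for ns in $(resolv_nameservers "$file"); do
        # Stateless 2.4-era rule shape: match replies by source port 53.
        echo "iptables -A $chain -p udp -s $ns --sport 53 -j ACCEPT"
        echo "iptables -A $chain -p tcp -s $ns --sport 53 ! --syn -j ACCEPT"
    done
    echo "iptables -A $chain -j RETURN"
    echo "iptables -D INPUT -j $chain 2>/dev/null; iptables -I INPUT -j $chain"
}

# Constructed sample of what a DHCP client might write; the duplicate
# entry shows that the rules are de-duplicated.
SAMPLE_RESOLV="${TMPDIR:-/tmp}/resolv.sample.$$"
trap 'rm -f "$SAMPLE_RESOLV"' EXIT
printf '%s\n' \
    '# constructed sample resolv.conf' \
    'search example.com' \
    'nameserver 192.0.2.53' \
    'nameserver 192.0.2.54' \
    'nameserver 192.0.2.53' > "$SAMPLE_RESOLV"

# Stand-alone run: print the rules that would be applied for this lease.
dns_rules "$SAMPLE_RESOLV"
```

To actually apply the rules from a lease hook, pipe the output into `sh` as root after the client has written resolv.conf; the flush-and-refill design is what keeps the firewall in step when a new lease hands out different DNS servers.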
Assigning to a developer.
This was fixed in initscripts-5.64 or so, along with pump-0.8.9-1.