Red Hat Bugzilla – Bug 29129
ipchains rules in ifup scripts break ipchains functionality
Last modified: 2014-03-16 22:19:14 EDT
Ifup/ifdown scripts were modified to fix bug #25951. They now add
ipchains rules when brought up to allow connectivity to name servers.
However, this functionality clashes with typical ipchains usage.
For instance, if a user modifies the /etc/sysconfig/ipchains file, then
does 'service ipchains restart', the chains added for name resolution are
flushed, and the user can no longer resolve DNS names from a nameserver.
Also, if a user modifies the current ipchains rules and then does 'service
ipchains save', the rules that were only supposed to be set on a per-device
basis are now set globally.
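The second problem described in this report (per-device rules captured into the global file by 'service ipchains save') can be spotted after the fact by scanning the saved rule file for interface-bound rules that allow DNS. The script below is an added audit example, not code from this bug report or from the initscripts/ifup package; it assumes an ipchains-save style line layout (-A chain, -s/-d address followed by an optional port field, -i interface, -p protocol, -j target) and that the ifup-added rules are ACCEPT rules scoped with -i and involving port 53. The sample file content is constructed for the example.

```python
# Added audit helper (not from the bug report or from initscripts): scans a
# saved ipchains rule file for interface-bound rules that allow DNS (port 53).
# Rules of that shape are what ifup adds per device; finding them in the
# global /etc/sysconfig/ipchains means `service ipchains save` captured them.

# Constructed sample of a saved rule file (ipchains-save style syntax assumed).
SAMPLE_RULES = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 192.0.2.53/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j ACCEPT
-A input -s 192.0.2.53/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 22:22 -p 6 -y -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -y -j DENY
"""

DNS_PORTS = {"53", "53:53", "domain"}  # spellings assumed for the port field


def parse_rule(line):
    """Parse one '-A' line into the fields we audit.

    Returns None for chain-policy lines (':input ACCEPT'), comments and blanks.
    The option layout is an assumption about the save format.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "iface": None, "proto": None,
            "src_port": None, "dst_port": None, "target": None, "raw": line}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-s", "-d") and i + 1 < len(tokens):
            key = "src_port" if tok == "-s" else "dst_port"
            i += 2  # skip the option and its address
            # an optional port or port range may follow the address
            if i < len(tokens) and not tokens[i].startswith("-"):
                rule[key] = tokens[i]
                i += 1
        elif tok == "-i" and i + 1 < len(tokens):
            rule["iface"] = tokens[i + 1]
            i += 2
        elif tok == "-p" and i + 1 < len(tokens):
            rule["proto"] = tokens[i + 1]
            i += 2
        elif tok == "-j" and i + 1 < len(tokens):
            rule["target"] = tokens[i + 1]
            i += 2
        else:
            i += 1  # argument-less flags (-y, -l, ...) and anything unknown
    return rule


def is_interface_dns_allow(rule):
    """True for an ACCEPT rule bound to one interface that touches port 53."""
    return (rule["iface"] is not None
            and rule["target"] == "ACCEPT"
            and (rule["src_port"] in DNS_PORTS or rule["dst_port"] in DNS_PORTS))


def find_interface_dns_rules(saved_text):
    """Return the raw lines of per-interface DNS ACCEPT rules in a saved file."""
    flagged = []
    for line in saved_text.splitlines():
        rule = parse_rule(line)
        if rule and is_interface_dns_allow(rule):
            flagged.append(rule["raw"])
    return flagged


if __name__ == "__main__":
    for raw in find_interface_dns_rules(SAMPLE_RULES):
        print("per-interface DNS rule persisted globally:", raw)
```

Run it against the real file with `find_interface_dns_rules(open("/etc/sysconfig/ipchains").read())`; any hit is a rule that will be reloaded for that interface regardless of whether the device is up, which is exactly the global-versus-per-device mismatch the report describes.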
They should not do that, then.
If a user is directly modifying their /etc/sysconfig/ipchains, they should know
better than to firewall off their nameserver.
_SHOULD_ is the key word here... This change is not documented in any of the
man pages, how-tos, etc. If this is the only way to do it, then the user should be
notified via stdout that their ipchains rules are being modified as well.
We can add a warning to the top of the file that it's not really
We really cannot take care of users who don't know what they are
doing messing with the firewall config.
As of gnome-lokkit-0.43-6, it writes a warning at the top of the firewall
script about what ifup does.