Bug 29129 - ipchains rules in ifup scripts break ipchains funtionality
Summary: ipchains rules in ifup scripts break ipchains funtionality
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: initscripts   
(Show other bugs)
Version: 7.1
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2001-02-23 20:14 UTC by Dan Taylor
Modified: 2014-03-17 02:19 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-02-23 21:05:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Dan Taylor 2001-02-23 20:14:54 UTC
Ifup/ifdown scripts were modified to fix bug# 25951 .  They now add 
ipchains rules when brought up to allow connectivity to name servers.  
However, this functionality clashes with typical ipchains usage.

For instance, if a user modifies the /etc/sysconfig/ipchains file, then 
does 'service ipchains restart' the chains added for name resolution are 
flushed & a user can no longer resolve dns names from a nameserver.  

Also, if a user modifies the current ipchains rules and then does 'service 
ipchains save' the rules that were only supposed to be set on a per device 
basis are now set globally.

Comment 1 Bill Nottingham 2001-02-23 20:21:41 UTC
They should not do that, then.

If a user is directly modifying their /etc/sysconfig/ipchains, they should know
better than to firewall off their nameserver.

Comment 2 Dan Taylor 2001-02-23 20:37:10 UTC
_SHOULD_ is the key word here...  This change is not documented in any of the 
man pages, how-to's, etc.  If this is the only way to do it then user should be 
notified via stdout that their ipchains rules are being modified as well.

Comment 3 Bill Nottingham 2001-02-23 21:05:12 UTC
We can add a warning to the top of the file that it's not really
user modifiable.

We really cannot take care of users who don't know what they are
doing messing with the firewall config.


Comment 4 Bill Nottingham 2001-03-02 22:20:33 UTC
As of gnome-lokkit-0.43-6, it writes a warning at the top of the firewall
script about what ifup does.


Note You need to log in before you can comment on or make changes to this bug.