Bug 33421 - ipchains removes rules on shutdown
Summary: ipchains removes rules on shutdown
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: ipchains   
Version: 6.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact: David Lawrence
Depends On:
Reported: 2001-03-27 16:56 UTC by Matthew Kirkwood
Modified: 2007-04-18 16:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-01-28 12:07:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Matthew Kirkwood 2001-03-27 16:56:31 UTC
The /etc/init.d/ipchains script flushes all rules on shutdown.  I suggest
that this is dangerous.  Recommended action: have it default-deny and flush
rules on shutdown.  Alternatively: have it do nothing on shutdown.

An "accept" action for the script should be added to do what the "stop" one
currently does.
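The three shutdown behaviours the report contrasts (flush with policy ACCEPT, default-deny then flush, do nothing) and the proposed separate "accept" action, written out as init-script-style functions. This is an added illustration, not the Red Hat 6.2 /etc/init.d/ipchains script; the IPCHAINS_CMD variable and the function names are assumptions. By default every function is a dry run that prints the ipchains commands in execution order, which is what makes the ordering point visible: in the default-deny variant the policy is switched before the flush, so there is no moment at which the host has an ACCEPT policy and no rules.

```shell
#!/bin/sh
# Added illustration, not the Red Hat ipchains init script.
# IPCHAINS_CMD is an assumption: set it to "ipchains" on a real ipchains host.
# The default "echo ipchains" turns every function into a dry run that prints
# the commands in the order they would execute.
IPCHAINS_CMD="${IPCHAINS_CMD:-echo ipchains}"

# The three built-in chains of the ipchains (2.2 kernel) firewall.
CHAINS="input forward output"

# Behaviour the report objects to: every rule is flushed with the built-in
# policies left at ACCEPT, so the host is fully open once this returns.
ipchains_stop_open() {
    for c in $CHAINS; do $IPCHAINS_CMD -P "$c" ACCEPT; done
    $IPCHAINS_CMD -F    # flush rules in all chains
    $IPCHAINS_CMD -X    # delete user-defined chains
}

# Report's first suggestion: default-deny, then flush.  The policy changes
# BEFORE the flush, so at no point is traffic accepted with no rules loaded.
ipchains_stop_deny() {
    for c in $CHAINS; do $IPCHAINS_CMD -P "$c" DENY; done
    $IPCHAINS_CMD -F
    $IPCHAINS_CMD -X
}

# Report's second suggestion: touch nothing at shutdown; the loaded rules
# stay in force until the kernel itself goes down.
ipchains_stop_noop() {
    :
}

# Init-script style dispatch.  "stop" becomes default-deny and the old
# open-up behaviour survives under the separate "accept" action the report
# asks for, so someone who really wants no firewall still has a way to do it.
ipchains_action() {
    case "$1" in
        stop)   ipchains_stop_deny ;;
        accept) ipchains_stop_open ;;
        noop)   ipchains_stop_noop ;;
        *)      echo "usage: $0 {stop|accept|noop}" >&2; return 2 ;;
    esac
}

# Example invocation: IPCHAINS_CMD=ipchains sh thisscript.sh stop
if [ $# -gt 0 ]; then
    ipchains_action "$@"
fi
```

Running it without setting IPCHAINS_CMD only prints the command sequence, which is a convenient way to review what an init script would do to the firewall before letting it run for real.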

Comment 1 Mike A. Harris 2001-05-11 04:06:39 UTC
The problem with that is that if someone wants to disable their firewall,
say to use the machine without a firewall at all, their machine is now
firewalled off completely.

I agree with what you are saying though, but any solution needs
to take every circumstance into consideration.  The ipchains script
on "stop" should put the system back into the state it was when
the script was started.  So perhaps we could have the rc.sysinit
set the default firewall policy first, and then ipchains script
would read that setting and act appropriately.  Unfortunately,
doing this by default would kill DHCP completely and possibly other
things too.

Feel free to add more thoughts to help try to come up with an adequate

Comment 2 Matthew Kirkwood 2001-05-20 17:05:07 UTC
It might suffice just to desist from flushing the rules at shutdown.  It could
check for $CONFIRM if there isn't already a better way to do this.

Comment 3 Mike A. Harris 2001-10-30 07:19:47 UTC
Deferring for future consideration.

Comment 4 Mike A. Harris 2002-01-28 12:10:00 UTC
I've decided against this enhancement as I don't believe it
is a good idea for the general case.
