Bug 33421 - ipchains removes rules on shutdown
Product: Red Hat Linux
Classification: Retired
Component: ipchains
i386 Linux
Severity: medium
Assigned To: Mike A. Harris
David Lawrence
Reported: 2001-03-27 11:56 EST by Matthew Kirkwood
Modified: 2007-04-18 12:32 EDT (History)
Doc Type: Bug Fix
Last Closed: 2002-01-28 07:07:39 EST

Description Matthew Kirkwood 2001-03-27 11:56:31 EST
The /etc/init.d/ipchains script flushes all rules on shutdown.  I suggest
that this is dangerous.  Recommended action: have it default-deny and flush
rules on shutdown.  Alternatively: have it do nothing on shutdown.

An "accept" action for the script should be added to do what the "stop" one
currently does.
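The stop/accept split the report proposes, as an added sketch that is not the Red Hat ipchains init script; the IPCHAINS variable and the function names are assumptions so the dispatch can be dry-run against a stub instead of a live kernel.

```shell
#!/bin/sh
# Added example: an init-script dispatcher where "stop" leaves the host
# closed (default-deny, then flush) and "accept" does what "stop" does
# today (default-accept, then flush). IPCHAINS is an assumed variable so
# the script can be pointed at a stub binary for testing.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# Apply one policy to all three built-in chains, then flush the rules.
# The policy is what remains in force once the rule list is empty, so the
# order matters: setting it before the flush avoids a window with no rules
# and an ACCEPT default.
set_policy_and_flush() {
    policy=$1
    for chain in input output forward; do
        "$IPCHAINS" -P "$chain" "$policy" || return 1
    done
    "$IPCHAINS" -F || return 1
}

# Dispatcher; an init script would call this as: ipchains_action "$1"
ipchains_action() {
    case $1 in
        stop)
            # Proposed behaviour: remain firewalled after the rules are gone.
            set_policy_and_flush DENY ;;
        accept)
            # Current "stop" behaviour: open the host completely.
            set_policy_and_flush ACCEPT ;;
        *)
            echo "usage: ipchains_action {stop|accept}" >&2
            return 2 ;;
    esac
}
```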
Comment 1 Mike A. Harris 2001-05-11 00:06:39 EDT
The problem with that is that if someone wants to disable their firewall,
say to use the machine without a firewall at all, their machine is now
firewalled off completely.

I agree with what you are saying though, but any solution needs
to take every circumstance into consideration.  The ipchains script
on "stop" should put the system back into the state it was when
the script was started.  So perhaps we could have the rc.sysinit
set the default firewall policy first, and then ipchains script
would read that setting and act appropriately.  Unfortunately,
doing this by default would kill DHCP completely and possibly other
things too.

Feel free to add more thoughts to help try to come up with an adequate
Comment 2 Matthew Kirkwood 2001-05-20 13:05:07 EDT
It might suffice just to desist from flushing the rules at shutdown.  It could
check for $CONFIRM if there isn't already a better way to do this.
Comment 3 Mike A. Harris 2001-10-30 02:19:47 EST
Deferring for future consideration.
Comment 4 Mike A. Harris 2002-01-28 07:10:00 EST
I've decided against this enhancement as I don't believe it
is a good idea for the general case.
