Bug 35983 - firewall and ident service causes problems
Product: Red Hat Linux
Classification: Retired
Component: anaconda
Platform: i386 Linux
Priority: high  Severity: medium
Assigned To: Brent Fox
QA Contact: Brock Organ
Reported: 2001-04-15 17:56 EDT by Jeff Norden
Modified: 2007-03-26 23:43 EDT
Doc Type: Bug Fix
Last Closed: 2001-04-16 00:42:43 EDT
Attachments: None
Description Jeff Norden 2001-04-15 17:56:06 EDT
The default firewall setup uses DENY to block most ports.  While this is
generally a good idea, it is bad for the remote IDENT service on port 113.

The result of "denying" this port is that *outgoing* ftp (and perhaps
other) connections can take a very long time to connect.  Attempting to
anonymously ftp to a locally connected linux box is very frustrating,
because the remote wu-ftpd "hangs up" while waiting for the IDENT
connection to time out.  This is easily solved by using REJECT instead of
DENY for this port.  Below is my current copy of /etc/sysconfig/ipchains;
I added the two REJECT lines by hand and everything now works fine.

(On the other hand, the question of whether or not redhat boxes should
respond to IDENT requests by default is something to be considered.  There
are certainly arguments to be made both ways.)

$ cat /etc/sysconfig/ipchains
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 113 -j REJECT
-A input -p udp -s 0/0 -d 0/0 113 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j DENY
-A input -p udp -s 0/0 -d 0/0 0:1023 -j DENY
-A input -p udp -s 0/0 -d 0/0 2049 -j DENY
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j DENY
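As an added example (not part of the bug report and not anaconda's own code), here is a small Python simulator of ipchains first-match evaluation over the ruleset quoted above. It models only the options that appear in that file (-A, -p, -s, -d with an optional port or port range, -i, -y and -j), parses but does not match source/destination addresses because every rule uses 0/0, and treats -y as "SYN set, ACK clear" as ipchains does. The ruleset embedded in the script is a constructed copy of the one in the report; the ident_disposition and without_reject_lines helpers are hypothetical names chosen for this example. It shows why the two hand-added lines matter: with them an inbound 113/tcp probe hits REJECT (an ICMP error goes back, so the remote wu-ftpd's ident lookup fails at once), without them it falls into the 0:1023 DENY range and is silently dropped, leaving the remote side to wait for its own timeout.

```python
"""Simulate ipchains first-match evaluation for the input chain.

Added example, not from the bug report or anaconda.  DENY silently drops
the SYN, so the remote ftp server's IDENT lookup waits for its own timeout;
REJECT answers with an ICMP error, so the lookup fails immediately.
"""
import shlex

# Constructed copy of the ruleset quoted in the report (policies included).
RULESET_WITH_REJECT = """\
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 113 -j REJECT
-A input -p udp -s 0/0 -d 0/0 113 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j DENY
-A input -p udp -s 0/0 -d 0/0 0:1023 -j DENY
-A input -p udp -s 0/0 -d 0/0 2049 -j DENY
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j DENY
"""

# Options that take exactly one argument and map straight onto a rule field.
ONE_ARG = {"-A": "chain", "-p": "proto", "-i": "iface", "-j": "target"}


def parse_port_range(spec):
    """'113' -> (113, 113); '0:1023' -> (0, 1023)."""
    lo, _, hi = spec.partition(":")
    return (int(lo), int(hi) if hi else int(lo))


def parse_rules(text):
    """Return (policies, rules); rules keep file order, which is match order."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):            # ":input ACCEPT" sets a chain policy
            chain, policy = line[1:].split()
            policies[chain] = policy
            continue
        tok = shlex.split(line)
        rule = {"chain": None, "proto": None, "iface": None,
                "dport": None, "syn_only": False, "target": None}
        i = 0
        while i < len(tok):
            t = tok[i]
            if t in ONE_ARG:
                rule[ONE_ARG[t]] = tok[i + 1]
                i += 2
            elif t == "-y":                 # SYN-only: new inbound connections
                rule["syn_only"] = True
                i += 1
            elif t in ("-s", "-d"):
                i += 2                      # skip the address (always 0/0 here)
                # ipchains allows an optional port or lo:hi range after the address
                if i < len(tok) and not tok[i].startswith("-"):
                    if t == "-d":
                        rule["dport"] = parse_port_range(tok[i])
                    i += 1
            else:
                raise ValueError(f"unsupported ipchains option: {t!r}")
        rules.append(rule)
    return policies, rules


def evaluate(policies, rules, chain, proto, dport, iface="eth0", syn=True):
    """First matching rule wins; otherwise the chain's policy applies."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        if r["dport"] and not (r["dport"][0] <= dport <= r["dport"][1]):
            continue
        # -y matches only TCP packets opening a connection (SYN set, ACK clear),
        # so replies to connections this host initiated are left alone.
        if r["syn_only"] and not (proto == "tcp" and syn):
            continue
        return r["target"]
    return policies.get(chain, "ACCEPT")


def ident_disposition(ruleset_text):
    """Target hit by an inbound IDENT connection attempt on 113/tcp."""
    policies, rules = parse_rules(ruleset_text)
    return evaluate(policies, rules, "input", "tcp", 113)


def without_reject_lines(ruleset_text):
    """The stock ruleset the report complains about: the same file minus the
    two hand-added REJECT rules, so port 113 falls into the 0:1023 DENY range."""
    kept = [l for l in ruleset_text.splitlines() if not l.endswith("-j REJECT")]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("with REJECT lines :", ident_disposition(RULESET_WITH_REJECT))
    stock = without_reject_lines(RULESET_WITH_REJECT)
    print("stock (DENY only) :", ident_disposition(stock))
```

Running it prints REJECT for the ruleset as posted and DENY for the same file with the two REJECT lines removed. The same evaluate call can be pointed at any port and protocol to confirm that the -y rules only affect new inbound TCP connections, which is why the reporter's outgoing ftp data and control traffic is unaffected by the DENY rules themselves.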
Comment 1 Brent Fox 2001-04-16 00:35:54 EDT
Bill, any ideas?
Comment 2 Bill Nottingham 2001-04-16 00:41:57 EDT
The current version uses REJECT rules.
Comment 3 Bill Nottingham 2001-04-16 00:42:38 EDT
(This should be in 0.43-5.)