Bug 35983 - firewall and ident service causes problems
Summary: firewall and ident service causes problems
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: anaconda
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Brent Fox
QA Contact: Brock Organ
Depends On:
Reported: 2001-04-15 21:56 UTC by Jeff Norden
Modified: 2007-03-27 03:43 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-04-16 04:42:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Jeff Norden 2001-04-15 21:56:06 UTC
The default firewall setup uses DENY to block most ports.  While this is
generally a good idea, it is bad for the remote IDENT service on port 113.

The result of "denying" this port is that *outgoing* ftp (and perhaps
other) connections can take a very long time to connect.  Attempting to
anonymously ftp to a locally connected linux box is very frustrating,
because the remote wu-ftpd "hangs up" while waiting for the IDENT
connection to time out.  This is easily solved by using REJECT instead of
DENY for this port.  Below is my current copy of /etc/sysconfig/ipchains, 
I added the two REJECT lines by hand and everything now works fine.

(On the other hand, the question of whether or not redhat boxes should
respond to IDENT requests by default is something to be considered.  There
are certainly arguments to be made both ways.)

$ cat /etc/sysconfig/ipchains
:input ACCEPT
:forward ACCEPT
:output ACCEPT
-A input -s 0/0 -d 0/0 -i lo -j ACCEPT
-A input -p tcp -s 0/0 -d 0/0 113 -j REJECT
-A input -p udp -s 0/0 -d 0/0 113 -j REJECT
-A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 2049 -y -j DENY
-A input -p udp -s 0/0 -d 0/0 0:1023 -j DENY
-A input -p udp -s 0/0 -d 0/0 2049 -j DENY
-A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j DENY
-A input -p tcp -s 0/0 -d 0/0 7100 -y -j DENY
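
The stall the report describes is easiest to see from the querying side. The following is an added example, not code from the bug or from wu-ftpd: a small RFC 1413 (ident) client of the kind an FTP daemon runs against the connecting host's port 113, plus a throwaway local "identd" used to reproduce the three outcomes. A REJECT rule (or a closed port) answers with an RST, so the lookup fails in milliseconds; a DENY rule drops the packets and the caller sits there until its own timeout expires, which is the delay seen on every FTP login. Port 113 cannot be firewalled inside the example, so the DENY case is simulated by a responder that accepts and then stays silent; the client-visible symptom is the same. Hostnames, ports, the user name "jeff" and the 0.5 s timeout are all constructed for the demo.

```python
"""RFC 1413 ident lookup as performed by a server such as wu-ftpd.

Added demonstration code (not wu-ftpd's): shows why a DENYed port 113
stalls the caller until its timeout, while a REJECTed one fails at once.
"""
import socket
import threading
import time


def parse_ident_reply(line):
    """Parse '<sport>, <cport> : USERID : <opsys> : <user-id>' or
    '<sport>, <cport> : ERROR : <error-type>'.  Returns (kind, detail).
    The user-id is the last field and may itself contain ':' so split at most
    three times."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) >= 4 and fields[1].upper() == "USERID":
        return ("USERID", fields[3])
    if len(fields) >= 3 and fields[1].upper() == "ERROR":
        return ("ERROR", fields[2])
    return ("ERROR", "UNPARSEABLE")


def ident_lookup(host, their_port, our_port, timeout=2.0, ident_port=113):
    """Ask identd on <host> who owns the TCP connection host:their_port ->
    us:our_port.  Returns (status, detail, seconds_elapsed) where status is
    one of 'USERID', 'ERROR', 'REFUSED', 'TIMEOUT'."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            # RFC 1413 query: port on the queried host first, then ours.
            s.sendall(f"{their_port}, {our_port}\r\n".encode("ascii"))
            reply = b""
            while b"\n" not in reply and len(reply) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                reply += chunk
        status, detail = parse_ident_reply(reply.decode("latin-1"))
    except ConnectionRefusedError:
        # REJECT (TCP RST / ICMP port-unreachable): we learn at once.
        status, detail = "REFUSED", "connection refused"
    except socket.timeout:
        # DENY (packets silently dropped): nothing comes back, we wait it out.
        status, detail = "TIMEOUT", f"no answer within {timeout}s"
    except OSError as exc:
        status, detail = "ERROR", str(exc)
    return status, detail, time.monotonic() - start


def start_fake_identd(reply):
    """Local stand-in for identd on an ephemeral port (constructed for the
    demo).  reply=None accepts the connection and then says nothing, which
    gives the caller the same wait a dropped SYN would."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            conn.recv(256)            # the "sport, cport" query
            if reply is not None:
                conn.sendall(reply)
            else:
                conn.recv(1)          # block until the client gives up

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_local_port():
    """Reserve and release an ephemeral port so nothing listens on it; a
    connect() then gets an RST, the fast failure a REJECT rule produces."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo(timeout=0.5):
    """Run the three cases against loopback and return their results."""
    results = {}
    p = start_fake_identd(b"1025, 21 : USERID : UNIX : jeff\r\n")
    results["answered"] = ident_lookup("127.0.0.1", 1025, 21, timeout, p)
    results["rejected"] = ident_lookup("127.0.0.1", 1025, 21, timeout,
                                       closed_local_port())
    results["denied"] = ident_lookup("127.0.0.1", 1025, 21, timeout,
                                     start_fake_identd(None))
    return results


if __name__ == "__main__":
    for case, (status, detail, secs) in demo().items():
        print(f"{case:9s} {status:8s} {secs:6.3f}s  {detail}")
```

The "rejected" case returns in well under the timeout and "denied" only after it; a real server with a multi-second ident timeout multiplies that wait into the login delay the reporter saw. The same distinction survives in later firewalls: with iptables the fast-failing rule is `-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset`, while `-j DROP` reproduces the ipchains DENY behaviour.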

Comment 1 Brent Fox 2001-04-16 04:35:54 UTC
Bill, any ideas?

Comment 2 Bill Nottingham 2001-04-16 04:41:57 UTC
The current version uses REJECT rules.

Comment 3 Bill Nottingham 2001-04-16 04:42:38 UTC
(This should be in 0.43-5.)
