Red Hat Bugzilla – Bug 36283
Redhat 7.1 firewalling uses IPChains rather than IPtables/netfilter
Last modified: 2007-04-18 12:32:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.18pre17 i686)
RedHat 7.1 includes a 2.4 kernel that appears to have all of the
netfilter/iptables modules compiled as well as the ipchains compatibility
In high security mode, the system nicely blocks everything coming in except
for selected services, and even intelligently queries resolv.conf to allow
the DNS servers.
Unfortunately, this configuration is useless on most of my servers because,
due to high-port blocking, *I can not FTP OUT* with this enabled.
There is a simple, clean solution to this: Use iptables and enable FTP
connection tracking. While stateful systems are not desirable on network
infrastructure, they are totally harmless on end-nodes and do not represent
an additional point of failure.
RedHat 7.1 appears to have all the components to use iptables when
Is there a known stability problem with connection tracking, was this done
to improve 2.2 compatibility, or was this simply an oversight?
Steps to Reproduce:
1. Install RedHat 7.1
2. Enable high security and turn on ftp.
3. Attempt to FTP to various sites on the internet.
Actual Results: It doesn't work.
Expected Results: It should work.
See http://www.tempest.com.br/advisories/01-2001.html for the dangers of quite
new, stateful filtering code.
You can select the 'medium' level, it doesn't block the higher ports.
ipchains usage was specifically chosen for backwards compatibility.
There ought to be a way to set up a stateful firewall. It is not desirable to open
up high ports for unrestricted access.
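The two approaches argued over in this bug, side by side, as an added example that is not Red Hat's lokkit configuration or any code from the thread: the stateless ipchains-style allowance opens every unprivileged port to inbound connections so active-mode FTP data channels can get in, while the stateful 2.4-era iptables ruleset loads the ip_conntrack_ftp helper (named nf_conntrack_ftp on later kernels) and admits only packets belonging to, or RELATED to, connections this host started. IPTABLES and MODPROBE are assumed variables so the rules can be printed with IPTABLES=echo instead of applied.

```shell
#!/bin/sh
# Added example for an end node on Red Hat 7.1 (2.4 kernel, iptables present).
# Override IPTABLES/MODPROBE (e.g. IPTABLES=echo MODPROBE=echo) to dry-run.
IPTABLES="${IPTABLES:-iptables}"
MODPROBE="${MODPROBE:-modprobe}"

# Stateless ("medium" level) approach: with no connection tracking the only way
# to let active-mode FTP data connections reach the client is to accept NEW
# connections to the whole unprivileged port range from anywhere.
stateless_ftp_rules() {
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -A INPUT -p tcp --dport 1024:65535 -j ACCEPT
}

# Stateful approach: the FTP helper watches the PORT/PASV exchange on the
# control channel and marks the resulting data connection RELATED, so it is
# admitted without opening any port range to unsolicited traffic.
stateful_ftp_rules() {
    "$MODPROBE" ip_conntrack_ftp
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # replies to our own connections and helper-recognised data channels only
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # anything else trying to open a connection inbound is dropped
    "$IPTABLES" -A INPUT -m state --state NEW -j DROP
    # outbound FTP control channel (port 21) is what starts the tracked session
    "$IPTABLES" -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Check a printed ruleset for an unprivileged port range accepted inbound.
# Returns 0 (true) when such a rule is present, 1 otherwise.
opens_high_ports() {
    printf '%s\n' "$1" | grep -q -- '-A INPUT .*--dport 1024:65535 .*-j ACCEPT'
}
```

Run with `IPTABLES=echo MODPROBE=echo sh script.sh` to review the rules before applying them on a real host.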