Bug 36283 - Redhat 7.1 firewalling uses IPChains rather then IPtables/netfilter
Summary: Redhat 7.1 firewalling uses IPChains rather then IPtables/netfilter
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: firewall-config
Version: 7.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Brian Brock
Depends On:
TreeView+ depends on / blocked
Reported: 2001-04-17 15:49 UTC by Need Real Name
Modified: 2007-04-18 16:32 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2001-04-17 16:11:38 UTC

Attachments (Terms of Use)

Description Need Real Name 2001-04-17 15:49:18 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.18pre17 i686)

RedHat 7.1 includes a 2.4 kernel that appears to have all of the
netfilter/iptables modules compiled as well as the ipchains compatibility

In high security mode, the system nicely blocks everything coming in except
for selected services, and even intelgently queries resolv.conf to allow
the DNS servers.

Unfortuantly, this configuration is useless on most of my servers because
due to high-port blocking *I can not FTP OUT* with this enabled.

There is a simple, clean solution to this: Use iptables and enable FTP
connection tracking. While stateful systems are not desireable on network
infrastructure, they are totally harmless on end-nodes and do not represent
an additional point of failure.

RedHat 7.1 appears to have all the components to use iptables when

Is there a known stability problem with connection tracking, was this done
to improve 2.2 compatibility, or was this simply an oversight?

Reproducible: Always
Steps to Reproduce:
1. Install RedHat 7.1
2. Enable high security and turn on ftp.
3. Attempt to FTP to varrious sites on the internet.

Actual Results:  It doesn't work.

Expected Results:  It should work.

Comment 1 Daniel Roesen 2001-04-17 16:11:33 UTC
See http://www.tempest.com.br/advisories/01-2001.html for the dangers of quite
new, stateful filtering code.

Comment 2 Bill Nottingham 2001-04-17 18:14:25 UTC
You can select the 'medium' level, it doesn't block the higher ports.
ipchains usage was specifically chosen for backwards compatibility.

Comment 3 Mark Baysinger 2001-04-25 18:43:00 UTC
There ought to be a way to setup a stateful firewall. It not desireable to open 
up high ports for unrestricted access.

Note You need to log in before you can comment on or make changes to this bug.