From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.18pre17 i686)

RedHat 7.1 includes a 2.4 kernel that appears to have all of the netfilter/iptables modules compiled as well as the ipchains compatibility module. In high security mode, the system nicely blocks everything coming in except for selected services, and even intelligently queries resolv.conf to allow the DNS servers. Unfortunately, this configuration is useless on most of my servers because due to high-port blocking *I can not FTP OUT* with this enabled.

There is a simple, clean solution to this: Use iptables and enable FTP connection tracking. While stateful systems are not desirable on network infrastructure, they are totally harmless on end-nodes and do not represent an additional point of failure. RedHat 7.1 appears to have all the components to use iptables when available. Is there a known stability problem with connection tracking, was this done to improve 2.2 compatibility, or was this simply an oversight?

Reproducible: Always

Steps to Reproduce:
1. Install RedHat 7.1
2. Enable high security and turn on ftp.
3. Attempt to FTP to various sites on the internet.

Actual Results: It doesn't work.

Expected Results: It should work.
See http://www.tempest.com.br/advisories/01-2001.html for the dangers of quite new, stateful filtering code.
You can select the 'medium' level; it doesn't block the higher ports. ipchains usage was specifically chosen for backwards compatibility.
There ought to be a way to set up a stateful firewall. It is not desirable to open up high ports for unrestricted access.