Bug 36283 - Redhat 7.1 firewalling uses IPChains rather than IPtables/netfilter
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: firewall-config
Version: 7.1
Hardware: i386 Linux
Priority: medium
Severity: low
Assigned To: Harald Hoyer
QA Contact: Brian Brock
Reported: 2001-04-17 11:49 EDT by Need Real Name
Modified: 2007-04-18 12:32 EDT
Doc Type: Bug Fix
Last Closed: 2001-04-17 12:11:38 EDT

Description Need Real Name 2001-04-17 11:49:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.18pre17 i686)


RedHat 7.1 includes a 2.4 kernel that appears to have all of the
netfilter/iptables modules compiled as well as the ipchains compatibility
module.  

In high security mode, the system nicely blocks everything coming in except
for selected services, and even intelligently queries resolv.conf to allow
the DNS servers.

Unfortunately, this configuration is useless on most of my servers because
due to high-port blocking *I can not FTP OUT* with this enabled.

There is a simple, clean solution to this: Use iptables and enable FTP
connection tracking. While stateful systems are not desirable on network
infrastructure, they are totally harmless on end-nodes and do not represent
an additional point of failure.

RedHat 7.1 appears to have all the components to use iptables when
available.

Is there a known stability problem with connection tracking, was this done
to improve 2.2 compatibility, or was this simply an oversight?


Reproducible: Always
Steps to Reproduce:
1. Install RedHat 7.1
2. Enable high security and turn on ftp.
3. Attempt to FTP to various sites on the internet.
	

Actual Results:  It doesn't work.

Expected Results:  It should work.
Comment 1 Daniel Roesen 2001-04-17 12:11:33 EDT
See http://www.tempest.com.br/advisories/01-2001.html for the dangers of quite
new, stateful filtering code.
Comment 2 Bill Nottingham 2001-04-17 14:14:25 EDT
You can select the 'medium' level, it doesn't block the higher ports.
ipchains usage was specifically chosen for backwards compatibility.
Comment 3 Mark Baysinger 2001-04-25 14:43:00 EDT
There ought to be a way to set up a stateful firewall. It is not desirable to open
up high ports for unrestricted access.
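
Added example, not part of the bug report or of Red Hat's firewall code: a small Python model of the trade-off discussed in this thread, for active-mode FTP from an end node. Assumptions: the stateless mode is modelled as rejecting every inbound TCP connection attempt (SYN), the class and function names and the sample addresses are constructed, and the stateful branch mirrors what an iptables ESTABLISHED,RELATED state match does together with the FTP connection-tracking helper.

```python
import re

# Constructed sample addresses (documentation ranges); all names are illustrative.
CLIENT, SERVER, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.9"
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

class EndNodeFilter:
    """Inbound policy for one host: drop unless connection state allows it."""
    def __init__(self, local_ip, stateful):
        self.local_ip, self.stateful = local_ip, stateful
        self.established = set()   # (remote_ip, remote_port, local_port)
        self.expected = set()      # (remote_ip, local_port) announced via PORT

    def outbound(self, dst_ip, dst_port, src_port, payload=b""):
        """Outbound traffic always passes; a stateful filter also records it."""
        if not self.stateful:
            return
        self.established.add((dst_ip, dst_port, src_port))
        m = PORT_RE.fullmatch(payload) if dst_port == 21 else None
        if not m:
            return
        octets = [int(g) for g in m.groups()]
        if max(octets) > 255:
            return
        ip = ".".join(map(str, octets[:4]))
        port = octets[4] * 256 + octets[5]
        # Expect a data connection only to this host itself, on a high port,
        # and only from the server the control connection goes to.
        if ip == self.local_ip and port >= 1024:
            self.expected.add((dst_ip, port))

    def inbound(self, src_ip, src_port, dst_port, syn=False):
        """Return 'ACCEPT' or 'DROP' for a TCP packet arriving at this host."""
        if not self.stateful:
            return "DROP" if syn else "ACCEPT"   # assumed stateless SYN block
        if (src_ip, src_port, dst_port) in self.established:
            return "ACCEPT"                      # ESTABLISHED
        if syn and (src_ip, dst_port) in self.expected:
            self.expected.discard((src_ip, dst_port))   # one-shot expectation
            self.established.add((src_ip, src_port, dst_port))
            return "ACCEPT"                      # RELATED
        return "DROP"

def active_ftp_session(stateful):
    """Verdicts for the server's data connection and for an unrelated host."""
    fw = EndNodeFilter(CLIENT, stateful)
    fw.outbound(SERVER, 21, 40000)                                 # control channel
    fw.outbound(SERVER, 21, 40000, b"PORT 192,0,2,10,195,80\r\n")  # port 50000
    return (fw.inbound(SERVER, 20, 50000, syn=True),
            fw.inbound(OTHER, 20, 50000, syn=True))
```

The stateless filter drops the server's data connection, which is the failure reported here, while the stateful one accepts only that single related connection and leaves the high port closed to every other host.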
