Bug 63497 - bug in firewall punch-through when rule already exists
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: initscripts
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
QA Contact: Brock Organ
Reported: 2002-04-14 22:06 EDT by Dan Morrill
Modified: 2014-03-16 22:26 EDT
Fixed In Version: FC3
Doc Type: Bug Fix
Last Closed: 2005-09-29 15:47:53 EDT

Description Dan Morrill 2002-04-14 22:06:02 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901

Description of problem:
/etc/sysconfig/network-scripts/ifup-post, among other things, adds rules to let
the DNS servers specified in /etc/resolv.conf "punch through" the firewall.  As
part of a sanity check, the script parses the output of an ipchains -L -n to see
if the rules already exist.  If they do, then the code snippet does nothing.

However, the check is a little bit naive, because it looks for ANY rule in
ipchains, not just DNS-related rules.  In my case, I have my firewall (which is
also the DNS server) doing syslog to an internal RHL 7.2 box, so I had to add a
rule to /etc/sysconfig/ipchains to allow this.  However, that rule is firing the
sanity check just described, and so that script block does nothing.  Therefore,
I never get the DNS punch-through rules added.  This is the behavior of
ifup-post in RHL 7.2.  I haven't tried skipjack yet but I assume it's true
there, too.

The diff below is a simple fix.

--- /etc/sysconfig/network-scripts/ifup-post.orig       Sun Apr 14 21:52:09
2002+++ /etc/sysconfig/network-scripts/ifup-post    Sun Apr 14 21:52:44 2002
@@ -90,7 +90,7 @@
        ns=`awk '/^nameserver / { print $2 }' /etc/resolv.conf`
        if [ -n "$ns" ]; then
                for nameserver in $ns ; do
-                       if ! ipchains -L input -n | grep -q $nameserver ; then
+                       if ! ipchains -L input -n | grep domain | grep -q
$nameserver ; then
                                ipchains -I input -s $nameserver/32 53 -d 0/0
1025:65535 -p udp -j ACCEPT
                                [ -x /usr/bin/logger ] && logger $"punching
nameserver $nameserver through the firewall"
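Review bot: the added `grep domain` filter on the `+` line can never match, because the listing is produced with `ipchains -L input -n` and `-n` prints ports numerically, so the word "domain" is not in the output; the net effect is the opposite failure, with the punch-through rule re-inserted on every ifup. Match the numeric port and protocol on the same line instead (for example `grep udp | grep -F -- "$nameserver" | grep -q " 53 "`), and quote `"$nameserver"` with `grep -F` so the dots in the address stop acting as regex wildcards and 10.1.1.1 does not match 10.1.1.10 or 10.101.1.1.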


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.  add a rule for the DNS server manually (e.g. for syslog)
2.  service network restart
 

Actual Results:  DNS punch-through rules didn't get added

Expected Results:  DNS punch-through rules should have been added

Additional info:

Simple fix:  added a "| grep domain" element to the pipe chain.  I can show you
my /etc/sysconfig/ipchains if you care but it's trivial.
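The following is an added example, not code from the bug report or from initscripts. It puts the reporter's naive check (any line of the listing containing the nameserver address counts as "rule present") next to a check that requires the whole rule to match. The listing is constructed to resemble the columns of `ipchains -L input -n` and is not captured from a real host; the function names and the addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug or from initscripts). Compares the naive
# "any rule mentions the address" test in ifup-post with a check that looks
# at the whole rule. SAMPLE_LISTING is CONSTRUCTED to resemble the columns
# of `ipchains -L input -n`; it is sample input, not output from a real box.
SAMPLE_LISTING='Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     udp  ------  192.168.1.1           192.168.1.20          514 ->   514
ACCEPT     udp  ------  10.0.0.53             0.0.0.0/0             53 ->   1025:65535
ACCEPT     tcp  ------  192.168.10.1          0.0.0.0/0             * ->   22'

# Naive check, as in ifup-post: any line containing the address means
# "rule already present". The pattern is unquoted and un-anchored, so dots
# are regex wildcards, 192.168.1.2 matches 192.168.1.20, and the syslog
# rule (port 514) from the nameserver host satisfies the test.
naive_has_rule() {
    printf '%s\n' "$SAMPLE_LISTING" | grep -q $1
}

# Stricter check: target ACCEPT, protocol udp, exact source address and
# source port 53 must all be on the same line. awk compares fields as whole
# strings, so 192.168.1.1 cannot match 192.168.10.1 and an unrelated rule
# for the same host does not suppress the DNS punch-through.
dns_rule_present() {
    printf '%s\n' "$SAMPLE_LISTING" | awk -v ns="$1" '
        $1 == "ACCEPT" && $2 == "udp" && $4 == ns && $6 == "53" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Usage: run both checks against the constructed listing.
for ns in 192.168.1.1 192.168.1.2 10.0.0.53; do
    if naive_has_rule "$ns"; then echo "naive:  $ns covered"; else echo "naive:  $ns missing"; fi
    if dns_rule_present "$ns"; then echo "strict: $ns covered"; else echo "strict: $ns missing"; fi
done
```

With this listing the naive check reports 192.168.1.1 as covered (because of the syslog rule) and also 192.168.1.2 (a substring of 192.168.1.20), while the strict check reports only 10.0.0.53 as covered, which is the behaviour ifup-post needs.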
Comment 1 Dan Morrill 2002-04-14 22:15:19 EDT
Oops, forgot a step to reproduce:

1.  Add an ipchains rule (e.g. for syslog)
2.  service ipchains restart
3.  service network restart
Comment 2 Dan Morrill 2002-04-14 22:28:19 EDT
Oops, bug in the diff.  Disregard previous diff, use this one.

--- /etc/sysconfig/network-scripts/ifup-post.orig       Sun Apr 14 21:52:09
2002+++ /etc/sysconfig/network-scripts/ifup-post    Sun Apr 14 22:25:06 2002
@@ -90,7 +90,7 @@
        ns=`awk '/^nameserver / { print $2 }' /etc/resolv.conf`
        if [ -n "$ns" ]; then
                for nameserver in $ns ; do
-                       if ! ipchains -L input -n | grep -q $nameserver ; then
+                       if ! ipchains -L input -n | grep "\<53\>" | grep -q
$nameserver ; then
                                ipchains -I input -s $nameserver/32 53 -d 0/0
1025:65535 -p udp -j ACCEPT
                                [ -x /usr/bin/logger ] && logger $"punching
nameserver $nameserver through the firewall"
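Review bot: `grep "\<53\>"` on the `+` line still lets unrelated rules satisfy the check, because a word-bounded 53 also matches an address octet (a rule for 192.168.53.7, or a nameserver at 10.0.0.53 whatever its ports) and a TCP port 53 rule, and `$nameserver` is still unquoted with its dots acting as wildcards, so 10.1.1.1 matches 10.1.1.10. Match protocol, source address and source port together on one line, for instance `awk -v ns="$nameserver" '$2=="udp" && $4==ns && $6=="53"'` over the `-n` listing, or at least `grep udp | grep -F -- "$nameserver" | grep -q " 53 "`. Note also that `\<` and `\>` are GNU grep extensions, which is fine on RHL but worth a comment in the script.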
Comment 3 Dan Morrill 2002-04-30 17:35:51 EDT
Any progress on this?  I'm writing a book and need to know if this will be
resolved or not in 7.3. :)

(Not that it matters either way -- you can make a case for NOTABUG;  I'd just
like to know if it's going to be fixed.)
Comment 4 Bill Nottingham 2002-06-12 02:57:40 EDT
Whoops, sorry, no it wasn't fixed in 7.3.
Comment 5 Dan Morrill 2002-08-21 23:54:54 EDT
I was looking at ifup-post in null, and it looks like this fix for DNS
punch-throughs didn't make it in, though the file was converted to use iptables.
 (Unless I'm mistaken of course -- I haven't tested this yet, but it looks like
it'll have the same problem as 7.2/7.3.)

Just a reminder... :)
Comment 6 Bill Nottingham 2005-09-29 15:47:53 EDT
Closing bugs on older, no longer supported, releases. Apologies for any lack of
response.

Current releases no longer use this code, so it's unlikely changes will be made
to previous releases.
