Bug 65993 - ifup-post and TCP DNS
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: initscripts
Version: 7.3
Platform: i386 Linux
Priority: low
Severity: low
Assigned To: Bill Nottingham
QA Contact: Brock Organ
URL: http://www.tldp.org/HOWTO/IPCHAINS-HO...
Reported: 2002-06-04 15:11 EDT by Ville Skyttä
Modified: 2014-03-16 22:27 EDT
Doc Type: Bug Fix
Last Closed: 2005-04-05 15:51:30 EDT

Description Ville Skyttä 2002-06-04 15:11:02 EDT
This is really low priority and I haven't been bitten by it, but just noticed
that ifup-post only punches the incoming UDP DNS traffic through the local
firewall, and the IPCHAINS-HOWTO has a small chapter related to outgoing TCP
DNS connections [1].

Maybe it would be good to make ifup-post do something like:

ipchains -I output -s 0/0 1024:65535 -d $nameserver/32 53 -p tcp -y -j ACCEPT

...so DNS would also work in cases where there are some restrictions on
outgoing traffic.  Maybe also the corresponding rule with source port 53, and
the "-p tcp ! -y" input from these servers.

[1] <URL:http://www.tldp.org/HOWTO/IPCHAINS-HOWTO-5.html#ss5.2>
Comment 1 Bill Nottingham 2005-04-05 15:51:30 EDT
Closing, stateful connection handling takes care of this.
Comment 2 Ville Skyttä 2005-04-05 16:49:25 EDT
Yes, if the default config allows outgoing TCP connections to the DNS server,
and incoming related "replies".  That's what I meant by "some restrictions on
outgoing traffic", IIRC.

No need to reopen though, as said this is a very low priority one, and people
should probably be taking care of it themselves if they place that restrictive
default rules.  Just confirming that I understood your point.