Bug 72458 - ifup-post uses iptables -A to "punch hole through firewall" -- that doesn't work
Summary: ifup-post uses iptables -A to "punch hole through firewall" -- that doesn't work
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Public Beta
Classification: Retired
Component: initscripts
Version: null
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2002-08-23 22:20 UTC by ctm
Modified: 2014-03-17 02:30 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2002-08-23 22:20:41 UTC
Embargoed:



Description ctm 2002-08-23 22:20:34 UTC
Description of Problem:
When the "most secure" firewall installation option is checked,
DNS doesn't work on a DHCP'd ethernet.

Version-Release number of selected component (if applicable):
initscripts-6.90-1

How Reproducible:
Very.

Steps to Reproduce:
1. Install null from scratch.
2. Choose the most secure of the firewall settings.
3. Configure ethernet as DHCP.
4. Try to access something by name.

Actual Results:
timeout


Expected Results:
success

Additional Information:
It looks like the chain that you add -A to is already denying all UDP traffic,
so appending a rule that allows the DNS servers to send UDP packets doesn't do
anything useful.

It appears that changing "-A" to "-I" in
/etc/sysconfig/network-scripts/ifup-post fixes this problem.  There's also a
"-A" in /sbin/ifup.  I naively changed that from "-A" to "-I" on my first
attempt to solve the problem and that didn't help by itself, but I didn't bother
to change it back before I changed ifup-post.  I figure you guys know the
scripts much better than I do, so it makes more sense for you to find the
"right" fix.
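As an added illustration (not code from the bug report or from initscripts), the model below reproduces iptables' first-match chain evaluation: a DNS allow rule appended after the profile's UDP deny rule is never reached, while the same rule inserted at the top of the chain fires. The DNS server address and the shape of the reply packet are constructed.

```python
"""First-match model of an iptables chain: -A (append) vs -I (insert)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    proto: Optional[str] = None   # None = match any protocol
    src: Optional[str] = None     # None = match any source address
    sport: Optional[int] = None   # None = match any source port

    def matches(self, pkt: dict) -> bool:
        # Every specified field must equal the packet's field.
        return all(getattr(self, f) is None or getattr(self, f) == pkt[f]
                   for f in ("proto", "src", "sport"))


@dataclass
class Chain:
    rules: list = field(default_factory=list)
    policy: str = "ACCEPT"        # default verdict when no rule matches

    def append(self, rule: Rule) -> None:
        # iptables -A: the rule goes to the end of the chain.
        self.rules.append(rule)

    def insert(self, rule: Rule, pos: int = 1) -> None:
        # iptables -I: the rule goes at position 1 (top) by default.
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt: dict) -> str:
        # Netfilter stops at the first matching rule.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def punch_hole(method: str) -> str:
    """Build the 'most secure' chain, add the DNS hole with -A or -I,
    and return the verdict for a constructed DNS reply packet."""
    chain = Chain()
    chain.append(Rule("DROP", proto="udp"))          # profile denies all UDP
    dns_server = "192.0.2.53"                        # constructed address
    hole = Rule("ACCEPT", proto="udp", src=dns_server, sport=53)
    getattr(chain, method)(hole)                     # "append" or "insert"
    reply = {"proto": "udp", "src": dns_server, "sport": 53}
    return chain.verdict(reply)
```

Running `punch_hole("append")` yields DROP, matching the timeout in the report, while `punch_hole("insert")` yields ACCEPT.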

Comment 1 Bill Nottingham 2002-08-27 05:53:18 UTC
This should already be fixed in 6.91-1 or later.

