Red Hat Bugzilla – Bug 72458
ifup-post uses iptables -A to "punch hole through firewall" -- that doesn't work
Last modified: 2014-03-16 22:30:24 EDT
Description of Problem: When the "most secure" firewall installation option is checked, DNS doesn't work on a DHCP'd ethernet. Version-Release number of selected component (if applicable): initscripts-6.90-1 How Reproducible: Very. Steps to Reproduce: 1. Install null from scratch. 2. Chose the most secure of the firewall settings. 3. Configure ethernet as DHCP 4. Try to access something by name. Actual Results: timeout Expected Results: success Additional Information: It looks like the chain that you add -A to is already denying all UDP traffic, so appending a rule that allows the DNS servers to send UDP packets doesn't do anything useful. It appears that changing "-A" to "-I" in /etc/sysconfig/network-scripts/ifup-post fixes this problem. There's also a "-A" in /sbin/ifup. I naively changed that from "-A" to "-I" on my first attempt to solve the problem and that didn't help by itself, but I didn't bother to change it back before I changed ifup-post. I figure you guys know the scripts much better than I do, so it makes more sense for you to find the "right" fix.
This should be already fixed in 6.91-1 or later