Bug 72458 - ifup-post uses iptables -A to "punch hole through firewall" -- that doesn't work
ifup-post uses iptables -A to "punch hole through firewall" -- that doesn't work
Status: CLOSED RAWHIDE
Product: Red Hat Public Beta
Classification: Retired
Component: initscripts (Show other bugs)
null
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Bill Nottingham
Brock Organ
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-08-23 18:20 EDT by ctm
Modified: 2014-03-16 22:30 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-08-23 18:20:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description ctm 2002-08-23 18:20:34 EDT
Description of Problem:
When the "most secure" firewall installation option is checked,
DNS doesn't work on a DHCP'd ethernet.

Version-Release number of selected component (if applicable):
initscripts-6.90-1

How Reproducible:
Very.

Steps to Reproduce:
1. Install null from scratch.
2. Chose the most secure of the firewall settings.
3. Configure ethernet as DHCP
4. Try to access something by name.

Actual Results:
timeout


Expected Results:
success

Additional Information:
It looks like the chain that you add -A to is already denying all UDP traffic,
so appending a rule that allows the DNS servers to send UDP packets doesn't do
anything useful.

It appears that changing "-A" to "-I" in
/etc/sysconfig/network-scripts/ifup-post fixes this problem.  There's also a
"-A" in /sbin/ifup.  I naively changed that from "-A" to "-I" on my first
attempt to solve the problem and that didn't help by itself, but I didn't bother
to change it back before I changed ifup-post.  I figure you guys know the
scripts much better than I do, so it makes more sense for you to find the
"right" fix.
Comment 1 Bill Nottingham 2002-08-27 01:53:18 EDT
This should be already fixed in 6.91-1 or later

Note You need to log in before you can comment on or make changes to this bug.