Bug 80783 - FQDNs don't work in /etc/sysconfig/iptables
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
QA Contact: Ben Levenson
Reported: 2002-12-31 04:58 EST by Greg Pyhl
Modified: 2007-04-18 12:49 EDT (History)
Last Closed: 2003-07-01 05:54:39 EDT
Description Greg Pyhl 2002-12-31 04:58:43 EST
Description of problem:
If there are FQDNs in /etc/sysconfig/iptables, iptables won't start at boot time
because networking is not up and FQDNs cannot be resolved.

Version-Release number of selected component (if applicable):
All.

How reproducible:
Always.

Steps to Reproduce:
1. Add a rule that includes an FQDN to /etc/sysconfig/iptables
2. Boot the machine
Actual results:
iptables won't start.

Expected results:
iptables should start.

Additional info:
Solution: networking must be started before iptables during boot.
Comment 1 Michael Schwendt 2003-01-11 19:13:16 EST
> Solution: networking must be started before iptables during boot.

It's not that simple. That would be a security risk, putting the machine online
before the firewall is up.

I would suggest you resolve the FQDNs to their respective static IP address.
Comment 2 Greg Pyhl 2003-01-13 01:49:34 EST
While I agree that there's a theoretical security risk (the window of
opportunity is barely noticeable), FQDNs are sometimes very useful with services
like dyndns where the FQDN of a service is static but IP address changes from
time to time.

I've changed the starting order locally and think that it would be nice to see
this on official RHL, too, but I won't protest WONTFIX stamp either.
Comment 3 Dr Philip J Naylor 2004-10-14 04:46:35 EDT
Rather than switching the startup order, it would make more sense to
split the firewall configuration over two init scripts - one to close
everything down, that runs before networking is initialised, and one to
open the holes, afterwards.  Whether this should be a feature of the OS,
or down to sensible system administration is a matter for debate.

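The two-stage approach from comment 3, combined with the static-address resolution from comment 1, can be scripted. The following is an added example, not part of the bug report or of Red Hat's iptables init script: it splits an iptables-save style ruleset into a "pre" stage (table header, chain policies and rules with literal addresses, loadable before networking starts) and a "post" stage (hostname rules with each name replaced by a resolved address, for loading with iptables-restore --noflush once the network is up). The sample ruleset and the STATIC_HOSTS table are constructed so the script runs offline; on a live system the table would be dropped and getent would do the lookup.

```shell
#!/bin/sh
# Added example (not from the bug report): split an iptables-save ruleset into
# a pre-network stage (no name lookups) and a post-network stage (hostname
# rules resolved to addresses), so the default-deny policy is in place before
# the machine is reachable and the hostname rules load after DNS works.

# Constructed sample ruleset in iptables-save format (not from the report).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s admin.example.net -p tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.10 -p tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed name -> address table standing in for DNS so the example runs
# offline. Entries here are tried first; unknown names fall back to getent.
STATIC_HOSTS='admin.example.net 198.51.100.7'

# is_literal_addr NAME: succeed when NAME is an IPv4 address or CIDR prefix,
# i.e. something iptables can load without a resolver.
is_literal_addr() {
    case "$1" in
        *[!0-9./]*) return 1 ;;
        [0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# resolve_name NAME: print one address for NAME, or fail.
resolve_name() {
    addr=$(printf '%s\n' "$STATIC_HOSTS" | awk -v n="$1" '$1 == n { print $2; exit }')
    if [ -z "$addr" ] && command -v getent >/dev/null 2>&1; then
        addr=$(getent hosts "$1" 2>/dev/null | awk '{ print $1; exit }')
    fi
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# stage_rules pre|post RULES: print the requested stage of RULES on stdout.
# Fails if a hostname cannot be resolved, so a broken lookup never silently
# drops a rule or produces a half-built ruleset.
stage_rules() {
    mode=$1
    rules=$2
    set -f                        # no globbing while rule lines are word-split
    while IFS= read -r line; do
        case "$line" in
            '*'*|COMMIT)          # table header and COMMIT belong to both stages
                printf '%s\n' "$line" ;;
            :*)                   # chain policies (default deny) go in early
                if [ "$mode" = pre ]; then printf '%s\n' "$line"; fi ;;
            -*)
                needs_dns=0
                out=$line
                set -- $line
                while [ $# -gt 1 ]; do
                    if [ "$1" = -s ] || [ "$1" = -d ]; then
                        if ! is_literal_addr "$2"; then
                            needs_dns=1
                            addr=$(resolve_name "$2") || { set +f; echo "cannot resolve $2" >&2; return 1; }
                            # replace the name with its address, whether mid-line or last token
                            out=$(printf '%s\n' "$out" | sed "s| $2 | $addr |;s| $2\$| $addr|")
                        fi
                        shift
                    fi
                    shift
                done
                if [ "$needs_dns" -eq 0 ] && [ "$mode" = pre ]; then printf '%s\n' "$line"; fi
                if [ "$needs_dns" -eq 1 ] && [ "$mode" = post ]; then printf '%s\n' "$out"; fi ;;
        esac
    done <<EOF
$rules
EOF
    set +f
}

# Usage: the pre stage is what the early init script would feed to
# iptables-restore; the post stage is fed to iptables-restore --noflush later.
stage_rules pre "$SAMPLE_RULES"
stage_rules post "$SAMPLE_RULES"
```

The post stage freezes whichever address the resolver returned at load time, so for the dyndns-style hosts mentioned in comment 2 it has to be regenerated and reloaded whenever the address changes, and the rule is only as trustworthy as the DNS answer it was built from; the pre stage, by contrast, needs nothing but the kernel and keeps the policy closed until the holes are opened.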