Bug 80783 - FQDNs don't work in /etc/sysconfig/iptables
Summary: FQDNs don't work in /etc/sysconfig/iptables
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: iptables
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2002-12-31 09:58 UTC by Greg Pyhl
Modified: 2007-04-18 16:49 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2003-07-01 09:54:39 UTC

Attachments (Terms of Use)

Description Greg Pyhl 2002-12-31 09:58:43 UTC
Description of problem:
If there are FQDNs in /etc/sysconfig/iptables, iptables won't start at boot time
because networking is not up and FQDNs cannot be resolved.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Add some rule include FQDN to /etc/sysconfig/iptables
2. Boot the machine
Actual results:
iptables won't start.

Expected results:
iptables should start.

Additional info:
Solution: networking must be started before iptables during boot.

Comment 1 Michael Schwendt 2003-01-12 00:13:16 UTC
> Solution: networking must be started before iptables during boot.

It's not that simple. That would be a security risc, putting the machine online
before the firewall is up.

I would suggest you resolve the FQDNs to their respective static IP address.

Comment 2 Greg Pyhl 2003-01-13 06:49:34 UTC
While I agree that there's a theoretical security risk (the window of
opportunity is barely noticeable), FQDNs are sometimes very useful with services
like dyndns where the FQDN of a service is static but IP address changes from
time to time.

I've changed the starting order locally and think that it would be nice to see
this on official RHL, too, but I won't protest WONTFIX stamp either.

Comment 3 Dr Philip J Naylor 2004-10-14 08:46:35 UTC
Rather than switching the startup order, it would make more sense to
split the firewall configuration over two init scripts - one to close
everthing down, that runs before networking is initialised, and one to
open the holes, afterwards.  Whether this should be a feature of the OS,
or down to sensible system administration is a matter for debate.

Note You need to log in before you can comment on or make changes to this bug.