Bug 87585

| Summary: | RH firewall tools should use stateful tracking | | |
|---|---|---|---|
| Product: | [Retired] Red Hat Linux | Reporter: | Dax Kelson <dkelson> |
| Component: | gnome-lokkit | Assignee: | Bill Nottingham <notting> |
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | | |
| Version: | 9 | CC: | bill, ivo, mitr, rvokal |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2003-08-04 21:05:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 100643 | | |
| Attachments: | | | |
Description
Dax Kelson
2003-03-29 09:06:48 UTC
redhat-config-securitylevel calls lokkit to actually set the rules. Changing component to gnome-lokkit.

I'm attaching a new patch that implements a stateful rule set. The UI should be updated slightly, BUT it works right NOW with the existing UI (i.e., there is no difference between medium and high).

This SIMPLIFIES RHL quite a bit:
ifup-post no longer needs to "punch holes"
FIREWALLS_MODS in /etc/sysconfig files can be ditched
RPC apps a la NIS/NFS "just work"
Connections initiated by self "just work"

I teach 2 or 3 Red Hat Linux classes each month and you would not believe the carnage that results from the current "default" medium that stops NFS and NIS from working.

TODO:
Change UI from: High/Medium/Off to On/Off
Update anaconda
Update initscripts

Created attachment 93344 [details]
Patch to src/writer-linux-iptables.c to use stateful rules
I used rpmbuild -bc from gnome-lokkit-0.50-22.src.rpm to create a tree to patch against.
Note on what the new rules accomplish:
1) Gives better security than "HIGH" before
2) No breakage on connections *initiated* by host (i.e., all connections initiated by host "just work" now)

Created attachment 93348 [details]
Patch to /etc/sysconfig/network-scripts/ifup-post

ifup-post no longer needs to mess with the firewall
Created attachment 93349 [details]
Patch to /sbin/ifup -- no need to mess with FW rules with stateful lokkit
Note the initscripts bits have to stay; migrating FW configs on upgrades is a risky business.

Fixed in redhat-config-securitylevel-1.2.0-1.
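The contrast the report draws, as an added example that is not the attached patch nor lokkit's own output: a port-based rule set of the kind ifup-post had to patch up for each resolver, beside one built on connection tracking. The chain name RH-Firewall-EXAMPLE, the exact rules, and the IPT/CHAIN variables used for a dry run are assumptions.

```shell
#!/bin/sh
# Added example, not the bug's attached patch. IPT lets the functions be run
# dry (IPT=echo) instead of touching the kernel tables; CHAIN is a hypothetical
# chain name standing in for lokkit's own per-version chain.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-RH-Firewall-EXAMPLE}"

# Create the chain and hook it into INPUT, as lokkit does for its own chain.
new_chain() {
    "$IPT" -N "$CHAIN"
    "$IPT" -A INPUT -j "$CHAIN"
}

# Port-based ("medium"-style) filter. Replies are admitted by *source port*
# from each nameserver, so the rules must be rewritten whenever the resolver
# list changes (the hole punching ifup-post used to do), and any peer that
# sets its source port to 53 gets through. Replies to NIS/NFS and other RPC
# calls, which come from ports the portmapper picks at run time, have no rule.
legacy_rules() {
    for ns in "$@"; do
        "$IPT" -A "$CHAIN" -p udp -s "$ns" --sport 53 -j ACCEPT
    done
    "$IPT" -A "$CHAIN" -p tcp --syn -j REJECT
    "$IPT" -A "$CHAIN" -p udp -j REJECT
}

# Stateful filter. Connection tracking admits every packet that belongs to a
# flow this host started (NFS/NIS replies, DNS answers, ICMP errors about
# them) whatever port it arrives on; only the ports listed here accept NEW
# inbound connections, and the resolver list never has to be consulted.
stateful_rules() {
    "$IPT" -A "$CHAIN" -i lo -j ACCEPT
    "$IPT" -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        "$IPT" -A "$CHAIN" -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done
    "$IPT" -A "$CHAIN" -j REJECT --reject-with icmp-host-prohibited
}

# Usage (dry run): IPT=echo sh -c '. ./stateful.sh; new_chain; stateful_rules 22'
```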