Re: iptables restart hangs

From: Aleksandar Milivojevic (amilivojevic_at_pbl.ca)
Date: 02/23/05

    Date: Wed, 23 Feb 2005 08:35:44 -0600
    To: For users of Fedora Core releases <fedora-list@redhat.com>

    Bernd Radinger wrote:
    > in /etc/sysconfig/iptables-config change the configuration to:
    >
    > IPTABLES_MODULES_UNLOAD="no"
    >
    > I was told that fixes the problem

    It probably will, since he was hanging on module unload. It will also
    preserve connection tracking information. However, even with that
    option set, "iptables restart" will still flush all rules, set default
    policy to accept, and then start the firewall from scratch (so you will be
    wide open for that small time window, enough for a packet or two to pass
    by, which is sometimes all it takes to break into the machine). It is
    usually better to simply load new rules. And you can't use "iptables
    start" either, because it is doing the same thing (basically, "start"
    and "restart" are effectively the same, with "restart" having an option
    to save fw rules before stopping the firewall).

    I've raised some concerns some time ago on bugzilla about the iptables
    script and proposed (if I remember correctly) that either "start"
    shouldn't be unloading firewall rules, or that a new option for "restart"
    be implemented (that would only load new rules). I was told that
    there's no value in doing that since the time window is too small (not
    really, if the firewall is under attack from inside and the (inside) attacker
    can guess the approx. time when the firewall is to be restarted), and to modify
    my local iptables scripts if I don't like the way it is currently done.

    -- 
    Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
    Systems Administrator                           1499 Buffalo Place
    Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    
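The "simply load new rules" alternative from the post above, as an added example that is not part of the original message or of the Fedora iptables init script: iptables-restore replaces a whole table in a single commit, so the chains never pass through an ACCEPT policy and no modules are unloaded. The sample ruleset (default-deny with SSH allowed) and the backup path are constructed assumptions.

```shell
#!/bin/sh
# Atomic rule reload via iptables-restore instead of "service iptables
# restart". Added example, not from the original post. The ruleset below
# and the backup location are constructed for illustration.

# Emit the desired ruleset in iptables-save format (constructed sample).
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read a ruleset on stdin; succeed only if INPUT and FORWARD carry a
# DROP policy, i.e. the set never leaves the box open by default.
ruleset_is_default_deny() {
    awk '
        /^:INPUT /   && $2 != "DROP" { bad = 1 }
        /^:FORWARD / && $2 != "DROP" { bad = 1 }
        END { exit bad }'
}

# Apply atomically: back up the live rules, parse the new set without
# committing it (iptables-restore --test), then commit in one step.
# There is no flush, no policy reset to ACCEPT and no module unload.
apply_ruleset() {
    backup="/root/iptables.$(date +%s).bak"   # assumed backup path
    iptables-save > "$backup" || return 1
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

# Only touch the live firewall when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    build_ruleset | ruleset_is_default_deny && apply_ruleset
fi
```

Run as `sh reload.sh apply` (as root); without the argument the script only defines the functions.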
