Re: iptables restart hangs
From: Nathaniel Hall (halln_at_otc.edu)
Date: Wed, 23 Feb 2005 09:34:24 -0600 To: For users of Fedora Core releases <firstname.lastname@example.org>
-----BEGIN PGP SIGNED MESSAGE-----
Aleksandar Milivojevic wrote:
| Bernd Radinger wrote:
|> in /etc/sysconfig/iptables-config change the configuration to:
|> I was told that fixes the problem
| It probably will, since he was hanging on module unload. It will also
| preserve connection tracking information. However, even with that
| option set, "iptables restart" will still flush all rules, set default
| policy to accept, and then start firewall from scratch (so you will be
| wide open for that small time window, enough for a packet or two to pass
| by, which is sometimes all it takes to break into the machine). It is
| usually better to simply load new rules. And you can't use "iptables
| start" either, because it is doing the same thing (basically, "start"
| and "restart" are effectively the same, with "restart" having an option
| to save fw rules before stopping the firewall).
| I've raised some concerns some time ago on bugzilla about iptables
| script and proposed (if I remember correctly) that either "start"
| shouldn't be unloading firewall rules, or that new option for "restart"
| be implemented (that would only load new rules). I was told that
| there's no value in doing that since time window is too small (not
| really, if firewall is under attack from inside and (inside) attacker
| can guess approx. time when firewall is to be restarted), and to modify
| my local iptables scripts if I don't like the way it is currently done.
While the time to restart iptables is not very high, I do agree that
something should be added to the restart script. Would there really be
a huge problem with adding reload to the script? I know I usually have
a problem restarting a firewall through SSH when I am translating ports.
I ssh to a different port than 22, but prerouting rules translate it to
22. When I restart while using ssh, I get kicked out if it is a large
ruleset. If it is a small ruleset, I am fine. My only other option is
to be at the local console to restart iptables. If reload was an option
so that connections were not broken, that would help a lot.
Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
GPG Public Key ID: 0xAC187312
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
-----END PGP SIGNATURE-----
-- fedora-list mailing list email@example.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
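The "reload" both posters ask for already exists outside the init script: iptables-restore parses the whole rules file first and then replaces each table with a single kernel operation, so the chains are never flushed to ACCEPT and tracked connections (such as the SSH session doing the reload) survive. The script below is an added example, not code from the thread or from the Fedora init script. It assumes a setup like Hall's: sshd on port 22, admins connecting to a hypothetical port 2222 that a PREROUTING REDIRECT rule rewrites to 22, and a hypothetical management network 10.0.0.0/24. The 60-second rollback job and the use of `iptables-restore --test` (parse only, commit nothing) are the example's own additions; the latter is assumed to be available on the target host.

```shell
#!/usr/bin/env bash
# Added example (not from the mailing-list thread): reload iptables rules atomically
# with iptables-restore instead of "service iptables restart". The init script's
# restart flushes every chain, sets the policies to ACCEPT and re-adds rules one at
# a time; iptables-restore loads the whole file and commits each table in one
# operation, so there is no open window and established connections are kept.
set -eu

# Hypothetical values for this example; adjust to the host.
SSH_PORT_EXTERNAL=2222   # port the admin connects to (assumed)
SSH_PORT_INTERNAL=22     # port sshd listens on; PREROUTING redirects to it
MGMT_NET=10.0.0.0/24     # assumed management network allowed to open SSH

# Emit a complete iptables-restore ruleset to stdout. Pure text generation, so the
# result can be reviewed or diffed against `iptables-save` before it is applied.
build_ruleset() {
  ext="$1"; int="$2"; mgmt="$3"
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport ${ext} -j REDIRECT --to-ports ${int}
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${mgmt} -p tcp --dport ${int} -m state --state NEW -j ACCEPT
COMMIT
EOF
}
# Note: REDIRECT runs before the filter table sees the packet, so the INPUT rule
# matches the internal port (22), not the external one the client dialled.

# Sanity-check iptables-restore syntax on stdin: every *table must be closed by
# COMMIT, policies/rules must sit inside a table, and at least one table must exist.
# Returns 0 when the structure is sound, 1 otherwise.
check_ruleset() {
  awk '
    /^\*/        { if (open) bad = 1; open = 1; next }   # table header
    /^COMMIT$/   { if (!open) bad = 1; open = 0; commits++; next }
    /^[:-]/      { if (!open) bad = 1; next }            # chain policy or rule
    /^#/ || /^$/ { next }                                # comment or blank line
    { bad = 1 }                                          # anything else is junk
    END { if (bad || open || commits == 0) exit 1; exit 0 }
  '
}

# Apply a rules file atomically, with a safety net for remote administration:
# snapshot the live rules, parse-check the new file, schedule a rollback, then
# commit. Needs root and iptables-restore; not exercised by the self-test.
apply_ruleset() {
  new="$1"
  old=$(mktemp)
  iptables-save > "$old"                 # snapshot for rollback
  iptables-restore --test < "$new"       # parse the whole file; commits nothing
  # Unless this job is killed within 60 s (i.e. the new rules let the SSH session
  # live), the previous ruleset is restored automatically.
  ( sleep 60; iptables-restore < "$old" ) &
  echo "rollback to $old scheduled as pid $!; kill it once access is confirmed"
  iptables-restore < "$new"              # one replace per table, no ACCEPT window
}

# Default action prints and checks the generated ruleset; nothing touches the
# kernel unless the script is run as root with --apply.
if [ "${1:-}" = "--apply" ]; then
  rules=$(mktemp)
  build_ruleset "$SSH_PORT_EXTERNAL" "$SSH_PORT_INTERNAL" "$MGMT_NET" > "$rules"
  check_ruleset < "$rules" || { echo "ruleset failed sanity check" >&2; exit 1; }
  apply_ruleset "$rules"
else
  build_ruleset "$SSH_PORT_EXTERNAL" "$SSH_PORT_INTERNAL" "$MGMT_NET"
fi
```

Run without arguments to see the ruleset that would be loaded; run as root with `--apply` to load it. Because the commit happens per table rather than per rule, the ruleset's size no longer matters for whether the SSH session survives, which is the symptom Hall describes with large rulesets.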