#2938 firewall rules cause adapter start to fail

1.370
closed
Jamie Cameron
5
2007-10-21
2007-10-21
Denis Tonn
No

Webmin 1.3.70, Ubuntu server 7.10

1) Firewall rules created with DNS names instead of IP addresses as part of the compare conditions.
2) eth0 is set for static IP and automatically enabled.
3) DNS is external to the system, accessible through eth0.

This results in the creation of a rule similar to:
-A INPUT -s google.com -j ACCEPT
in /etc/iptables.up.rules

If you then change the firewall to "activate at boot", it will create a statement in /etc/network/interfaces
pre-up iptables-restore < /etc/iptables.up.rules
for eth0.

This leads to a catch-22 situation that will cause the adapter to fail on reboot or network restart. The network startup code will attempt to run the iptables-restore, which then fails because it is unable to do a DNS lookup on the name "google.com". This failure is then propagated back up to the network startup code and the adapter is not marked enabled (up).

A quick fix is to change the pre-up to a post-up in /etc/network/interfaces and not "enable the firewall" through Webmin any longer, but I suspect there is a better way to handle this. I know it will be messy...
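The failure above can be caught before it bites: a rules file that is restored from a pre-up hook must not need the resolver. The script below is an added example, not code from the bug report or from Webmin; it lints an iptables-restore file for -s/-d operands that are DNS names rather than IP literals, and applies the reporter's pre-up to post-up workaround to an /etc/network/interfaces stanza. The sample rules file and interfaces stanza are constructed here to mirror the report; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report or from Webmin: a lint for an
# iptables-restore rules file (the /etc/iptables.up.rules the report names)
# that flags -s/-d operands which are DNS names rather than IP literals.
# Such a file fails under "pre-up iptables-restore" because the interface
# that reaches the resolver is not up yet, which is the failure described.

# Return 0 when $1 has the shape of an IPv4 address or CIDR block, optionally
# negated with a leading "!"; return 1 for anything else (hostnames included).
# This is a shape check only, not full address validation, and IPv4 only.
is_ip_literal() {
    addr=${1#!}
    case "$addr" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    # Split the address part on dots; a dotted quad yields exactly four words.
    set -- $(printf '%s' "${addr%%/*}" | tr '.' ' ')
    [ $# -eq 4 ]
}

# Scan an iptables-restore file and print "<line>: <operand>" for every
# -s/-d operand that is not an IP literal. Return 1 if any were found, so the
# function can gate a boot-time hook. Both "-s ! host" and "! -s host" forms
# of negation are handled.
find_dns_names_in_rules() {
    rules_file=$1
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            '#'*|'*'*|':'*|COMMIT*) continue ;;   # comments, tables, chains
        esac
        set -- $line
        while [ $# -gt 1 ]; do
            case "$1" in
                -s|--src|--source|-d|--dst|--destination)
                    shift
                    operand=$1
                    if [ "$operand" = '!' ] && [ $# -gt 1 ]; then
                        shift
                        operand="!$1"
                    fi
                    if ! is_ip_literal "$operand"; then
                        printf '%s: %s\n' "$lineno" "$operand"
                        found=1
                    fi
                    ;;
            esac
            shift
        done
    done < "$rules_file"
    return "$found"
}

# Print $1 (an /etc/network/interfaces file) with the reporter's workaround
# applied: the iptables-restore hook moved from pre-up to post-up.
move_restore_to_post_up() {
    sed 's/^\([[:space:]]*\)pre-up \(iptables-restore\)/\1post-up \2/' "$1"
}

# Constructed sample rules file reproducing the report's situation.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s google.com -j ACCEPT
-A INPUT ! -d 10.0.0.1 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF

if find_dns_names_in_rules "$SAMPLE_RULES"; then
    echo "no DNS names in $SAMPLE_RULES; safe to restore before the network is up"
else
    echo "DNS names above need a resolver; run iptables-restore from post-up, not pre-up"
fi
```

Run against the real /etc/iptables.up.rules, the lint lists the offending line numbers (here "7: google.com"), and a non-zero exit makes it usable as a guard before the hook is written into the interfaces file. Moving the hook to post-up removes the ordering problem but, as the maintainer notes below, still leaves the rule set depending on the resolver being reachable; replacing the names with addresses removes the dependency entirely.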

Discussion

  • Jamie Cameron
    2007-10-21

    Looks like the proper Webmin solution here is to put the firewall activation in post-up instead of pre-up. I will change the module in the next Webmin release to do this.

    That said, use of DNS names in firewall rules is not a good idea in the first place, as your DNS server may be down, causing rules to be only partially applied (or not at all).

  • Jamie Cameron
    2007-10-21

    • status: open --> closed