From: Jamie C. <jca...@we...> - 2006-03-20 19:15:29

Hi Dave,
You should be able to use the 'Reject with ICMP code' field to change the --reject-with option, or better still select the Default option to remove it altogether.

 - Jamie

On 20/Mar/2006 12:58 Dave Isaacs wrote ..
> Actually, the problem is not *completely* beyond the scope of Webmin.
>
> Everything in our iptables file is hunky-dory until, during our upgrade process, a 'server iptables save' command is used. This command appears to append '--reject-with icmp-port-unreachable' to the end of any REJECT rules that do not already have a --reject-with argument.
>
> Webmin, it appears, does not provide any way to edit this argument. When the rule is changed back to ACCEPT, it maintains the --reject-with argument even though it no longer applies.
>
> I guess this could be considered a Webmin bug, or maybe just a lack of functionality.
>
> Any ideas for a work-around (beyond dropping the affected rules and recreating them manually)?
>
> Thanks
>
> Dave I
>
> > -----Original Message-----
> > From: web...@li... [mailto:web...@li...] On Behalf Of Dave Isaacs
> > Sent: Friday, March 17, 2006 4:52 PM
> > To: 'web...@li...'
> > Subject: RE: [webmin-l] Firewall error
> >
> > Let's see,
> >
> > Line 42: -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT --reject-with icmp-port-unreachable
> >
> > I must say, that looks odd. I have no idea where that --reject-with came from. Looking at the Webmin Action Logs, the file diffs do NOT show that being added.
> >
> > Looks like there must be a problem beyond the scope of Webmin.
> >
> > Thanks
> >
> > Dave I
> >
> > -----Original Message-----
> > From: web...@li... [mailto:web...@li...] On Behalf Of Craig White
> > Sent: Friday, March 17, 2006 4:44 PM
> > To: web...@li...
> > Subject: Re: [webmin-l] Firewall error
> >
> > On Fri, 2006-03-17 at 16:35 -0500, Dave Isaacs wrote:
> > > We have an issue here while performing an upgrade to our Red Hat EL3 machine.
> > >
> > > Before the upgrade, the Linux Firewall module is used to disable access to port 25 (the existing Accept rule is set to Reject).
> > >
> > > After the upgrade, when the Linux Firewall module is used to turn port 25 back on (change the Reject to Accept), we get the following error:
> > >
> > > Failed to apply configuration :
> > > Flushing firewall rules: [  OK  ]
> > > Setting chains to policy ACCEPT: filter mangle nat [  OK  ]
> > > Unloading iptables modules: [  OK  ]
> > > Applying iptables firewall rules: iptables-restore v1.2.8: Unknown arg
> > > `--reject-with'
> > > Error occured at line: 42
> > > Try `iptables-restore -h' or 'iptables-restore --help' for more
> > > information.
> > > [FAILED]
> > >
> > > Any idea what the problem might be?
> > >
> > > BTW, part of the upgrade also upgrades Webmin from version 1.170 to 1.250.
> > ----
> > it would make sense to post the contents of line 42
> > in /etc/sysconfig/iptables
> >
> > Craig
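As an added example (not from the thread, Webmin or Red Hat), a small Python checker that scans an iptables-save style file such as /etc/sysconfig/iptables for rules that carry a --reject-with argument but no longer jump to REJECT, which is exactly the line-42 combination that iptables-restore rejected above, and that emits a cleaned rule set with the stale argument removed; the sample rule set below is constructed for the demonstration.

```python
import re
import sys

# Constructed sample in iptables-save format, modelled on the thread: line 6 is
# the former REJECT rule flipped back to ACCEPT with its --reject-with left behind.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 22 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The jump target of a rule (-j / --jump) and the --reject-with option with its value.
TARGET_RE = re.compile(r"(?:^|\s)(?:-j|--jump)\s+(\S+)")
REJECT_WITH_RE = re.compile(r"\s--reject-with\s+\S+")


def rule_target(line):
    """Return the jump target of a rule line, or None if it has no -j/--jump."""
    m = TARGET_RE.search(line)
    return m.group(1) if m else None


def has_stale_reject_with(line):
    """True when --reject-with is present but the target is not REJECT."""
    return bool(REJECT_WITH_RE.search(line)) and rule_target(line) != "REJECT"


def find_stale_reject_with(text):
    """Return (line_number, rule) for every rule iptables-restore would refuse."""
    return [(n, l) for n, l in enumerate(text.splitlines(), 1) if has_stale_reject_with(l)]


def strip_stale_reject_with(text):
    """Return the rule set with --reject-with removed from non-REJECT rules only."""
    lines = [REJECT_WITH_RE.sub("", l) if has_stale_reject_with(l) else l
             for l in text.splitlines()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: check_reject_with.py [/etc/sysconfig/iptables]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for n, rule in find_stale_reject_with(text):
        print(f"line {n}: stale --reject-with on non-REJECT rule: {rule}")
```

Run it against the saved rules before invoking iptables-restore; the cleaned text from strip_stale_reject_with is what you would write back after reviewing the flagged lines.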