From: Jamie C. <jca...@we...> - 2006-03-21 17:36:15
Hi Dave,<br />There is no work-around at the moment; however, I will fix this in a future release<br />of Webmin, by allowing the ICMP rejection type to be selected in custom chains.<br /><br />&nbsp;- Jamie<br /><br />On 21/Mar/2006 06:44 Dave Isaacs wrote ..
<blockquote type="cite">
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff">Jamie,</font></span></div>
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff">Is there any way around the issue I described below?&nbsp; I don't understand why the Firewall module works that way.</font></span></div>
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff">At the moment, our only solution is to drop the rule entirely and recreate it, or edit iptables by hand.</font></span></div>
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff">Thanks</font></span></div>
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="082204312-21032006"><font size="2" face="Arial" color="#0000ff">Dave I</font></span></div>
<blockquote dir="ltr" style="margin-right: 0px;">
<div></div>
<div lang="en-us" dir="ltr" align="left" class="OutlookMessageHeader"><font size="2" face="Tahoma">-----Original Message-----<br /><b>From:</b> web...@li... [mailto:web...@li...] <b>On Behalf Of </b>Dave Isaacs<br /><b>Sent:</b> Monday, March 20, 2006 3:08 PM<br /><b>To:</b> 'web...@li...'<br /><b>Subject:</b> RE: [webmin-l] Firewall error<br /><br /></font></div>
<div><span class="608360420-20032006"><font size="2" face="Arial" color="#0000ff">Looking at the code, I see that the "Reject with ICMP code" field appears for rules that are part of the chains INPUT, OUTPUT, FORWARD.</font></span></div>
<div><span class="608360420-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="608360420-20032006"><font size="2" face="Arial" color="#0000ff">The rules in question are part of a custom chain named "NFS-Input", therefore the "Reject with ICMP code" field does not appear.</font></span></div>
<div><span class="608360420-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="608360420-20032006"><font size="2" face="Arial" color="#0000ff">Dave I</font></span></div>
<blockquote dir="ltr" style="margin-right: 0px;">
<div></div>
<div lang="en-us" dir="ltr" align="left" class="OutlookMessageHeader"><font size="2" face="Tahoma">-----Original Message-----<br /><b>From:</b> web...@li... [mailto:web...@li...] <b>On Behalf Of </b>Dave Isaacs<br /><b>Sent:</b> Monday, March 20, 2006 2:46 PM<br /><b>To:</b> 'web...@li...'<br /><b>Subject:</b> RE: [webmin-l] Firewall error<br /><br /></font></div>
<div><span class="283134519-20032006"><font size="2" face="Arial" color="#0000ff">There is no such field that I can see.&nbsp; Is this a new field?&nbsp; I am using 1.250.</font></span></div>
<div><span class="283134519-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="283134519-20032006"><font size="2" face="Arial" color="#0000ff">Thanks</font></span></div>
<div><span class="283134519-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="283134519-20032006"><font size="2" face="Arial" color="#0000ff">Dave I</font></span></div>
<blockquote style="margin-right: 0px;">
<div></div>
<div lang="en-us" dir="ltr" align="left" class="OutlookMessageHeader"><font size="2" face="Tahoma">-----Original Message-----<br /><b>From:</b> web...@li... [mailto:web...@li...] <b>On Behalf Of </b>Jamie Cameron<br /><b>Sent:</b> Monday, March 20, 2006 1:30 PM<br /><b>To:</b> web...@li...<br /><b>Subject:</b> RE: [webmin-l] Firewall error<br /><br /></font></div>Hi Dave,<br />You should be able to use the 'Reject with ICMP code' field to change the --reject-with option, or better still select the Default option to remove it altogether.<br /><br />&nbsp;- Jamie<br /><br />On 20/Mar/2006 12:58 Dave Isaacs wrote ..
<blockquote type="cite">
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff">Actually, the problem is not *completely* beyond the scope of Webmin.</font></span></div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff">Everything in our iptables file is hunky-dory until, during our upgrade process, a 'server iptables save' command is used.&nbsp; This command appears to append '--reject-with icmp-port-unreachable' to the end of any REJECT rules that do not already have a --reject-with argument.</font></span></div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff">Webmin, it appears, does not provide any way to edit this argument.&nbsp; When the rule is changed back to ACCEPT, it maintains the --reject-with argument even though it no longer applies.</font></span></div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff">I guess this could be considered a Webmin bug, or maybe just a lack of functionality.</font></span></div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff">Any ideas for a work-around (beyond dropping the affected rules and recreating them manually)?</font></span></div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff">Thanks</font></span></div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff"></font></span>&nbsp;</div>
<div><span class="363474418-20032006"><font size="2" face="Arial" color="#0000ff">Dave I</font></span></div>
<blockquote dir="ltr" style="margin-right: 0px;">
<div></div>
<div lang="en-us" dir="ltr" align="left" class="OutlookMessageHeader"><font size="2" face="Tahoma">-----Original Message-----<br /><b>From:</b> web...@li... [mailto:web...@li...] <b>On Behalf Of </b>Dave Isaacs<br /><b>Sent:</b> Friday, March 17, 2006 4:52 PM<br /><b>To:</b> 'web...@li...'<br /><b>Subject:</b> RE: [webmin-l] Firewall error<br /><br /></font></div>
<p><font size="2">Let's see,</font> </p>
<p><font size="2">Line 42: -A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT --reject-with icmp-port-unreachable</font></p>
<p><font size="2">I must say, that looks odd.&nbsp; I have no idea where that --reject-with came from.&nbsp; Looking at the Webmin Action Logs, the file diffs do NOT show that being added.</font></p>
<p><font size="2">Looks like there must be a problem beyond the scope of Webmin.</font> </p>
<p><font size="2">Thanks</font> </p>
<p><font size="2">Dave I</font> </p>
<p><font size="2">-----Original Message-----</font> <br /><font size="2">From: web...@li... [<a href="_unsafe_link_">mailto:web...@li...</a>] On Behalf Of Craig White</font></p>
<p><font size="2">Sent: Friday, March 17, 2006 4:44 PM</font> <br /><font size="2">To: web...@li...</font> <br /><font size="2">Subject: Re: [webmin-l] Firewall error</font> </p><br />
<p><font size="2">On Fri, 2006-03-17 at 16:35 -0500, Dave Isaacs wrote:</font> <br />
<font size="2">> We have an issue here while performing an upgrade to our Red Hat EL3 </font><br />
<font size="2">> machine.</font> <br />
<font size="2">> </font><br />
<font size="2">> Before the upgrade, the Linux Firewall module is used to disable </font><br />
<font size="2">> access to port 25 (the existing Accept rule is set to Reject).</font> <br />
<font size="2">> </font><br />
<font size="2">> After the upgrade, when the Linux Firewall module is used to turn port </font><br />
<font size="2">> 25 back on (change the Reject to Accept), we get the following error:</font> <br />
<font size="2">> </font><br />
<font size="2">> </font><br />
<font size="2">> Failed to apply configuration :</font> <br />
<font size="2">> Flushing firewall rules: [&nbsp; OK&nbsp; ] </font><br />
<font size="2">> Setting chains to policy ACCEPT: filter mangle nat [&nbsp; OK&nbsp; ] </font><br />
<font size="2">> Unloading iptables modules: [&nbsp; OK&nbsp; ] </font><br />
<font size="2">> Applying iptables firewall rules: iptables-restore v1.2.8: Unknown arg</font> <br />
<font size="2">> `--reject-with' </font><br />
<font size="2">> Error occured at line: 42 </font><br />
<font size="2">> Try `iptables-restore -h' or 'iptables-restore --help' for more</font> <br />
<font size="2">> information. </font><br />
<font size="2">> [FAILED]</font> <br />
<font size="2">> </font><br />
<font size="2">> </font><br />
<font size="2">> Any idea what the problem might be?</font> <br />
<font size="2">> </font><br />
<font size="2">> BTW, part of the upgrade also upgrades Webmin from version 1.170 to </font><br />
<font size="2">> 1.250.</font> <br />
<font size="2">----</font> <br />
<font size="2">it would make sense to post the contents of line 42</font> <br />
<font size="2">in /etc/sysconfig/iptables</font> </p>
<p><font size="2">Craig</font> </p><br /><br />
</blockquote></blockquote><br /></blockquote></blockquote></blockquote></blockquote><br />
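The failure in this thread is a rule whose target was switched from REJECT to ACCEPT while the REJECT-only option --reject-with stayed attached, so iptables-restore rejects the whole file with "Unknown arg `--reject-with'" at that line. A cheap pre-flight check catches this before the ruleset is applied. The script below is an added example, not code from the thread or from Webmin: it reads a dump in iptables-save format, reports every rule that carries --reject-with without a REJECT target (the same line numbering iptables-restore prints), and can strip the stale option, which is the manual equivalent of Jamie's "select the Default option". The sample dump, the chain name RH-Firewall-1-INPUT, the custom chain NFS-Input and the function names are taken from the thread or constructed for the example.

```python
"""Lint an iptables-save dump for a stale '--reject-with' option.

Added example, not part of the thread or of Webmin. It checks for the
symptom described in the thread: a rule whose target is no longer REJECT
but which still carries '--reject-with <type>', which makes
iptables-restore fail with "Unknown arg `--reject-with'".
"""
import re
import shlex
from typing import List, Tuple

# Constructed sample in iptables-save format. Line 5 mirrors the broken
# "line 42" quoted in the thread; line 6 is a legitimate REJECT rule in a
# custom chain ("NFS-Input") whose option must be left alone.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:NFS-Input - [0:0]
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 25 --state NEW -j ACCEPT --reject-with icmp-port-unreachable
-A NFS-Input -p tcp -m tcp --dport 2049 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

REJECT_WITH = "--reject-with"


def _target(tokens: List[str]) -> str:
    """Return the jump target (-j / --jump) of a tokenised rule, or ''."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-j", "--jump"):
            return tokens[i + 1]
    return ""


def find_stale_reject_with(dump: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every rule that carries --reject-with
    but whose target is not REJECT. Line numbers are 1-based, matching the
    'Error occured at line: N' message iptables-restore prints."""
    findings = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        if not line.startswith(("-A", "-I")):
            continue  # table headers, chain declarations, COMMIT, comments
        tokens = shlex.split(line)  # honours quoted values such as --comment "..."
        if REJECT_WITH in tokens and _target(tokens) != "REJECT":
            findings.append((lineno, line))
    return findings


def strip_stale_reject_with(dump: str) -> str:
    """Return the dump with '--reject-with <type>' removed from rules whose
    target is not REJECT. REJECT rules, including those in custom chains
    such as NFS-Input, keep their option untouched."""
    stale = {n for n, _ in find_stale_reject_with(dump)}
    out = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        if lineno in stale:
            line = re.sub(r"\s+--reject-with\s+\S+", "", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Report the problem lines first, then print the cleaned dump.
    for n, rule in find_stale_reject_with(SAMPLE_DUMP):
        print(f"line {n}: --reject-with on a non-REJECT rule: {rule}")
    print(strip_stale_reject_with(SAMPLE_DUMP), end="")
```

Run it against a copy of /etc/sysconfig/iptables before the "Apply Configuration" step; the reported line number is the one iptables-restore would fail on. Newer iptables-restore releases also accept a test-only flag (--test) that parses the file without committing it, which is the native way to get the same check; the 1.2.8 version in the thread predates that, which is why a standalone check is useful there.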