iptables restart hangs
Nathaniel Hall
halln at otc.edu
Wed Feb 23 15:34:24 UTC 2005
Aleksandar Milivojevic wrote:
| Bernd Radinger wrote:
|
|> in /etc/sysconfig/iptables-config change the configuration to:
|>
|> IPTABLES_MODULES_UNLOAD="no"
|>
|> I was told that fixes the problem
|
| It probably will, since he was hanging on module unload. It will also
| preserve connection tracking information. However, even with that
| option set, "iptables restart" will still flush all rules, set default
| policy to accept, and then start firewall from scratch (so you will be
| wide open for that small time window, enough for a packet or two to pass
| by, which is sometimes all it takes to break into the machine). It is
| usually better to simply load new rules. And you can't use "iptables
| start" either, because it is doing the same thing (basically, "start"
| and "restart" are effectively the same, with "restart" having an option
| to save fw rules before stopping the firewall).
|
| I've raised some concerns some time ago on bugzilla about iptables
| script and proposed (if I remember correctly) that either "start"
| shouldn't be unloading firewall rules, or that new option for "restart"
| be implemented (that would only load new rules). I was told that
| there's no value in doing that since time window is too small (not
| really, if firewall is under attack from inside and (inside) attacker
| can guess approx. time when firewall is to be restarted), and to modify
| my local iptables scripts if I don't like the way it is currently done.
|
While the time to restart iptables is not very high, I do agree that
something should be added to the restart script. Would there really be
a huge problem with adding reload to the script? I know I usually have
a problem restarting a firewall through SSH when I am translating ports.
I ssh to a different port than 22, but prerouting rules translate it to
22. When I restart while using ssh, I get kicked out if it is a large
ruleset. If it is a small ruleset, I am fine. My only other option is
to be at the local console to restart iptables. If reload was an option
so that connections were not broken, that would help a lot.
-- 
Nathaniel Hall, GSEC
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking
halln at otc.edu
417-447-7535
GPG Public Key ID: 0xAC187312
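The "reload" the thread asks for can be built locally with iptables-restore, which replaces each table in one step at COMMIT instead of flushing first. The script below is an added example, not code from the thread or from the Red Hat init script: the function names are made up for illustration, it assumes iptables-save and iptables-restore are installed and that reload_firewall runs as root, and the alternate SSH port and interface it takes as arguments (2222, eth0 in the comments) are constructed values.

```shell
# Added example, not the thread's own code: a firewall "reload" that swaps the
# ruleset atomically with iptables-restore instead of flush + rebuild. Assumes
# iptables-save/iptables-restore exist and reload_firewall runs as root.
# Ruleset for the scenario in the thread: SSH reached through an alternate
# port that PREROUTING redirects to 22. Args: alternate port, LAN interface.
# The ESTABLISHED,RELATED rule keeps the live SSH session through a reload as
# long as conntrack state is retained (IPTABLES_MODULES_UNLOAD="no").
build_ruleset() {
    alt_port="$1"
    lan_if="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $lan_if -p tcp --dport $alt_port -j REDIRECT --to-ports 22
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Every "*table" must be closed by COMMIT or iptables-restore rejects the file.
ruleset_is_wellformed() {
    tables=$(grep -c '^\*' "$1")
    commits=$(grep -c '^COMMIT$' "$1")
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# iptables-restore replaces each table at COMMIT, so no packet sees an empty
# chain with policy ACCEPT as it can during "service iptables restart".
# If loading fails, reinstate the ruleset saved just before the attempt.
reload_firewall() {
    new="$1"
    ruleset_is_wellformed "$new" || { echo "malformed ruleset: $new" >&2; return 1; }
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || { rm -f "$backup"; return 1; }
    if ! iptables-restore < "$new"; then
        echo "restore failed, rolling back" >&2
        iptables-restore < "$backup"
        rm -f "$backup"
        return 1
    fi
    rm -f "$backup"
}
```

Typical use: `build_ruleset 2222 eth0 > /etc/sysconfig/iptables.new && reload_firewall /etc/sysconfig/iptables.new`; the atomic swap is per table, so the nat and filter tables are still replaced one after the other.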