On 06/12/2007 12:33 AM, David Timms wrote:
> Sjoerd Mullender wrote:
>> I just discovered the checkmark with file selector "Use the custom rules
>> file" in the Advanced Options tab of system-config-securitylevel (System
>> -> Administration -> Firewall and SELinux). Is it me or is it totally
>> useless?
>>
>> The blurb says that you can add additional rules to be added after the
>> defaults. So the rules that you add are added after the rule
>>
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>> which means that your extra rules are never actually used. All input
>> packets have already been directed to the REJECT rule by the time the
>> extra rules are seen.
>>
>> Or am I missing something here?
>>
>> If it's not me but the program, I'll bugzilla this.
>>
>> This is in Fedora7 and system-config-securitylevel-1.7.0-1.fc7.
> So maybe you can iptables --list before and after you try it out, and
> tell us where the rule gets inserted ?
>
> If it works correctly you could file a bug for the help text, if not
> file a bug about it not working and why.
>
> DaveT.
>

Before:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited
#

Then I checked the box and selected the file.

Result afterward:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     0    --  192.168.244.0/24     anywhere
#

Note that the reject rule is before the new entry (I added a file with a
single line

-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT

)

It may be clearer to look at the generated file /etc/sysconfig/iptables:

# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT
COMMIT

--
Sjoerd Mullender
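The problem shown in the message above, a rule appended to a chain after that chain's catch-all REJECT, can be caught mechanically before a ruleset is loaded. The following is an added example, not code from the thread or from system-config-securitylevel: a small shell check that reads an iptables-save style file on stdin and reports every -A line that follows an unconditional ACCEPT/DROP/REJECT in the same chain. The two embedded rulesets are constructed from the one quoted in the message (trimmed), one with the vmnet8 rule after the REJECT and one with it placed before.

```shell
# Added example (not from the thread): flag rules that can never match
# because they sit after an unconditional terminating rule in the same chain.
# Input is iptables-save / /etc/sysconfig/iptables format, read on stdin.

# Constructed sample modelled on the ruleset quoted in the thread: the vmnet8
# rule is appended after the catch-all REJECT and is therefore dead.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT
COMMIT'

# Same ruleset with the custom rule placed before the REJECT, which is where
# it has to be for the rule to ever see a packet.
SAMPLE_FIXED='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# find_dead_rules: prints "LINE: rule" for each unreachable -A line and
# returns 1 if any were found, 0 otherwise.
find_dead_rules() {
    awk '
    /^\*/ { table = substr($1, 2) }               # *filter, *nat, ...
    /^-A / {
        key = table "/" $2                        # chains are per table
        # "-A CHAIN -j TARGET" with no match options matches every packet
        # (--reject-with is the only extra argument REJECT carries here).
        catchall = ($3 == "-j" && (NF == 4 || (NF == 6 && $5 == "--reject-with")))
        terminal = ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")
        if (key in closed) { print NR ": " $0; dead++ }
        else if (catchall && terminal) closed[key] = 1
    }
    END { exit (dead > 0) }'
}
```

Run it as `find_dead_rules < /etc/sysconfig/iptables`; on the constructed sample it reports line 11, the vmnet8 rule, and reports nothing for the reordered ruleset.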