incoming ssh/sftp blocked by iptables

Fulko.Hew at sita.aero
Thu Apr 15 13:48:08 UTC 2004



Here is _my_ last comment on the issue of SSH blocked by iptables.


> I would think that the startup script for SSH should
> also punch a hole in iptables in a similar manner.
>
> Any comments before I Bugzilla it?


The issue apparently has been bugzilla'ed and resolved, but it is
more complicated than I had originally thought.

Let me go back in history to let you know why I was complaining
about what I was...

1/ When I installed test 2, I did not do an upgrade from test 1.
2/ During installation I selected 'no firewall' because I want/need
   unrestricted access within my local LAN and I have an external
   firewall to the rest of the world.
3/ Due to the massive problems with SELinux during the first day
   of test 2, I disabled SELinux on my machine and left it that
   way.
4/ Apparently a bug in the way 'disabling SELinux' was handled
   accidentally turned the firewall BACK ON.  (This bug was apparently
   fixed on Apr 8, but my machine had already been 'changed'
   by this bug and had the firewall enabled (without my knowledge).)
5/ Now when I tried SSH I complained because I was being firewalled,
   even though I 'knew' I had disabled the firewall (how naive).
6/ Then looking at NTP I saw a solution to a problem I didn't
   know I had... punching through firewalls.


In retrospect, this all needs to be re-tested when test 3 ISOs
come out, to make sure that firewalls are indeed off when off
was selected, and stay off even when SELinux is disabled.

And... hopefully SELinux will be configured sufficiently so as not to
cause grief if left on.


In conclusion, I (probably) agree with others that say firewalls
shouldn't be punched through when applications are started.

BUT

on the other hand, there should be sufficient warning to users/admins
to tell them that 'other' sub-systems may be preventing something
from working.

i.e. without a lot of effort... how was _I_ supposed to know that
     the firewall had turned _itself_ back on?

This is the user/admin friendliness that everyone always alludes to.

In my case, unfortunately I don't know how/when to throw a message up
in the admin's face to say: 'The system decided to re-configure itself
contrary to what you originally selected.'
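The boot-time check the post asks for, as an added example that is not part of this thread or of Fedora's firewall scripts: it walks the INPUT chain of an `iptables-save` dump for a new tcp/22 packet, following jumps into user chains, and returns the terminating verdict so an admin who selected 'no firewall' can be warned when rules are silently back. The function names, the constructed SAMPLE_DUMP and its RH-Firewall-1-INPUT chain are my assumptions, modelled on a stock Fedora ruleset with a hole punched for NTP but none for sshd.

```python
import shlex
# Constructed sample styled after a stock Fedora firewall: a user chain with a catch-all REJECT and a hole for NTP but not sshd.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rules(dump):
    """Return ({chain: policy}, {chain: [rule tokens]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            toks = shlex.split(line)
            chains.setdefault(toks[1], []).append(toks[2:])
    return policies, chains

def _applies(toks, proto, dport):
    """Would this rule match a NEW proto/dport packet arriving from the LAN?"""
    opts = dict(zip(toks, toks[1:]))  # option -> following value ('!' negation and port ranges unsupported)
    return (opts.get("-i") != "lo"    # a remote packet never arrives on loopback
            and opts.get("-p", proto) == proto
            and int(opts.get("--dport", dport)) == dport
            and "NEW" in opts.get("--state", "NEW").split(","))

def verdict(policies, chains, chain="INPUT", proto="tcp", dport=22):
    """Walk a chain as netfilter would and return the terminating target."""
    for toks in chains.get(chain, []):
        if "-j" not in toks or not _applies(toks, proto, dport):
            continue
        target = toks[toks.index("-j") + 1]
        if target in chains:  # jump into a user chain such as RH-Firewall-1-INPUT
            target = verdict(policies, chains, target, proto, dport)
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target     # terminating; LOG or a sub-chain RETURN falls through
    policy = policies.get(chain, "-")
    return "RETURN" if policy == "-" else policy  # '-' marks a user chain

def firewall_warning(dump):
    result = verdict(*parse_rules(dump))
    return None if result == "ACCEPT" else "WARNING: firewall active, inbound tcp/22 gets " + result
```

In practice the dump comes from `iptables-save` (run as root) at the end of boot, and a non-None result is the message the admin should see.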







More information about the fedora-test-list mailing list