Default Hole In Firewall?

I find I have to do:

Linux Firewall
Chain RH-Firewall-1-INPUT
Add Rule
Comment: VirtualMin remote access
Protocol Equals TCP
Destination Port Equals 10000
<Move new rule above "Reject always" rule>
Apply Configuration

in order to use VirtualMin from another machine. Shouldn’t that happen by default during the installation?


And another little buglet: When adding rules, you can’t put anything in the “Comment” field, or you’ll get a:

Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: nat mangle filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore v1.2.11: Couldn’t load match `comment’:/lib/iptables/ cannot open shared object file: No such file or directory

Error occurred at line: 22
Try `iptables-restore -h’ or ‘iptables-restore --help’ for more information.

Error when you hit "Apply Configuration".

Unless you go into ‘module config’ and set “# comments in save file”

[Still can’t get a DNS-sized hole in the firewall, but that’s probably a rathole…]
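An added example, not part of the original post and not Webmin's own code: the manual steps above applied to an iptables-save style file, placing the port 10000 rule directly above the chain's REJECT rule and recording the comment as a "#" line rather than a `-m comment` match. The function names, the sample rule set and the exact rule text (`-p tcp -m tcp --dport 10000 -j ACCEPT`) are assumptions written for illustration.

```shell
#!/bin/sh
# Print the line numbers of rules that use "-m comment", the match that
# iptables-restore v1.2.11 failed to load in the post above.
comment_match_lines() {
    grep -n -e '-m comment' | cut -d: -f1
}

# insert_before_reject CHAIN COMMENT RULE   (save file on stdin, result on stdout)
# Places "# COMMENT" and "-A CHAIN RULE" directly above CHAIN's first REJECT
# rule. iptables-restore skips lines starting with "#", so no comment module
# is needed. Leaves the file unchanged if the rule is already present and
# exits 1 if CHAIN has no REJECT rule to anchor on.
insert_before_reject() {
    awk -v chain="$1" -v comment="$2" -v rule="$3" '
        BEGIN { new = "-A " chain " " rule }
        { line[NR] = $0; if ($0 == new) present = 1 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!present && !done &&
                    index(line[i], "-A " chain " ") == 1 &&
                    line[i] ~ /-j REJECT/) {
                    print "# " comment
                    print new
                    done = 1
                }
                print line[i]
            }
            if (!present && !done) exit 1
        }'
}

# Constructed sample in the Red Hat default layout (not taken from the thread).
sample_save() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_save | insert_before_reject RH-Firewall-1-INPUT \
    "Virtualmin remote access" "-p tcp -m tcp --dport 10000 -j ACCEPT"
```

The rule as written accepts port 10000 from any source; adding `-s` with a management address to the rule text narrows it.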

Hey William,

Yes, I’m working on adding firewall configuration to the installer. It’s just not easily abstracted out, since SUSE uses a completely different configuration file than everyone else. But I expect the next release of the virtualmin-base will handle the Red Hat based systems, and I’ll work on SUSE whenever I get a chance.

I haven’t seen the comment issue before. I’m certain the default configuration has the comment syntax right on my systems, but maybe something broke in the latest version or two of Webmin.

Remember that DNS uses UDP 53, not TCP.

Hey Chris,

You’re quite right, and the example firewall rules I posted in another thread William started cover UDP*. Though apparently there can also be TCP traffic known as DNS/TCP, so I always open it up, and I do find that it gets hit on every server I have that provides DNS service. I have no idea if my DNS servers actually provide TCP DNS service…but I do see TCP traffic. :wink:

*-That post is here: