Default Hole In Firewall?

WilliamSmith · April 13, 2006, 3:53pm

I find I have to do:

Webmin
Networking
Linux Firewall
Chain RH-Firewall-1-INPUT
Add Rule
Comment: VirtualMin remote access
Accept
Protocol Equals TCP
Destination Port Equals 10000
Create
<Move new rule above "Reject always" rule>
Apply Configuration

In order to use VirtualMin from another machine, shouldn’t that happen by default during the installation?

Thanks!

WilliamSmith · April 13, 2006, 4:34pm

And another little buglet: When adding rules, you can’t put anything in the “Comment” field, or you’ll get a:

/*
Flushing firewall rules: [[ OK ]]
Setting chains to policy ACCEPT: nat mangle filter [[ OK ]]
Unloading iptables modules: [[ OK ]]
Applying iptables firewall rules: iptables-restore v1.2.11: Couldn’t load match `comment’:/lib/iptables/libipt_comment.so: cannot open shared object file: No such file or directory

Error occurred at line: 22
Try `iptables-restore -h’ or ‘iptables-restore --help’ for more information.
[[FAILED]]
*/

Error when you hit "Apply Configuration".

WilliamSmith · April 13, 2006, 4:42pm

Unless you go into ‘module config’ and set “# comments in save file”

[[Still can’t get a DNS-sized hole in the firewall, but that’s probably a rathole…]]

Joe · April 13, 2006, 11:53pm

Hey William,

Yes, I’m working on adding firewall configuration to the installer. It’s just not easily abstracted out, since SUSE uses a completely different configuration file than everyone else. But I expect the next release of the virtualmin-base will handle the Red Hat based systems, and I’ll work on SUSE whenever I get a chance.

I haven’t seen the comment issue before. I’m certain the default configuration has the comment syntax right on my systems, but maybe something broke in the latest version of two of Webmin.

ChrisBlackwell · April 14, 2006, 3:28pm

remember that DNS uses UDP 53, not TCP

Joe · April 14, 2006, 3:38pm

Hey Chris,

You’re quite right and the example firewall rules I posted in another thread William started cover UDP*. Though apparently there can also be TCP traffic known as DNS/TCP, so I always open it up–and I do find that it gets hit on every server I have that provides DNS service. I have no idea if my DNS servers actually provide TCP DNS service…but I do see TCP traffic.

*-That post is here:

http://www.virtualmin.com/forums/message-view?message_id=37489