Re: [lvs-users] TCP Connection Sync Problems RHEL

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] TCP Connection Sync Problems RHEL
From: Timo Schöler <timo.schoeler@xxxxxxxxxxxxx>
Date: Wed, 30 Jul 2014 18:50:33 +0200

On 07/30/2014 04:35 PM, Lloyd Brown wrote:
> 
> On 07/30/2014 01:44 AM, Frank Kirschner wrote:
>> Lloyd,
>> 
>> hmm, it's senseless doubled but please can you try out what
>> happens if you add on 1st line:
>> 
>> # /sbin/iptables -I INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>> # /sbin/service iptables save
> 
> 
> Frank,
> 
> I can try it, but I'm not sure what you're expecting to see.  I
> have a working setup, so without understanding what you're
> expecting to happen, I'm not sure what to look for.
> 
> And there is already this one in the stock setup:
> 
>> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> While it's not exactly the same, the only difference would be the
> "NEW" flag.  I'm not sure what benefit that would be, other than
> accepting all new connections (if I'm understanding the flag
> correctly).  While this would probably work for at least some of
> the stuff I'm doing, it seems excessively open.  I could also flush
> all the tables (iptables -F), and get it working, but it doesn't
> mean I want to leave my server quite so open and unprotected.
> 
> 
> 
>> 
>> Do you have any OUTPUT rules in your iptables set?
> 
> Nope.  I've checked all 4 tables (raw, mangle, nat, filter) that I
> can find that have an OUTPUT chain, and there doesn't seem to be
> anything in any of them.  I certainly hadn't done it on purpose,
> and it doesn't seem to be a part of the stock RHEL setup.
> 
> 
>> After disabling SELinux do you have to reboot the system?
> 
> Yes.  You do need to reboot to disable SELinux.  And I did.  And
> it didn't have any effect, as far as I could tell.

Hi, that is not entirely true. One can disable SELinux at runtime for
quite a while now:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sec-sel-enable-disable-enforcement.html

>> hope that helps, best regards Frank

Best,

Timo
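
Lloyd's concern about the "NEW" state in the quoted text above, as an added example that is not part of the original thread: a shell function that reads rules in iptables-save format and flags INPUT rules that ACCEPT state NEW with no protocol, port, source or interface match. The function names and both sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag INPUT rules that ACCEPT
# state NEW without any protocol, port, source or interface match.
# Reads rules in iptables-save / "iptables -S" format on stdin.
audit_new_accept() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        accept = 0; has_new = 0; narrowed = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            if ($i == "--state" || $i == "--ctstate") {
                n = split($(i + 1), st, ",")
                for (k = 1; k <= n; k++) if (st[k] == "NEW") has_new = 1
            }
            if ($i == "-p" || $i == "-s" || $i == "-i" ||
                $i == "--dport" || $i == "--dports") narrowed = 1
        }
        if (accept && has_new && !narrowed) print "OPEN: " $0
    }'
}

# Constructed sample: a rule set containing the stock rule quoted in the thread.
sample_stock() {
    cat <<'EOF'
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Constructed sample: the same set with the suggested rule inserted first.
sample_suggested() {
    echo "-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"
    sample_stock
}

echo "stock rule set:";      sample_stock     | audit_new_accept
echo "with suggested rule:"; sample_suggested | audit_new_accept
```

On a live host the same function can be fed from `iptables-save | audit_new_accept` (root required).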


