http://bugzilla.novell.com/show_bug.cgi?id=519526

           Summary: Enhancement request: Add option in /etc/sysconfig/SuSEfirewall2 to disable NOTRACK on lo
    Classification: openSUSE
           Product: openSUSE 11.1
           Version: Final
          Platform: All
        OS/Version: openSUSE 11.1
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: opensuse@jeffshantz.com
         QAContact: qa@suse.de
          Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008103100 SUSE/3.0.4-4.6 Firefox/3.0.4

I spoke with Ludwig Nussel about a problem I was having setting up a transparent proxy. I set up Dansguardian (port 8080) and Squid (3128) and had a few custom iptables rules in /etc/sysconfig/scripts/SuSEfirewall2-custom:

    iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
    iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

However, pages just kept loading forever when SuSEfirewall2 was enabled. Ludwig suggested I disable the NOTRACK rules that are put on lo for performance reasons. I did so, and pages loaded fine after this. He suggested I submit a feature enhancement request asking that an option be added to /etc/sysconfig/SuSEfirewall2 to allow a user to enable/disable the NOTRACK rules.

Thank you.

Reproducible: Always

Steps to Reproduce:
1. Configure any proxy service on a given port
2. Turn on SuSEfirewall2
3. Redirect all requests on port 80 to that service using:
       iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports <service_port>
4. Try loading a page -- nothing will load.
5. Disable the NOTRACK rules:
       iptables -t raw -F
6. Try loading a page; everything should now work.
Actual Results:
All pages now load properly (NAT works properly) after deleting the NOTRACK rules.

Expected Results:
There should probably be an option in /etc/sysconfig/SuSEfirewall2 to remove the NOTRACK rules without having to delete them manually.
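The report describes a configuration conflict: raw-table NOTRACK rules on lo (installed by SuSEfirewall2) alongside a nat OUTPUT REDIRECT rule for the transparent proxy. Flushing the raw table by hand (`iptables -t raw -F`) is a blunt fix, so an administrator would want to confirm the conflict is actually present before touching anything. The script below is an added example, not part of the bug report or of SuSEfirewall2; it reads iptables-save formatted text and reports whether both halves of the conflict are present. The rule set embedded in it is constructed to mirror the report (the NOTRACK placement on lo is an assumption about what SuSEfirewall2 installs); on a live system you would pipe the output of `iptables-save` into `check_notrack_conflict` instead.

```shell
#!/bin/sh
# Added example (not from the bug report or SuSEfirewall2): detect the
# combination the report describes -- raw-table NOTRACK rules on lo next to a
# nat OUTPUT REDIRECT -- by parsing iptables-save style text.

# Constructed sample input modelled on the report: assumed SuSEfirewall2-style
# NOTRACK rules on lo in the raw table, plus the reporter's proxy redirect.
SAMPLE_RULES='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# count_notrack_lo: number of raw-table rules that send lo traffic to NOTRACK.
# Tracks the current table from "*name" lines so rules in other tables are ignored.
count_notrack_lo() {
    awk '/^\*/ {table=substr($0,2)}
         table=="raw" && /-j NOTRACK/ && /(-i|-o) lo( |$)/ {n++}
         END {print n+0}'
}

# count_nat_redirect: number of nat OUTPUT rules that REDIRECT to a local port
# (locally generated traffic being steered into a proxy, as in the report).
count_nat_redirect() {
    awk '/^\*/ {table=substr($0,2)}
         table=="nat" && /^-A OUTPUT / && /-j REDIRECT/ {n++}
         END {print n+0}'
}

# check_notrack_conflict: reads iptables-save text on stdin, prints a verdict,
# and returns 0 when both halves of the conflict are present, 1 otherwise.
# REDIRECT depends on connection tracking, so NOTRACK on lo is the condition to flag.
check_notrack_conflict() {
    rules=$(cat)
    notrack=$(printf '%s\n' "$rules" | count_notrack_lo)
    redirect=$(printf '%s\n' "$rules" | count_nat_redirect)
    if [ "$notrack" -gt 0 ] && [ "$redirect" -gt 0 ]; then
        echo "conflict: $notrack NOTRACK rule(s) on lo, $redirect REDIRECT rule(s) in nat OUTPUT"
        return 0
    fi
    echo "no conflict: notrack=$notrack redirect=$redirect"
    return 1
}

# Run against the constructed sample; on a real host use:
#   iptables-save | check_notrack_conflict
printf '%s\n' "$SAMPLE_RULES" | check_notrack_conflict
```

Because the check is table-aware, a NOTRACK rule elsewhere (or a REDIRECT in PREROUTING rather than OUTPUT) does not trigger it, which keeps the report narrowed to the exact case the reporter hit. Removing only the two lo NOTRACK rules, rather than flushing the whole raw table, is the narrower remediation once the check fires.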