[Bug 519526] New: Enhancement request: Add option in /etc/sysconfig/SuSEfirewall2 to disable NOTRACK on lo
http://bugzilla.novell.com/show_bug.cgi?id=519526
Summary: Enhancement request: Add option in /etc/sysconfig/SuSEfirewall2 to disable NOTRACK on lo
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: All
OS/Version: openSUSE 11.1
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: opensuse@jeffshantz.com
QAContact: qa@suse.de
Found By: ---
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008103100 SUSE/3.0.4-4.6 Firefox/3.0.4
I spoke with Ludwig Nussel about a problem I was having setting up a
transparent proxy. I set up Dansguardian (port 8080) and Squid (3128) and had
a few custom iptables rules in /etc/sysconfig/scripts/SuSEfirewall2-custom:
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
However, pages just kept loading forever when SuSEfirewall2 was enabled.
Ludwig suggested I disable the NOTRACK rules that are put on lo for performance
reasons. I did so, and pages loaded fine after this.
He suggested I submit a feature enhancement request asking that an option be
added to /etc/sysconfig/SuSEfirewall2 to allow a user to enable/disable the
NOTRACK rules.
Thank you.
Reproducible: Always
Steps to Reproduce:
1. Configure any proxy service on a given port
2. Turn on SuSEfirewall2
3. Redirect all requests on port 80 to that service using:
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports
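The mechanism behind the hang is worth making checkable: NAT targets such as REDIRECT and DNAT depend on connection tracking to translate the reply packets back, so a raw-table NOTRACK rule on lo exempts the loopback leg of the redirected connection from conntrack and the reverse translation never happens, which matches the "pages load forever" symptom. The following script is an added example written for this report, not code from the report or from SuSEfirewall2. It scans an iptables-save dump for the combination of NOTRACK-on-lo rules and REDIRECT/DNAT rules in the nat OUTPUT chain. The dump embedded below is constructed to mirror the reporter's setup, and the function names (count_lo_notrack, count_nat_redirect, check_notrack_conflict) are this example's own.

```shell
#!/bin/sh
# Added example: detect the NOTRACK-vs-REDIRECT conflict in an iptables-save dump.
# Not from the bug report; sample dump and helper names are constructed here.

# Constructed iptables-save output: NOTRACK on lo (raw table) plus the
# reporter's transparent-proxy REDIRECT rules (nat table).
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT'

# Count raw-table rules that exempt loopback traffic from conntrack.
# Reads an iptables-save dump on stdin, prints the count.
count_lo_notrack() {
    awk '/^\*/ { table = $1 }
         table == "*raw" && /-[io] lo / && /-j NOTRACK/ { n++ }
         END { print n + 0 }'
}

# Count nat OUTPUT rules that rewrite locally generated connections and
# therefore need conntrack for the reply direction.
count_nat_redirect() {
    awk '/^\*/ { table = $1 }
         table == "*nat" && /^-A OUTPUT / && /-j (REDIRECT|DNAT)/ { n++ }
         END { print n + 0 }'
}

# check_notrack_conflict DUMP
# Returns 0 and prints a diagnosis when both rule kinds are present,
# returns 1 otherwise.
check_notrack_conflict() {
    dump="$1"
    nt=$(printf '%s\n' "$dump" | count_lo_notrack)
    rd=$(printf '%s\n' "$dump" | count_nat_redirect)
    if [ "$nt" -gt 0 ] && [ "$rd" -gt 0 ]; then
        echo "conflict: $nt NOTRACK rule(s) on lo bypass conntrack," \
             "but $rd REDIRECT/DNAT rule(s) in nat OUTPUT need it for replies"
        return 0
    fi
    echo "no conflict"
    return 1
}

# Stand-alone run on the constructed dump; on a live host pass "$(iptables-save)".
check_notrack_conflict "$SAMPLE_DUMP"
```

On a real system the check is `check_notrack_conflict "$(iptables-save)"` as root. It is deliberately conservative: it only reports the combination this report describes (loopback NOTRACK plus locally generated NAT rules) and says nothing about the many NOTRACK setups that are harmless, so a "conflict" result is a prompt to review whether the firewall's loopback NOTRACK rules should be disabled, as the reporter did.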
--- Comment #1 from Ludwig Nussel (lnussel@novell.com)
http://bugzilla.novell.com/show_bug.cgi?id=519526#c1
--- Comment #2 from Jan Engelhardt (jengelh@medozas.de)
http://bugzilla.novell.com/show_bug.cgi?id=519526#c2
--- Comment #3 from Jeff Shantz (opensuse@jeffshantz.com)
http://bugzilla.novell.com/show_bug.cgi?id=519526#c3
--- Comment #4 from Bernhard Wiedemann
http://bugzilla.novell.com/show_bug.cgi?id=519526#c4