March 29th, 2002, 01:03 PM
ipchains SYN flag : outgoing requests
I run a machine with RedHat 7.1 on my school's network with a firewall script I wrote in bash for ipchains.
The machine cannot make outgoing connections (for example: the web browser cannot connect to an external web server) because of the -y SYN flag. I talked with one of my professors about a month ago, and we read through the LDP pages and fixed the problem. Unfortunately, all I did was append the chain from the bash prompt; I didn't update my script. A few weeks ago, I accidentally rebooted my machine while switching between Gnome and KDE. When my firewall script went back into effect, the outgoing connections were again blocked.
I have spent the past hour RTFMing and STFWing, and trying to brute-force the -y flag to make it work, but all of it resulted in failure.
I don't filter outgoing traffic at all. The solution to this problem revolves entirely around the -y flag in one of the firewall chains. The examples I've found in LDP (kernel.org/LDP) and from google haven't helped.
Does anyone have any suggestions or know how to remedy this?
Two things have come out of Berkeley, Unix and LSD.
It is uncertain which caused the other.
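The shape of a ruleset that does what the poster describes, as an added example that is not the poster's script or anything from the LDP pages: the input chain refuses unsolicited inbound TCP with -y, while replies to this host's own outgoing connections are admitted with "! -y". The external interface name (eth0), the one offered service (ssh on tcp/22) and the $IPCHAINS variable used to preview rules with IPCHAINS=echo are assumptions for the example, not facts from the thread.

```bash
#!/bin/bash
# Added example, not the original poster's firewall script: an ipchains ruleset
# that uses -y to refuse new inbound TCP connections while still letting this
# host's own outgoing connections, and their replies, through.
#
# Assumptions not stated in the thread: the external interface is eth0, the only
# service offered to the network is ssh on tcp/22, and the ipchains binary is
# reached through $IPCHAINS so the rules can be previewed (IPCHAINS=echo).

EXT_IF="${EXT_IF:-eth0}"
IPCHAINS="${IPCHAINS:-ipchains}"

rule() { "$IPCHAINS" "$@"; }

firewall_up() {
    rule -F input
    rule -F output
    rule -F forward

    # Outgoing traffic is not filtered at all; anything arriving must match
    # one of the ACCEPT rules below or it hits the DENY policy.
    rule -P output ACCEPT
    rule -P input DENY
    rule -P forward DENY

    rule -A input -i lo -j ACCEPT

    # -y matches only packets with SYN set and ACK,FIN clear: the first packet
    # of a new TCP connection. "! -y" matches every other TCP packet, which is
    # what the SYN/ACK, data and FIN of a connection *we* opened look like.
    # This rule has to come before any broader TCP deny: ipchains stops at the
    # first matching rule, so a plain "-p tcp -j DENY" ahead of it would eat
    # the replies and give exactly the "cannot connect out" symptom.
    rule -A input -i "$EXT_IF" -p tcp '!' -y -j ACCEPT

    # New inbound connections only to the service we mean to offer.
    rule -A input -i "$EXT_IF" -p tcp -y --destination-port 22 -j ACCEPT

    # Any other new inbound TCP connection: log it (-l) and drop it.
    rule -A input -i "$EXT_IF" -p tcp -y -l -j DENY

    # The filter keeps no connection state, so UDP replies (DNS here) and ICMP
    # have to be admitted by port/protocol rather than by "did we ask for it".
    rule -A input -i "$EXT_IF" -p udp --source-port 53 -j ACCEPT
    rule -A input -i "$EXT_IF" -p icmp -j ACCEPT
}

# Run as "./firewall.sh up" to apply; run with IPCHAINS=echo to preview.
if [ "${1:-}" = "up" ]; then
    firewall_up
fi
```

The caveat a stateless filter carries: "! -y" admits any TCP packet that is not a bare SYN, so an ACK or FIN scan from outside reaches the host's TCP stack (which answers with RST), and the UDP rule trusts source port 53 rather than a real request. That is the limitation the stateful module of iptables removes, but within ipchains the SYN test is the right tool for "let me out, keep them out".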
March 29th, 2002, 03:39 PM
First off I don't know anything about ipchains/iptables.
ipchains, being a stateless packet filter, is not smart enough to track packet state, thus whatever flags you set are really useless, because it doesn't know how to keep state, say on the SYN flag.
That said, you should not reject anything based on any flag in a TCP packet.
Imagine the following ruleset in ipfilter:
pass out quick all
block in quick proto tcp all flags S
pass in quick proto tcp all
block in quick all
This really blocks all inbound TCP because of the required flags S. Although the next rule allows inbound TCP, the quick keyword in the 2nd rule tells ipfilter to stop further processing.
BTW, iptables is stateful, so you really should switch to iptables instead.