While firewalls have their uses, they can also be an obstacle for users.

I have been called out to customer sites a few times, only to find the problem was a software firewall blocking useful traffic.  Once, it was the Windows firewall blocking FTP, once it was Zone Alarm blocking SQL*Net, and a couple of times the Linux iptables firewall has been to blame.

Here is a recent example of a software firewall that was inappropriately configured:

We wanted to install Oracle on an Oracle Enterprise Linux server, and needed to use VNC to do so.  We started up vncserver on the Linux server and tried to connect to it with a VNC client from a Windows PC.  It didn’t work.

So… we started to investigate.

From the PC command prompt we tried telnet NN.NN.NN.NN 5901. This timed out. Hmmmm… not a “Connection refused”, so it appeared to be a firewall issue. The PC’s Windows firewall already had a VNC exception (part of the VNC client installation), but even turning it off didn’t make a difference.

Next, we checked that vncserver was running on the Linux box, and ran netstat -a to confirm that vncserver was listening on port 5901. All was as expected. At this point we suspected a physical firewall, but once that was ruled out, it only left a Linux software firewall. The commands below show how to confirm this and disable the firewall (rather than reconfigure it).

[root@akadevsrv01 ~]# /etc/init.d/iptables status
Table: nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  192.168.122.0/24     0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
5    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
6    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
13   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
[root@akadevsrv01 ~]# /etc/init.d/iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: nat filter                [  OK  ]
Unloading iptables modules:                                [  OK  ]
[root@akadevsrv01 ~]# chkconfig iptables off
[root@akadevsrv01 ~]# /etc/init.d/iptables status
Firewall is stopped.
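Stopping iptables and turning it off with chkconfig removes every rule in the listing above, including the REJECT at the end of RH-Firewall-1-INPUT that was blocking port 5901, but it also removes the protection for everything else. The narrower fix a practitioner would usually want is to read the chain, confirm that the port really is missing an ACCEPT before the catch-all REJECT, and then insert one rule for 5901 at that position. The script below is an added example, not part of the original post: it reads the RH-Firewall-1-INPUT chain (a constructed copy of the listing from the page is embedded so it runs offline; set LIVE=1 on a real Red Hat style host to read the running chain with iptables instead), reports whether a TCP port is accepted, and prints the iptables -I command that inserts an ACCEPT immediately before the REJECT. The function names and the LIVE variable are this example's own.

```shell
#!/bin/sh
# Constructed sample input: the RH-Firewall-1-INPUT chain exactly as the page's
# '/etc/init.d/iptables status' printed it (same columns as
# 'iptables -L RH-Firewall-1-INPUT -n --line-numbers').
SAMPLE_CHAIN='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
12   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
13   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# chain_listing: the chain to inspect. With LIVE=1 (assumed knob, needs root)
# it reads the running firewall; otherwise it uses the constructed sample.
chain_listing() {
  if [ -n "$LIVE" ]; then
    iptables -L RH-Firewall-1-INPUT -n --line-numbers
  else
    printf '%s\n' "$SAMPLE_CHAIN"
  fi
}

# tcp_port_accepted PORT: prints "yes" if an ACCEPT rule for tcp dpt:PORT comes
# before the first catch-all REJECT (proto "all"), otherwise "no". The rule
# number is field 1, target field 2, protocol field 3; "dpt:N" is a later field.
tcp_port_accepted() {
  chain_listing | awk -v port="$1" '
    $2 == "ACCEPT" && $3 == "tcp" {
      for (i = 1; i <= NF; i++)
        if ($i == "dpt:" port) { print "yes"; done = 1; exit }
    }
    $2 == "REJECT" && $3 == "all" { print "no"; done = 1; exit }
    END { if (!done) print "no" }'
}

# reject_rule_number: rule number of the first catch-all REJECT, i.e. the slot
# a new ACCEPT must be inserted at so that it is evaluated before the reject.
reject_rule_number() {
  chain_listing | awk '$2 == "REJECT" && $3 == "all" { print $1; exit }'
}

# allow_tcp_port_cmd PORT: prints the iptables command that opens PORT for new
# TCP connections without touching any other rule. Run it as root, then
# 'service iptables save' so /etc/sysconfig/iptables survives a restart.
allow_tcp_port_cmd() {
  n=$(reject_rule_number)
  printf 'iptables -I RH-Firewall-1-INPUT %s -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$n" "$1"
}

# Usage: check the VNC display port from the story and show the targeted fix.
for p in 22 5901; do
  printf 'tcp/%s accepted: %s\n' "$p" "$(tcp_port_accepted "$p")"
done
allow_tcp_port_cmd 5901
```

On the page's listing this reports tcp/22 as accepted and tcp/5901 as not, and prints an insert at position 13, directly ahead of the REJECT. Before running the insert, keep the check the post already describes (netstat showing vncserver listening on 5901), and note that opening 5901 still exposes the VNC password prompt to every source address; restricting the rule with -s to the administrator's PC, or tunnelling VNC over the already-permitted SSH port 22, avoids that.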