Default Hole In Firewall?

Thu, 04/13/2006 - 10:53


I find I have to do:

Webmin -> Networking -> Linux Firewall -> Chain RH-Firewall-1-INPUT -> Add Rule -> Comment: "VirtualMin remote access", Accept, Protocol Equals TCP, Destination Port Equals 10000 -> Create -> (move the new rule above the "Reject always" rule) -> Apply Configuration

In order to use VirtualMin from another machine, shouldn't that happen by default during the installation?


Thu, 04/13/2006 - 11:34

And another little buglet: When adding rules, you can't put anything in the "Comment" field, or you'll get a:

Flushing firewall rules: [[ OK ]]
Setting chains to policy ACCEPT: nat mangle filter [[ OK ]]
Unloading iptables modules: [[ OK ]]
Applying iptables firewall rules: iptables-restore v1.2.11: Couldn't load match `comment':/lib/iptables/ cannot open shared object file: No such file or directory

Error occurred at line: 22
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Error when you hit "Apply Configuration".

Thu, 04/13/2006 - 11:42

Unless you go into 'module config' and set "# comments in save file".

[[Still can't get a DNS-sized hole in the firewall, but that's probably a rathole...]]

Thu, 04/13/2006 - 18:53

Hey William,

Yes, I'm working on adding firewall configuration to the installer. It's just not easily abstracted out, since SUSE uses a completely different configuration file than everyone else. But I expect the next release of the virtualmin-base will handle the Red Hat based systems, and I'll work on SUSE whenever I get a chance.

I haven't seen the comment issue before. I'm certain the default configuration has the comment syntax right on my systems, but maybe something broke in the latest version or two of Webmin.



Fri, 04/14/2006 - 10:28

Remember that DNS uses UDP 53, not TCP.

Fri, 04/14/2006 - 10:38

Hey Chris,

You're quite right and the example firewall rules I posted in another thread William started cover UDP*. Though apparently there can also be TCP traffic known as DNS/TCP, so I always open it up--and I do find that it gets hit on every server I have that provides DNS service. I have no idea if my DNS servers actually provide TCP DNS service...but I do see TCP traffic. ;-)

*-That post is here:


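Putting the thread's three points together, as an added example that is not from the thread or from Webmin/Virtualmin: a Python helper that edits an iptables-save dump of the Red Hat RH-Firewall-1-INPUT chain, inserts ACCEPT rules for TCP 10000 and for DNS on both UDP and TCP 53 directly above the "Reject always" rule, leaves out `-m comment` unless asked for (so iptables-restore does not trip over a missing comment match), and walks the chain first-match to confirm the ports are reachable. The sample dump is constructed; the port list and chain name are the thread's.

```python
# Constructed iptables-save dump using the Red Hat default chain from the
# thread; the REJECT line is the stock "Reject always" rule.
SAMPLE_SAVE = """*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
CHAIN = "-A RH-Firewall-1-INPUT"
# Ports the thread wants open: Webmin/Virtualmin, and DNS on UDP as well as TCP.
WANTED = [("tcp", 10000, "Virtualmin remote access"),
          ("udp", 53, "DNS"), ("tcp", 53, "DNS over TCP")]

def build_rule(proto, port, comment=None):
    """Accept NEW connections to proto/port; -m comment only on request, since
    iptables-restore fails when the comment match library is not installed."""
    rule = f"{CHAIN} -m state --state NEW -p {proto} -m {proto} --dport {port}"
    if comment:
        rule += f' -m comment --comment "{comment}"'
    return rule + " -j ACCEPT"

def accepts(line, proto, port):
    """True if this rule line accepts NEW packets to exactly proto/port."""
    return (line.startswith(CHAIN) and f"-p {proto} " in line
            and f"--dport {port} " in line and line.endswith("-j ACCEPT"))

def is_reject(line):
    # The stock rule has no -p/--dport match, so it rejects everything that reaches it.
    return line.startswith(CHAIN) and " -j REJECT" in line

def open_ports(save_text, wanted=WANTED, with_comments=False):
    """Insert missing ACCEPT rules directly above the chain's REJECT so they
    are evaluated first; a rule appended after REJECT would never match."""
    lines = save_text.splitlines()
    reject_idx = next(i for i, l in enumerate(lines) if is_reject(l))
    new_rules = [build_rule(p, port, c if with_comments else None)
                 for p, port, c in wanted
                 if not any(accepts(l, p, port) for l in lines[:reject_idx])]
    lines[reject_idx:reject_idx] = new_rules
    return "\n".join(lines) + "\n"

def reachable(save_text, proto, port):
    """First-match walk of the chain: is a NEW packet to proto/port accepted?"""
    for line in save_text.splitlines():
        if is_reject(line):
            return False
        if accepts(line, proto, port):
            return True
    return False
```

Running `open_ports` twice yields the same text, so it is safe to re-apply after Webmin rewrites the save file.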
