- 11-27-2010 #1 Just Joined!
- Join Date
- Nov 2010
- Posts
- 11
Red Hat Enterprise Linux Server Default SELinux and Firewall Status/Config.
Hi there all,
I have a problem with our Red Hat Enterprise Linux Server in my university's lab. I was adding some ports to the firewall in order to reach the VNC server running on the server. These ports are 5900-5905, 5800-5804 tcp ports. I think I accidentally changed some things so that the server cannot access the Internet now. I checked the static IP address, DNS address, default gateway, subnet mask but they all seemed correct. I rebooted the machine but that was no help. I restarted the ethernet interfaces but that didn't solve the problem. I think I accidentally changed some things with SELinux or the firewall. Would SELinux cause any Internet connection problems? I disabled the firewall, rebooted the server again, but still could not connect to the Internet. I don't really know what to do. If anybody could give me any idea, I would be appreciative.
- 11-27-2010 #2 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,974
I don't suppose you backed up the system, or saved the firewall configuration before you did this work? If not, then you are pretty much on your own since we have no way to know what was what before you did what you did, and we also have no way to know exactly what you did either.
Anyway, before you do this sort of stuff on running systems, you REALLY need to know what you are doing, and you need to perform due diligence with regard to backup of critical data and systems. If you did this in the commercial world, taking a critical server off-line for an extended period, you would probably be looking for a new job...
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
- 11-27-2010 #3 Just Joined!
- Join Date
- Nov 2010
- Posts
- 11
Hi,
Thanks a lot for your reply. You are right that I hadn't backed up any configuration. I didn't do anything else apart from adding some tcp ports (5804, 5904) to the firewall.
SELinux has three options as far as I know: permissive, enforcing, disabled. I'm just not sure which option was the default option and which option I accidentally changed it to using the graphical user interface. That was why I was asking if you had any idea of the default SELinux status/option and if changing the SELinux option may cause Internet connection problems.
- 11-27-2010 #4 Linux Guru
- Join Date
- Apr 2009
- Location
- I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
- Posts
- 8,974
Yes, changing SELinux modes/options can easily disrupt internet access. It is not something to play with unless you know what you are doing. Side-effects are numerous and oft-times fatal, as you have discovered. If you can restore the system to the same state it was in before you tried to poke holes in the firewall, then it may work. However, as I tried to tell you, there isn't much we can do here since the range of issues is too broad to cover. It is time for you to dust off the SELinux and firewall documentation and start analyzing the problem. Try to understand EXACTLY what the impacts of your changes might be before you make them.
My process for performing these sorts of changes:
1. Before any system changes, backup all critical files and/or system discs.
2. Before any system changes, review any critical settings in SELinux and firewall configuration files, making sure I know what ALL of them are.
3. Make changes in minimal stages, and verify that the system is still functioning as each change is made.
4. Record EXACTLY what changes were made and what configuration utilities (along with all command-line options used) were run for each stage. Also note what needs to be done to roll back the change(s) BEFORE they are performed.
5. Once the system is changed over and all stages are complete, make a backup copy of the new configuration files and/or system disc(s).
Recovery and repeatability are key here, and the only way to do that is by applying rigorous engineering discipline to this work. It IS rocket science, but that only means that the engineer has to take full responsibility for his/her actions. The systems you are working on may be involved in critical research in health, safety, or other important areas, so try not to leave your users in the lurch! I say this as a software/systems engineer with 30 years experience in real-time, safety-critical, and large-scale high-availability distributed computer systems. When I work on a client's systems, servers, and networks, you can believe that I take all precautions to make sure that if I make a mistake, or something doesn't work as advertised, I can restore the system to its original functionality promptly and effectively.
Sometimes, real fast is almost as good as real time.
Just remember, Semper Gumbi - always be flexible!
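The backup, verify and roll-back steps from post #4, sketched as an added example that is not part of the original thread. It assumes the RHEL file locations `/etc/selinux/config` and `/etc/sysconfig/iptables`; the function names and the ROOT argument are hypothetical, introduced so the functions can also be run against a constructed directory tree.

```bash
#!/bin/bash
# Added example: snapshot SELinux and firewall configuration before a change,
# list what differs afterwards, and restore the snapshot if needed.

# Persistent SELinux mode and iptables rules on RHEL (assumed locations).
TRACKED_FILES="etc/selinux/config etc/sysconfig/iptables"

# snapshot ROOT DEST: copy tracked files (and live state when ROOT is /) to DEST.
snapshot() {
    local root="${1%/}" dest="$2" f
    mkdir -p "$dest" || return 1
    for f in $TRACKED_FILES; do
        if [ -f "$root/$f" ]; then
            mkdir -p "$dest/$(dirname "$f")"
            cp -p "$root/$f" "$dest/$f"
        fi
    done
    # Running mode and loaded rules are recorded only for the real system.
    if [ -z "$root" ]; then
        if command -v getenforce >/dev/null; then getenforce > "$dest/getenforce.txt"; fi
        if command -v iptables-save >/dev/null; then iptables-save > "$dest/iptables-save.txt"; fi
    fi
    return 0
}

# changed_files ROOT SNAP: print each tracked file that differs from the snapshot.
changed_files() {
    local root="${1%/}" snap="$2" f
    for f in $TRACKED_FILES; do
        [ -e "$snap/$f" ] || [ -e "$root/$f" ] || continue
        if ! cmp -s "$snap/$f" "$root/$f"; then
            echo "$f"
        fi
    done
}

# rollback ROOT SNAP: restore every tracked file from the snapshot.
rollback() {
    local root="${1%/}" snap="$2" f
    for f in $TRACKED_FILES; do
        if [ -f "$snap/$f" ]; then cp -p "$snap/$f" "$root/$f"; fi
    done
    return 0
}

# Typical use, as root, before opening the VNC ports:
#   snapshot / /root/pre-change-$(date +%F)
#   ...make one change, test connectivity...
#   changed_files / /root/pre-change-$(date +%F)
```

After a rollback, the restored files only describe the persistent configuration; the running firewall rules and SELinux mode still have to be reloaded or the machine rebooted.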