Bug 149189

Summary: mDNSResponder rule is on even though howl package is not installed
Product: Red Hat Enterprise Linux 4
Reporter: Harry Sutton <harry.sutton>
Component: system-config-securitylevel
Assignee: Thomas Woerner <twoerner>
Status: CLOSED CANTFIX
Severity: medium
Priority: medium
Version: 4.0
CC: alexl, k.georgiou, nobody+pnasrat
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-11-06 13:52:31 UTC
Bug Blocks: 177950

Description Harry Sutton 2005-02-20 17:23:09 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
The output of 'iptables -L -v' includes this line:

0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:5353

This is enabled by default despite the absence of the howl package (this is RHEL 4 Workstation). Best practice security recommendation is to close any unused ports; if I'm not using Zeroconf (howl) in my network, this port should not be opened on my firewall by default.

Version-Release number of selected component (if applicable):
iptables-1.2.11-3.1.RHEL4

How reproducible:
Always

Steps to Reproduce:
1. Boot the system
2. Verify the absence of howl (rpm -qa | grep howl)
3. Verify the open port with 'iptables -L -v'
  

Actual Results:  As described in the 'Description' field above

Expected Results:  The iptables output should not include this open port

Additional info:
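The reproduction steps above amount to a two-part check: is there an ACCEPT rule for mDNS (udp/5353 to 224.0.0.251), and is a Zeroconf package (howl, or avahi on later releases) actually installed? The script below is an added example, not part of the original report or of the s-c-securitylevel package: it packages that check into a function that can be fed live `iptables -L -v -n` and `rpm -qa` output, and runs it against constructed sample output that reproduces the reporter's situation. The function names, the sample rule table and the sample package list are all assumptions made for the example; only `grep -E`, `printf` and POSIX sh are required.

```shell
#!/bin/sh
# Audit whether the mDNS firewall rule matches the installed software.
# Added example; the sample data below is constructed, not captured from a real host.

# Constructed sample of 'iptables -L -v -n' on a RHEL 4 host (lokkit-style chain).
SAMPLE_IPTABLES='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22'

# Constructed sample of 'rpm -qa' on a host with neither howl nor avahi installed.
SAMPLE_RPMS='iptables-1.2.11-3.1.RHEL4
openssh-server-3.9p1-8.RHEL4
system-config-securitylevel-1.4.13-2'

# mdns_rule_present IPTABLES_TEXT
# Returns 0 if an ACCEPT rule for udp/5353 to the mDNS group 224.0.0.251 is present.
# Matches both numeric (-n) and resolved output, since only the destination and dpt matter.
mdns_rule_present() {
    printf '%s\n' "$1" | grep -E 'ACCEPT[[:space:]]+udp.*224\.0\.0\.251.*dpt:5353' >/dev/null
}

# zeroconf_installed RPM_TEXT
# Returns 0 if any howl-* or avahi-* package appears in the rpm -qa listing.
zeroconf_installed() {
    printf '%s\n' "$1" | grep -E '^(howl|avahi)-' >/dev/null
}

# audit_mdns_rule IPTABLES_TEXT RPM_TEXT
# Prints a verdict. Returns 1 only in the case this bug describes: the rule is
# open but no Zeroconf package is installed. Returns 0 otherwise.
audit_mdns_rule() {
    if mdns_rule_present "$1"; then
        if zeroconf_installed "$2"; then
            echo "OK: mDNS rule open and a howl/avahi package is installed"
            return 0
        fi
        echo "MISMATCH: udp/5353 to 224.0.0.251 is open but neither howl nor avahi is installed"
        return 1
    fi
    echo "OK: no mDNS ACCEPT rule present"
    return 0
}

# On a live host the call would be:
#   audit_mdns_rule "$(iptables -L -v -n)" "$(rpm -qa)"
# Here the constructed samples reproduce the reporter's host, so a mismatch is expected.
if audit_mdns_rule "$SAMPLE_IPTABLES" "$SAMPLE_RPMS"; then
    :
else
    echo "audit flagged the reporter's case (exit status 1)"
fi
```

The check is deliberately read-only: it reports the mismatch rather than deleting the rule, because on RHEL 4 the rule is regenerated from /etc/sysconfig/iptables by lokkit, and a one-off `iptables -D` would not survive the next firewall restart.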

Comment 1 Thomas Woerner 2005-02-21 10:55:48 UTC
Assigning to anaconda.

Comment 2 Chris Lumens 2005-11-01 16:11:52 UTC
This is because lokkit (the program that comes with s-c-securitylevel
responsible for writing out all the iptables-related files) has hard-coded to
keep this port open.  See bug 134208.  The solution here appears to be that a
package should be able to request a certain port to be opened for it via its
%post scriptlet so the port is only opened if the package is installed.

If you require this fix in RHEL, you'll either need to take it through Issue
Tracker or wait for a fix in RHEL5.  I'll work on fixing this for Rawhide.

Comment 3 Josh Bressers 2006-09-21 18:54:19 UTC
I'm removing the Security keyword from this bug.  This issue has the potential
to have a security impact, but is not a security vulnerability by itself.

Comment 4 Thomas Woerner 2007-11-06 13:52:31 UTC
I am sorry, but I cannot change this, because it would be a behavior change.
RHEL-4 and RHEL-5 are using howl/avahi/Zeroconf per default and the port is
open. If you are disabling howl/avahi, then the open port should be no problem
for you.

Closing as CANTFIX.