Bug 181397

| Summary: | clean install ports left open in iptables | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Scot Harris <scot> |
| Component: | system-config-securitylevel | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | bryce1, caillon, jpazdziora, mstefani, nsoranzo, security-response-team, sundaram |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-09-10 08:59:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 177950 | | |
Description

Scot Harris
2006-02-13 20:09:55 UTC

The /etc/sysconfig/iptables file is written by system-config-securitylevel and by the installer. The file is not initially part of the iptables package. Assigning to system-config-securitylevel.

*** Bug 186404 has been marked as a duplicate of this bug. ***

*** Bug 207066 has been marked as a duplicate of this bug. ***

In addition: /etc/sysconfig/system-config-securitylevel should track /etc/sysconfig/iptables. It is disturbing to go to the trouble of setting up the configuration, then find that the handy-dandy automatic tool has opened additional services to the world. (Note that I could do without /etc/sysconfig/system-config-securitylevel completely... It seems like a less powerful version of /etc/sysconfig/iptables, but not significantly easier to understand.)

*** Bug 216693 has been marked as a duplicate of this bug. ***

Push this bug to Fedora Core 6.

Clean install with Fedora Core 6 still has a number of ports left open in iptables. Unless the user has enabled ipsec, ports 50 and 51 should not be open. In addition, port 5353 appears to be for itunes. Unless the user installs itunes and wants to open their system up for sharing, this should not be open. Same goes for port 631. If the user wants to enable network printing then open these up; otherwise the default should be to block all ports. The only port that should have been explicitly opened was ssh, which is open by default to allow admins to remotely access a new system once it has loaded. This has been an issue since at least FC4 and possibly longer than that.

Iptables file from clean install of FC6 below:

```
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
```

Same with /etc/sysconfig/system-config-securitylevel vs. /etc/sysconfig/iptables. Some magic opens extra ports beyond what system-config-securitylevel specifies. Consider deprecating /etc/sysconfig/system-config-securitylevel.

*** Bug 178107 has been marked as a duplicate of this bug. ***

This has been addressed in system-config-firewall, which replaces system-config-securitylevel. There are still default ports, which are open, but now you can close them. Please have a look at system-config-firewall or lokkit. Closing "RAWHIDE".
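As an added defender's check, not part of this bug report and not code from system-config-securitylevel or system-config-firewall: a small Python audit that parses an iptables-save style file such as the FC6 ruleset quoted above, lists every ACCEPT rule in the RH-Firewall-1-INPUT chain that admits new traffic from the network (loopback-only and ESTABLISHED,RELATED rules are skipped), and reports what is not on an intended allowlist. The allowlist (only tcp/22 for ssh) and the chain name are assumptions for the example. The `-p 50` and `-p 51` rules are IP protocol numbers rather than ports (ESP and AH, the IPsec protocols), so the audit reports them by those IANA names.

```python
"""Audit an /etc/sysconfig/iptables dump for network-reachable ACCEPT rules
that are not on an expected allowlist. Added example; not project code."""
import shlex

# Sample input: the FC6 clean-install ruleset quoted in the bug report.
SAMPLE_RULES = """\
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# IANA names for the numeric protocols the ruleset opens without a port.
PROTO_NAMES = {"50": "esp", "51": "ah"}

# Assumed intended allowlist for a fresh install: only ssh.
DEFAULT_ALLOWED = frozenset({("tcp", "22")})


def _parse_opts(argv):
    """Turn '-A CHAIN -p udp --dport 631 -j ACCEPT' into {'-p': 'udp', ...}.
    A flag followed by a non-flag token takes that token as its value;
    a flag with no value (none occur here) maps to None."""
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            opts[tok] = argv[i + 1]
            i += 2
        else:
            opts[tok] = None
            i += 1
    return opts


def parse_accepts(text, chain="RH-Firewall-1-INPUT"):
    """Return (proto, dport, dest) tuples for ACCEPT rules in `chain` that
    admit new traffic from the network. Loopback-only rules and rules that
    match only ESTABLISHED,RELATED state do not expose a service and are
    skipped."""
    exposures = []
    for line in text.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-A" or argv[1] != chain:
            continue
        opts = _parse_opts(argv)
        if opts.get("-j") != "ACCEPT":
            continue
        if opts.get("-i") == "lo":
            continue
        state = opts.get("--state") or ""
        if state and "NEW" not in state.split(","):
            continue
        proto = opts.get("-p") or "all"
        proto = PROTO_NAMES.get(proto, proto)
        exposures.append((proto, opts.get("--dport"), opts.get("-d")))
    return exposures


def unexpected(exposures, allowed=DEFAULT_ALLOWED):
    """Keep only exposures not on the allowlist. ICMP is tolerated here
    because the report does not object to it."""
    return [e for e in exposures
            if e[0] != "icmp" and (e[0], e[1]) not in allowed]


if __name__ == "__main__":
    for proto, dport, dest in unexpected(parse_accepts(SAMPLE_RULES)):
        where = f"port {dport}" if dport else "all ports"
        scope = f" to {dest}" if dest else ""
        print(f"open beyond allowlist: {proto} {where}{scope}")
```

Run against the quoted ruleset, the report lists esp and ah (all ports), udp 5353 to 224.0.0.251, udp 631 and tcp 631; tcp 22 is the only ACCEPT that survives the allowlist. Pointing `parse_accepts` at the contents of a live `/etc/sysconfig/iptables` gives the same listing for a real host.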