Bug 181397

Summary: clean install ports left open in iptables
Product: [Fedora] Fedora
Reporter: Scot Harris <scot>
Component: system-config-securitylevel
Assignee: Thomas Woerner <twoerner>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: rawhide
CC: bryce1, caillon, jpazdziora, mstefani, nsoranzo, security-response-team, sundaram
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-10 08:59:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 177950

Description Scot Harris 2006-02-13 20:09:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7

Description of problem:
New clean install of FC4, all updates applied via yum.  Found iptables had a number of ports left open as follows:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Ports 5353 and 631 as well as protocols 50 and 51 were allowed through the firewall.  This was not expected.

Port 5353 appears to be either part of zeroconf or multicast DNS or Apple iTunes services.  

Port 631 deals with network printing ipp or the cups configuration interface.  CUPS can be configured from the local console without having this port open to the network.

Protocols 50 and 51 deal with VPN services.

All of these ports should by default be blocked by iptables until the user configures or enables those services.  

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Clean install of FC4
2. yum update 
3. iptables --list or service iptables status


Actual Results:  Certain ports/protocols were allowed through the firewall that were not selected during the install.  The iptables rules from the clean install are listed above.

Expected Results:  iptables should only have those ports open to the network that were selected during the install.

If packages selected during install apply changes to iptables rules this should be reported to the user so they know to either examine the firewall rules or that changes to the firewall may be needed based on package selection.

Packages being installed should never modify the firewall (or the security level) of the system.  At the very least such packages should be identified and the administrator should be notified during the install that changes are being made or are needed for the package to work properly.  

Allowing packages to modify the firewall on the fly could result in compromising the system.  Default firewall rules should be to block everything unless specifically selected or enabled by the user.

Additional selections during install may be needed similar to ssh, ftp, http, smtp, etc.



Additional info:

Comment 1 Thomas Woerner 2006-02-14 09:32:16 UTC
The /etc/sysconfig/iptables file is written by system-config-securitylevel and
by the installer. The file is not initially part of the iptables package.

Assigning to system-config-securitylevel.

Comment 2 Chris Lumens 2006-03-23 14:59:39 UTC
*** Bug 186404 has been marked as a duplicate of this bug. ***

Comment 3 Chris Lumens 2006-09-25 15:47:46 UTC
*** Bug 207066 has been marked as a duplicate of this bug. ***

Comment 4 Bryce Nesbitt 2006-09-25 16:10:02 UTC
In addition: /etc/sysconfig/system-config-securitylevel
should track /etc/sysconfig/iptables.
It is disturbing to go to the trouble of setting up the configuration, then find
that the handy-dandy automatic tool has opened additional services to the world.

(Note that I could do without /etc/sysconfig/system-config-securitylevel
completely... It seems like a less powerful version of /etc/sysconfig/iptables,
but not significantly easier to understand).

Comment 8 Chris Lumens 2006-11-21 15:57:50 UTC
*** Bug 216693 has been marked as a duplicate of this bug. ***

Comment 9 Scot Harris 2006-11-22 23:04:56 UTC
Push this bug to Fedora Core 6.  Clean install with Fedora Core 6 still has a
number of ports left open in iptables.  Unless the user has enabled ipsec, ports
50 and 51 should not be open.  In addition, port 5353 appears to be for itunes.
Unless the user installs itunes and wants to open their system up for sharing,
this should not be open.  Same goes for port 631.  If the user wants to enable
network printing then open these up; otherwise the default should be to block all
ports.

The only port that should have been explicitly opened was ssh, which is open by
default to allow admins to remotely access a new system once it has loaded.

This has been an issue since at least FC4 and possibly longer than that.

Iptables file from clean install of FC6 below:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

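A check an administrator can run against a fresh install to catch exactly what this report describes, added here as an example and not part of the bug report: it parses an iptables-save style file such as /etc/sysconfig/iptables and prints every ACCEPT in RH-Firewall-1-INPUT that opens a service not on the allowlist chosen at install. The sample rules are constructed from the FC6 file quoted above; `unexpected_services` and `list_open_services` are names chosen for this example.

```shell
#!/bin/sh
# Added audit helper, not part of this bug report: list the services an
# /etc/sysconfig/iptables file accepts and flag those the admin did not choose.

# Constructed sample: the RH-Firewall-1-INPUT rules quoted in comment 9.
SAMPLE_RULES='*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print one "proto/port" (bare "proto" for IP protocols such as 50 and 51)
# per ACCEPT rule in RH-Firewall-1-INPUT that admits new traffic from the
# network.  Loopback, ICMP and the ESTABLISHED,RELATED rule are skipped.
list_open_services() {
    awk '
    $1 == "-A" && $2 == "RH-Firewall-1-INPUT" && $NF == "ACCEPT" {
        proto = ""; port = ""; skip = 0
        for (i = 3; i < NF; i++) {
            if ($i == "-i" && $(i+1) == "lo") skip = 1
            if ($i == "--state" && $(i+1) ~ /ESTABLISHED/) skip = 1
            if ($i == "-p") proto = $(i+1)
            if ($i == "--dport") port = $(i+1)
        }
        if (skip || proto == "" || proto == "icmp") next
        out = (port == "") ? proto : proto "/" port
        print out
    }'
}

# Print the open services that are not in the space-separated allowlist $1.
# Usage: unexpected_services "tcp/22" < /etc/sysconfig/iptables
unexpected_services() {
    allow=" $1 "
    list_open_services | while read -r svc; do
        case "$allow" in *" $svc "*) ;; *) echo "$svc" ;; esac
    done
}
# Only ssh was chosen at install; everything else printed is unexpected.
printf '%s\n' "$SAMPLE_RULES" | unexpected_services "tcp/22"
```

On the sample this prints 50, 51, udp/5353, udp/631 and tcp/631, the same set the reporter found open.
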
Comment 11 Bryce Nesbitt 2007-04-04 21:04:41 UTC
Same with /etc/sysconfig/system-config-securitylevel vs. /etc/sysconfig/iptables.
Some magic opens extra ports beyond what system-config-securitylevel specifies.
Consider deprecating /etc/sysconfig/system-config-securitylevel.

Comment 12 Thomas Woerner 2007-07-30 15:44:23 UTC
*** Bug 178107 has been marked as a duplicate of this bug. ***

Comment 13 Thomas Woerner 2007-09-10 08:59:01 UTC
This has been addressed in system-config-firewall, which replaces
system-config-securitylevel.

There are still default ports, which are open, but now you can close them.
Please have a look at system-config-firewall or lokkit.

Closing "RAWHIDE".