Bug 84269

Summary: redhat-config-securitylevel doesn't configure loopback correctly
Product: [Retired] Red Hat Linux Reporter: Wes Kaufmann <wes>
Component: gnome-lokkitAssignee: Christopher Aillon <caillon>
Status: CLOSED CANTFIX QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0   
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-10-18 16:30:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Wes Kaufmann 2003-02-13 20:52:31 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
I used redhat-config-securitylevel to initally setup iptables.  When selecting
to trust the loopback or the eth0 interface each time it permits all from
anywhere. This is a problem since that X (tcp 6000) is than exposed. 

Editing iptables in sysconfig has the same results so this doesn't seem like a
bug just with redhat-config-securitylevel.  Here's sysconfig/iptables and the
results of iptables -L.  If I remove loop back than the permit all anywhere
anywhere goes away.

IP addresses are sanitized

root@redrock sysconfig]# cat iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
#-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.1 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.2 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.1 --sport 123 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT

[root@redrock sysconfig]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere           udp spt:ntp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
flags:SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  somehost.gov  anywhere           udp spt:domain
ACCEPT     udp  --  somehost.gov   anywhere           udp spt:domain
ACCEPT     udp  --  somehost.gov  anywhere           udp spt:ntp
REJECT     tcp  --  anywhere             anywhere           tcp
flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp reject-with
icmp-port-unreachable


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.edit sysconfig
2. comment out or uncomment lo or eth0
3. test if tcp 6000 is exposed
    

Actual Results:  Connectivity is exposed to 6000 or if lo and eth0 are removed
than no connectivity.

Expected Results:  Entering in lo shoud only permit lo to lo.

Additional info:
Comment 1 Bill Nottingham 2003-02-13 21:16:41 UTC 
How are you testing that it is exposed? Simply with iptables -L?
Comment 2 Wes Kaufmann 2003-02-14 02:03:13 UTC 
Ran a couple of different scans agains the box.  The easiest was to just telnet 
to port 6000 and sure enough it accepted the connection
Comment 3 Bill Nottingham 2006-08-07 19:06:33 UTC 
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Comment 4 Bill Nottingham 2006-10-18 16:30:58 UTC 
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.