Bug 1182654 - [RFE] Firewall INPUT, FORWARD should be DROP by default.
Summary: [RFE] Firewall INPUT, FORWARD should be DROP by default.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.4.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.4.0
Assignee: Joe Rafaniello
QA Contact: Pete Savage
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-01-15 16:15 UTC by Jared Deubel
Modified: 2019-07-11 08:32 UTC
CC: 11 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
This version of the CloudForms Management Engine appliance changes the default INPUT and FORWARD firewall rule chains to DROP. This enhancement complies with government security requirements.
Clone Of:
Environment:
Last Closed: 2015-06-16 12:47:45 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:




Links
Red Hat Product Errata RHBA-2015:1100 (Private: 0, Priority: normal, Status: SHIPPED_LIVE): CFME 5.4.0 bug fixes, and enhancement update; last updated 2015-06-16 16:28:42 UTC

Comment 2 Pete Savage 2015-02-05 17:13:49 UTC
In 5.3.3.0.1.20150127115148_446974b, the default is still ACCEPT

Comment 3 Keenan Brock 2015-02-19 22:52:06 UTC
Can we make this optional?
Drop all is good for security, but it is very difficult for getting it up and running, and very difficult to diagnose problems.

Comment 9 Dave Johnson 2015-03-20 03:58:45 UTC
Pete, can you take a stab at this and see what happens? Thanks.

Comment 13 CFME Bot 2015-04-14 20:57:14 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/999d2ae0743ece4d1bbb6bc1d465fbf21e8097b8

commit 999d2ae0743ece4d1bbb6bc1d465fbf21e8097b8
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Fri Apr 10 21:41:08 2015 -0400
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Fri Apr 10 21:44:42 2015 -0400

    Drop INPUT/FORWARD packets not whitelisted in the firewall setup
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1182654
    
    **Before** (cf9f8924d685)
    We accepted all INPUT packets.  We allowed icmp, loopback and whitelisted
    ports we use.  Any other INPUT ports were logged and dropped.
    
    We accepted all FORWARD packets.
    
    **After this commit**
    We drop all INPUT packets by default excluding icmp, loopback,
    and whitelisted ports we use.
    
    We drop all FORWARD packets.
    
    OUTPUT packets have NOT been changed, we accept them.
    [skip ci]

 build/kickstarts/base.ks.erb | 8 ++++++++
 1 file changed, 8 insertions(+)
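
As an added example (not the ManageIQ kickstart or any project code), the policy the commit message describes written out as iptables commands, plus an audit function that reads `iptables -S` output and flags an ACCEPT default on INPUT or FORWARD, or an accepted INPUT port outside the allow-list. The port list is an assumption for illustration; the appliance's real whitelist lives in its kickstart.

```shell
#!/bin/bash
# Added example, not the ManageIQ kickstart: the post-commit policy
# (INPUT/FORWARD DROP by default; loopback, icmp and listed ports accepted;
# OUTPUT left at ACCEPT) and an audit of an `iptables -S` dump against it.

# Assumed allow-list for illustration; the appliance's own list is in its kickstart.
ALLOW_PORTS="22 80 443"

# Print (do not apply) the iptables commands that implement the policy.
hardened_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    for p in $ALLOW_PORTS; do
        echo "iptables -A INPUT -p tcp -m tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Keep the "logged and dropped" behaviour: log what falls through to the DROP policy.
    echo "iptables -A INPUT -j LOG --log-prefix \"INPUT DROP: \""
}

# Read `iptables -S` style lines on stdin. Returns 0 when INPUT and FORWARD
# default to DROP and every accepted INPUT dport is in ALLOW_PORTS; otherwise
# prints each finding and returns 1.
audit_dump() {
    local rc=0 line port
    while read -r line; do
        case "$line" in
            "-P INPUT DROP"|"-P FORWARD DROP") ;;
            "-P INPUT "*|"-P FORWARD "*)
                echo "weak default policy: $line"; rc=1 ;;
            "-A INPUT "*"--dport "*"-j ACCEPT")
                port=${line##*--dport }; port=${port%% *}
                case " $ALLOW_PORTS " in
                    *" $port "*) ;;
                    *) echo "unexpected open port: $port"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}
```

On a live appliance the audit runs as `iptables -S | audit_dump`, which exits non-zero if the defaults have drifted back to ACCEPT.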

Comment 14 Joe Rafaniello 2015-04-15 13:32:30 UTC
We moved to building the firewall rules in https://github.com/ManageIQ/manageiq/pull/2562 for https://bugzilla.redhat.com/show_bug.cgi?id=1173216.

In https://github.com/ManageIQ/manageiq/pull/2592, we drop INPUT/FORWARD packets by default in kickstart setup of the firewall.  See that PR for more information.

Comment 16 Joe Rafaniello 2015-04-27 20:40:49 UTC
I'm renaming the bug because we can't easily change OUTPUT to drop by default without greatly decreasing usability. This bug will only change INPUT and FORWARD to drop by default.

Comment 18 Pete Savage 2015-06-02 21:33:31 UTC
This is confirmed in 5.4.0.4

INPUT and FORWARD are DROP by default.

Comment 20 errata-xmlrpc 2015-06-16 12:47:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1100.html

