Red Hat Bugzilla – Bug 128120
Firewall 'enabled' but all iptables chains default to ACCEPT
Last modified: 2007-11-30 17:10:46 EST
Description of problem:
FC3 Test 1, fresh install. Selected 'enabled' for firewall settings
during install, with no exceptions. /etc/sysconfig/iptables and
system-config-securitylevel show that default rules for all chains

Version-Release number of selected component (if applicable):
selinux was also selected as 'enabled' during install.

OK, it appears this is the same as all Fedora versions since FC1.
It appears the default is a firewall that rejects anything under
port 1024 and a few other things like X11, nfs and xfs.
So perhaps it isn't really a concern, but it is unexpected. Maybe
putting a description of the pitfalls of such a setup in the
installer would be helpful.
What would be the downside of a conntrack type firewall instead?

Heh, well sorry, but I've been looking at about three different boxes,
one of which was upgraded. I see now the default since FC1 *is* a
conntrack-type firewall, but the /etc/sysconfig/iptables file is not
overwritten during upgrades, which caused my confusion. I also see
that any request not handled by the rules is REJECTed, so the default
settings are never used.
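As an added example (not part of the bug report or of Fedora's own tooling), a small audit script that parses an iptables-save dump and reports, per built-in chain, whether the default policy can ever be consulted. The dump is constructed to mirror the layout described in the comments (policy ACCEPT, conntrack rule, catch-all REJECT); the chain name MY-INPUT and the port 22 rule are illustrative choices, not the distribution's defaults.

```python
# Audit an iptables-save dump: is each chain's default policy reachable, or is
# it shadowed by an unconditional verdict (as the comments above describe)?

# Constructed sample in iptables-save format; not copied from any release.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:MY-INPUT - [0:0]
-A INPUT -j MY-INPUT
-A FORWARD -j MY-INPUT
-A MY-INPUT -i lo -j ACCEPT
-A MY-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A MY-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A MY-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # built-in verdicts that end traversal

def parse_dump(text):
    """Return ({chain: policy or None}, {chain: [(match_tokens, target), ...]})."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                      # chain declaration
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            rules.setdefault(name, [])
        elif line.startswith("-A "):                  # rule appended to a chain
            tokens = line.split()
            if "-j" not in tokens:                    # match-only rule: never a verdict
                continue
            j = tokens.index("-j")
            rules.setdefault(tokens[1], []).append((tokens[2:j], tokens[j + 1]))
    return policies, rules

def policy_reachable(chain, rules, seen=frozenset()):
    """True if some packet can fall off the end of `chain`, so its policy decides."""
    if chain in seen:
        return True                                   # loop guard
    for matches, target in rules.get(chain, []):
        if matches:
            continue                                  # conditional: some packets skip it
        if target in TERMINATING:
            return False                              # unconditional verdict shadows policy
        if target in rules and not policy_reachable(target, rules, seen | {chain}):
            return False                              # unconditional jump that always decides
    return True

def audit(text):
    """Map each built-in chain to (policy, reachable)."""
    policies, rules = parse_dump(text)
    return {c: (p, policy_reachable(c, rules)) for c, p in policies.items() if p}
```

Run against the sample, INPUT and FORWARD report their ACCEPT policy as never consulted, while OUTPUT (no rules at all) shows the ACCEPT policy genuinely in force.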