Bug 128120 - Firewall 'enabled' but all iptables chains default to ACCEPT
Product: Fedora
Classification: Fedora
Component: redhat-config-securitylevel
All Linux
Priority: medium  Severity: medium
Assigned To: Brent Fox
: Security
Reported: 2004-07-18 15:08 EDT by Ben Smith
Modified: 2007-11-30 17:10 EST
Last Closed: 2004-07-30 23:05:50 EDT
Description Ben Smith 2004-07-18 15:08:05 EDT
Description of problem: 
FC3 Test 1, fresh install.  Selected 'enabled' for firewall settings 
during install, with no exceptions.  /etc/sysconfig/iptables and 
system-config-securitylevel show that default rules for all chains 
Additional info: 
selinux was also selected as 'enabled' during install.
Comment 1 Ben Smith 2004-07-26 23:23:51 EDT
OK, it appears this is the same as all Fedora versions since FC1.  
It appears the default is a firewall that rejects anything under 
port 1024 and a few other things like X11, nfs and xfs.   
So perhaps it isn't really a concern, but it is unexpected.  Maybe 
putting a description of the pitfalls of such a setup in the 
installer would be helpful. 
What would be the downside of a conntrack type firewall instead? 
Comment 2 Ben Smith 2004-07-28 03:18:58 EDT
Heh, well sorry, but I've been looking at about three different boxes,
one of which was upgraded.  I see now the default since FC1 *is* a
conntrack-type firewall, but the /etc/sysconfig/iptables file is not
overwritten during upgrades, which caused my confusion.  I also see
that any request not handled by the rules is REJECTed, so the default
settings are never used.
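The distinction drawn in the comments above (a chain policy of ACCEPT is harmless only if a catch-all REJECT is actually reachable) can be audited mechanically. The following is an added example, not code from the bug or from redhat-config-securitylevel: it parses a constructed iptables-save style dump modelled on the old RH-Firewall-1-INPUT layout and lists the chains whose ACCEPT policy can really be hit.

```python
"""Audit an iptables-save dump: report chains whose ACCEPT policy is
reachable because no unconditional REJECT/DROP ends the chain.
SAMPLE is constructed for this example, not a real system's ruleset."""

SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse(dump):
    """Return ({chain: policy}, {chain: [(unconditional, target), ...]})."""
    policies, rules = {}, {}
    for line in dump.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy        # '-' marks a user-defined chain
            rules[chain] = []
        elif line.startswith("-A ") and "-j" in line.split():
            tok = line.split()
            j = tok.index("-j")
            # no match options between the chain name and -j => always fires
            rules[tok[1]].append((j == 2, tok[j + 1]))
    return policies, rules

def terminated(chain, rules, seen=()):
    """True if packets reaching the end of `chain` always hit REJECT/DROP."""
    if chain in seen or not rules.get(chain):
        return False
    uncond, target = rules[chain][-1]
    if not uncond:
        return False
    if target in ("REJECT", "DROP"):
        return True
    return terminated(target, rules, seen + (chain,))   # follow jumps

def open_chains(dump):
    """Chains whose ACCEPT policy is actually reachable."""
    policies, rules = parse(dump)
    return sorted(c for c, p in policies.items()
                  if p == "ACCEPT" and not terminated(c, rules))

if __name__ == "__main__":
    print(open_chains(SAMPLE))   # ['OUTPUT']
```

For the sample, INPUT and FORWARD are covered by the terminal REJECT in RH-Firewall-1-INPUT, while OUTPUT has no rules at all, so its ACCEPT policy is the one that actually decides.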