Red Hat Bugzilla – Bug 128120
Firewall 'enabled' but all iptables chains default to ACCEPT
Last modified: 2007-11-30 17:10:46 EST
Description of problem: FC3 Test 1, fresh install. Selected 'enabled' for firewall settings during install, with no exceptions. /etc/sysconfig/iptables and system-config-securitylevel show that default rules for all chains is ACCEPT. Version-Release number of selected component (if applicable): 1.3.13-3 Additional info: selinux was also selected as 'enabled' during install.
OK, it appears this is the same as all Fedora versions since FC1. It appears the default is a firewall that rejects anything under port 1024 and a few other things like X11, nfs and xfs. So perhaps it isn't really a concern, but it is unexpected. Maybe putting a description of the pitfalls of such a setup in the installer would be helpful. What would be the downside of a conntrack type firewall instead?
Heh, well sorry, but I've been looking at about three different boxes, one of which was upgraded. I see now the default since FC1 *is* a conntrack-type firewall, but the /etc/sysconfig/iptables file is not overwritten during upgrades, which caused my confusion. I also see that any request not handled by the rules is REJECTed, so the default settings are never used.