Bug 128120 - Firewall 'enabled' but all iptables chains default to ACCEPT
Summary: Firewall 'enabled' but all iptables chains default to ACCEPT
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: redhat-config-securitylevel
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Brent Fox
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-07-18 19:08 UTC by Ben Smith
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-07-31 03:05:50 UTC
Type: ---
Embargoed:



Description Ben Smith 2004-07-18 19:08:05 UTC
Description of problem:
FC3 Test 1, fresh install. Selected 'enabled' for firewall settings during install, with no exceptions. /etc/sysconfig/iptables and system-config-securitylevel show that the default rules for all chains are ACCEPT.

Version-Release number of selected component (if applicable):
1.3.13-3

Additional info:
selinux was also selected as 'enabled' during install.

Comment 1 Ben Smith 2004-07-27 03:23:51 UTC
OK, it appears this is the same as all Fedora versions since FC1. It appears the default is a firewall that rejects anything under port 1024 and a few other things like X11, nfs and xfs.

So perhaps it isn't really a concern, but it is unexpected. Maybe putting a description of the pitfalls of such a setup in the installer would be helpful.

What would be the downside of a conntrack type firewall instead?

Comment 2 Ben Smith 2004-07-28 07:18:58 UTC
Heh, well sorry, but I've been looking at about three different boxes,
one of which was upgraded.  I see now the default since FC1 *is* a
conntrack-type firewall, but the /etc/sysconfig/iptables file is not
overwritten during upgrades, which caused my confusion.  I also see
that any request not handled by the rules is REJECTed, so the default
settings are never used.
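The point resolved in the comments (every chain shows policy ACCEPT, yet anything not matched by an earlier rule is REJECTed by the last rule, so the policy is never reached) can be checked mechanically rather than by reading the file. The Python below is an added example, not part of the bug report or of system-config-securitylevel: it parses an /etc/sysconfig/iptables-style dump and resolves each built-in chain's effective default by following unconditional jumps; the sample ruleset and the chain name RH-Firewall-1-INPUT are constructed for this example.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Options that restrict which packets a rule matches; a rule using none of
# them applies to every packet that reaches it (i.e. it is unconditional).
MATCH_OPTS = {"-s", "-d", "-p", "-i", "-o", "-m", "-f", "--source", "--src",
              "--destination", "--dst", "--protocol", "--in-interface",
              "--out-interface"}

# Constructed sample in iptables-save format, modelled on the layout the
# comments describe: ACCEPT policies, a state-tracking chain, final REJECT.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"""

def parse_filter_table(text):
    """Return ({chain: policy or None}, {chain: [(unconditional, target)]})."""
    policies, rules = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                    # chain declaration
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy   # "-" = user chain
            rules.setdefault(name, [])
        elif line.startswith("-A "):                # appended rule
            args = shlex.split(line)
            target = args[args.index("-j") + 1] if "-j" in args else None
            unconditional = not any(a in MATCH_OPTS for a in args[2:])
            rules.setdefault(args[1], []).append((unconditional, target))
    return policies, rules

def effective_default(chain, policies, rules, depth=0):
    """Fate of a packet matching no specific rule: follow unconditional jumps;
    a user chain that falls off its end RETURNs (None) to its caller."""
    if depth > 32:
        raise ValueError("jump chain too deep (loop?)")
    for unconditional, target in rules.get(chain, []):
        if not unconditional or target is None:
            continue
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in rules:                         # jump into a user chain
            result = effective_default(target, policies, rules, depth + 1)
            if result is not None:
                return result
    return policies.get(chain)                      # only reached if nothing terminal

def audit(text):
    """Map each built-in chain to (declared policy, effective default)."""
    policies, rules = parse_filter_table(text)
    return {c: (p, effective_default(c, policies, rules))
            for c, p in policies.items() if p is not None}
```

Run `audit(SAMPLE)` to see INPUT and FORWARD report a declared policy of ACCEPT but an effective default of REJECT, which is exactly the mismatch the reporter observed.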

