From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
The output of 'iptables -L -v' includes this line:

    0 0 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:5353

This is enabled by default despite the absence of the howl package (this is RHEL 4 Workstation). Best practice security recommendation is to close any unused ports; if I'm not using Zeroconf (howl) in my network, this port should not be opened on my firewall by default.

Version-Release number of selected component (if applicable):
iptables-1.2.11-3.1.RHEL4

How reproducible:
Always

Steps to Reproduce:
1. Boot the system
2. Verify the absence of howl (rpm -qa | grep howl)
3. Verify the open port with 'iptables -L -v'

Actual Results:
As described in the 'Description' field above

Expected Results:
The iptables output should not include this open port

Additional info:
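Steps 2 and 3 of the report are a manual audit: compare the ports the firewall accepts against the packages that actually need them. The script below is an added example (not part of the bug report or of any Red Hat tool) that performs that comparison over captured command output. The `iptables -L -v` and `rpm -qa` samples are constructed to match the report's RHEL 4 situation, and the port-to-package mapping `PORT_OWNERS` is an assumption made for the example: a rule is flagged when it ACCEPTs a destination port whose listed owner packages are all absent.

```python
"""Flag ACCEPT rules in `iptables -L -v` output that open a port for a
package that is not installed (e.g. udp/5353 for howl/avahi mDNS)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `iptables -L -v` output, modelled on the RHEL 4
# lokkit ruleset; the udp dpt:5353 line is the one quoted in the report.
SAMPLE_IPTABLES = """\
Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp any
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251         udp dpt:5353
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Constructed sample of `rpm -qa` output: openssh-server present, howl/avahi absent.
SAMPLE_RPM_QA = """\
openssh-server-3.9p1-8.RHEL4.1
iptables-1.2.11-3.1.RHEL4
system-config-securitylevel-1.4.18.2-1
"""

# Assumption for this example: an open port is justified only if at least
# one of these packages is installed. Extend for the services you run.
PORT_OWNERS: Dict[Tuple[str, str], Set[str]] = {
    ("udp", "5353"): {"howl", "avahi"},  # Zeroconf / mDNS
    ("tcp", "22"): {"openssh-server"},
}

# Service names that `iptables -L` (without -n) prints when /etc/services knows the port.
SERVICE_ALIASES = {"ssh": "22", "mdns": "5353"}


def parse_rules(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per rule line with target, protocol, destination and dport."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():
            continue  # chain header, column header or blank line
        target, proto, dest = f[2], f[3], f[8]
        m = re.search(r"dpt:(\S+)", line)
        port = m.group(1) if m else None
        port = SERVICE_ALIASES.get(port, port) if port else None
        rules.append({"target": target, "proto": proto, "dest": dest, "dport": port})
    return rules


def installed_names(rpm_qa: str) -> Set[str]:
    """Strip '-version-release' from each `rpm -qa` entry to get package names."""
    return {re.sub(r"-[^-]+-[^-]+$", "", pkg) for pkg in rpm_qa.split()}


def unjustified_open_ports(iptables_text: str, rpm_qa: str) -> List[Tuple[str, str, str, List[str]]]:
    """ACCEPT rules whose destination port has no installed owner package."""
    installed = installed_names(rpm_qa)
    findings = []
    for r in parse_rules(iptables_text):
        if r["target"] != "ACCEPT" or r["dport"] is None:
            continue
        owners = PORT_OWNERS.get((r["proto"], r["dport"]))
        if owners is not None and not (owners & installed):
            findings.append((r["proto"], r["dport"], r["dest"], sorted(owners)))
    return findings


if __name__ == "__main__":
    for proto, port, dest, owners in unjustified_open_ports(SAMPLE_IPTABLES, SAMPLE_RPM_QA):
        print(f"open {proto}/{port} to {dest} but none of {owners} installed")
```

On the constructed input the only finding is udp/5353 to 224.0.0.251, which is exactly the rule the report objects to; adding a howl package to the `rpm -qa` sample makes the finding disappear. On a live host you would feed it the real output of `iptables -L -v` and `rpm -qa`.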
Assigning to anaconda.
This is because lokkit (the program that comes with s-c-securitylevel responsible for writing out all the iptables-related files) has hard-coded to keep this port open. See bug 134208. The solution here appears to be that a package should be able to request a certain port to be opened for it via its %post scriptlet so the port is only opened if the package is installed. If you require this fix in RHEL, you'll either need to take it through Issue Tracker or wait for a fix in RHEL5. I'll work on fixing this for Rawhide.
I'm removing the Security keyword from this bug. This issue has the potential to have a security impact, but is not a security vulnerability by itself.
I am sorry, but I cannot change this, because it would be a behavior change. RHEL-4 and RHEL-5 are using howl/avahi/Zeroconf by default and the port is open. If you are disabling howl/avahi, then the open port should be no problem for you. Closing as CANTFIX.