Bug 149189 - mDNSResponder rule is on even though howl package is not installed
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: system-config-securitylevel
Hardware/OS: i386 Linux
Priority: medium, Severity: medium
Assigned To: Thomas Woerner
Blocks: 177950
Reported: 2005-02-20 12:23 EST by Harry Sutton
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-11-06 08:52:31 EST
Description Harry Sutton 2005-02-20 12:23:09 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
The output of 'iptables -L -v' includes this line:

0 0 ACCEPT udp -- any any anywhere udp dpt:5353

This is enabled by default despite the absence of the howl package (this is RHEL 4 Workstation). Best practice security recommendation is to close any unused ports; if I'm not using Zeroconf (howl) in my network, this port should not be opened on my firewall by default.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Boot the system
2. Verify the absence of howl (rpm -qa | grep howl)
3. Verify the open port with 'iptables -L -v'

Actual Results:  As described in the 'Description' field above

Expected Results:  The iptables output should not include this open port

Additional info:
Comment 1 Thomas Woerner 2005-02-21 05:55:48 EST
Assigning to anaconda.
Comment 2 Chris Lumens 2005-11-01 11:11:52 EST
This is because lokkit (the program that comes with s-c-securitylevel
responsible for writing out all the iptables-related files) has hard-coded to
keep this port open.  See bug 134208.  The solution here appears to be that a
package should be able to request a certain port to be opened for it via its
%post scriptlet so the port is only opened if the package is installed.

If you require this fix in RHEL, you'll either need to take it through Issue
Tracker or wait for a fix in RHEL5.  I'll work on fixing this for Rawhide.
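An added audit check for the condition described in the report and in comment 2 (udp/5353 accepted by the firewall while no Zeroconf package is installed); this is example code, not part of the bug report or of lokkit. The rule listing and package lists are constructed sample data so it runs offline; on a real host the inputs would be the output of `iptables -L -v -n` and `rpm -qa`.

```shell
# Constructed sample of `iptables -L -v -n` output showing the hard-coded mDNS rule.
SAMPLE_RULES='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:5353
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh'

# Constructed `rpm -qa` excerpts: one with no Zeroconf package, one with howl installed.
PKGS_NO_ZEROCONF='openssh-server-3.9p1-8
iptables-1.2.11-3.1'
PKGS_WITH_HOWL='howl-libs-0.9.8-1
howl-0.9.8-1
iptables-1.2.11-3.1'

# Returns 0 if the listing contains an ACCEPT rule for udp destination port 5353
# (printed as "dpt:5353" with -n, or "dpt:mdns" when service names are resolved).
mdns_rule_present() {
    printf '%s\n' "$1" | grep -qE '^ *[0-9]+ +[0-9]+ +ACCEPT +udp .*udp dpt:(5353|mdns)( |$)'
}

# Returns 0 if the package list contains howl or avahi (any subpackage counts).
zeroconf_installed() {
    printf '%s\n' "$1" | grep -qE '^(howl|avahi)(-[a-z]+)*-[0-9]'
}

# Prints a verdict; returns 1 only when udp/5353 is open with no consumer installed.
audit_mdns() {
    rules="$1"; pkgs="$2"
    if ! mdns_rule_present "$rules"; then
        echo "no udp/5353 ACCEPT rule present"
        return 0
    fi
    if zeroconf_installed "$pkgs"; then
        echo "udp/5353 open and a Zeroconf package is installed: expected"
        return 0
    fi
    echo "udp/5353 open but neither howl nor avahi is installed: close it"
    return 1
}

# The state reported in this bug: rule present, howl absent.
audit_mdns "$SAMPLE_RULES" "$PKGS_NO_ZEROCONF" || echo "(finding: unused port open by default)"
```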
Comment 3 Josh Bressers 2006-09-21 14:54:19 EDT
I'm removing the Security keyword from this bug.  This issue has the potential
to have a security impact, but is not a security vulnerability by itself.
Comment 4 Thomas Woerner 2007-11-06 08:52:31 EST
I am sorry, but I cannot change this, because it would be a behavior change.
RHEL-4 and RHEL-5 are using howl/avahi/Zeroconf by default and the port is
open. If you are disabling howl/avahi, then the open port should be no problem
for you.

Closing as CANTFIX.
