Red Hat Bugzilla – Bug 149189
mDNSResponder rule is on even though howl package is not installed
Last modified: 2007-11-30 17:07:16 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Description of problem:
The output of 'iptables -L -v' includes this line:
0 0 ACCEPT udp -- any any anywhere 22.214.171.124 udp dpt:5353
This is enabled by default despite the absence of the howl package (this is RHEL 4 Workstation). Best practice security recommendation is to close any unused ports; if I'm not using Zeroconf (howl) in my network, this port should not be opened on my firewall by default.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Boot the system
2. Verify the absence of howl (rpm -qa | grep howl)
3. Verify the open port with 'iptables -L -v'
Actual Results: As described in the 'Description' field above
Expected Results: The iptables output should not include this open port
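The check the reporter performs by hand (rule present in `iptables -L -v`, package absent in `rpm -qa`) can be scripted so it runs as part of a baseline audit. The script below is an added example, not part of the bug report or of anaconda/lokkit; it takes the two command outputs as text so it can be exercised offline, and the listings and package names in it are constructed sample data. The hypothetical `audit_live` function shows how to feed it the real command output on a host.

```shell
#!/bin/sh
# Added audit helper (not from the bug report): flags a firewall ACCEPT rule
# for mDNS (udp/5353) when no Zeroconf package (howl or avahi) is installed.
# Assumptions: $1 is the text produced by 'iptables -L -v' (with or without
# -n), $2 is the text produced by 'rpm -qa'.

# Return 0 if the listing has an ACCEPT rule for UDP destination port 5353.
# Without -n, iptables resolves the port through /etc/services, so the rule
# may read 'dpt:mdns' instead of 'dpt:5353'; both forms are matched.
mdns_rule_present() {
    printf '%s\n' "$1" \
        | grep -E 'ACCEPT[[:space:]]+udp[[:space:]].*udp dpt:(5353|mdns)([[:space:]]|$)' >/dev/null
}

# Return 0 if any howl-* or avahi-* package appears in the rpm -qa output.
zeroconf_installed() {
    printf '%s\n' "$1" | grep -E '^(howl|avahi)(-[A-Za-z_]+)*-[0-9]' >/dev/null
}

# Return 0 (a finding) when the mDNS rule exists but nothing installed needs it.
unused_mdns_port_open() {
    mdns_rule_present "$1" && ! zeroconf_installed "$2"
}

# Hypothetical live wrapper: run on a host as root. Not invoked below so the
# script stays runnable without privileges.
audit_live() {
    unused_mdns_port_open "$(iptables -L -v 2>/dev/null)" "$(rpm -qa 2>/dev/null)"
}

# Constructed sample data; 224.0.0.251 is the mDNS multicast group, the
# package versions are made up for illustration.
SAMPLE_IPTABLES='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     udp  --  any    any     anywhere             224.0.0.251          udp dpt:5353
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             state NEW tcp dpt:ssh
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-host-prohibited'

SAMPLE_RPM_NO_HOWL='glibc-2.3.4-2
iptables-1.2.11-3
openssh-server-3.9p1-8'

SAMPLE_RPM_WITH_HOWL='glibc-2.3.4-2
howl-libs-0.9.8-2
howl-0.9.8-2'

if unused_mdns_port_open "$SAMPLE_IPTABLES" "$SAMPLE_RPM_NO_HOWL"; then
    echo "FINDING: udp/5353 (mDNS) accepted but no howl/avahi package installed"
else
    echo "OK: mDNS rule absent, or a Zeroconf package is present"
fi
```

On a real host the same logic is `audit_live && echo FINDING`; the text-input form is what makes the check usable in a configuration test without root.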
Assigning to anaconda.
This is because lokkit (the program that comes with s-c-securitylevel responsible for writing out all the iptables-related files) has hard-coded to keep this port open. See bug 134208. The solution here appears to be that a package should be able to request a certain port to be opened for it via its %post scriptlet so the port is only opened if the package is installed.
If you require this fix in RHEL, you'll either need to take it through Issue Tracker or wait for a fix in RHEL5. I'll work on fixing this for Rawhide.
I'm removing the Security keyword from this bug. This issue has the potential
to have a security impact, but is not a security vulnerability by itself.
I am sorry, but I cannot change this, because it would be a behavior change.
RHEL-4 and RHEL-5 are using howl/avahi/Zeroconf by default and the port is open. If you are disabling howl/avahi, then the open port should be no problem.
Closing as CANTFIX.