Bug 181397 - clean install ports left open in iptables
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: rawhide
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
Duplicates: 178107 186404 207066 216693
Blocks: 177950
Reported: 2006-02-13 15:09 EST by Scot Harris
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-09-10 04:59:01 EDT
Attachments: None
Description Scot Harris 2006-02-13 15:09:55 EST
Description of problem:
New clean install of FC4, all updates applied via yum.  Found iptables had a number of ports left open as follows:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Ports 5353 and 631 as well as protocols 50 and 51 were allowed through the firewall.  This was not expected.

Port 5353 appears to be either part of zeroconf or multicast DNS or Apple iTunes services.  

Port 631 deals with network printing ipp or the cups configuration interface.  CUPS can be configured from the local console without having this port open to the network.

Protocols 50 and 51 deal with VPN services.

All of these ports should by default be blocked by iptables until the user configures or enables those services.  

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Clean install of FC4
2. yum update 
3. iptables --list or service iptables status


Actual Results:  Certain ports/protocols were allowed through the firewall that were not selected during the install.  iptables rules from the clean install listed below:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Expected Results:  iptables should only have those ports open to the network that were selected during the install.

If packages selected during install apply changes to iptables rules this should be reported to the user so they know to either examine the firewall rules or that changes to the firewall may be needed based on package selection.

Packages being installed should never modify the firewall (or the security level) of the system.  At the very least such packages should be identified and the administrator should be notified during the install that changes are being made or are needed for the package to work properly.  

Allowing packages to modify the firewall on the fly could result in compromising the system.  Default firewall rules should be to block everything unless specifically selected or enabled by the user.

Additional selections during install may be needed similar to ssh, ftp, http, smtp, etc.



Additional info:
Comment 1 Thomas Woerner 2006-02-14 04:32:16 EST
The /etc/sysconfig/iptables file is written by system-config-securitylevel and
by the installer. The file is not initially part of the iptables package.

Assigning to system-config-securitylevel.
Comment 2 Chris Lumens 2006-03-23 09:59:39 EST
*** Bug 186404 has been marked as a duplicate of this bug. ***
Comment 3 Chris Lumens 2006-09-25 11:47:46 EDT
*** Bug 207066 has been marked as a duplicate of this bug. ***
Comment 4 Bryce Nesbitt 2006-09-25 12:10:02 EDT
In addition: /etc/sysconfig/system-config-securitylevel
should track /etc/sysconfig/iptables
It is disturbing to go to the trouble of setting up the configuration, then find
that the handy-dandy automatic tool has opened additional services to the world.

(Note that I could do without /etc/sysconfig/system-config-securitylevel
completely... It seems like a less powerful version of /etc/sysconfig/iptables,
but not significantly easier to understand).
Comment 8 Chris Lumens 2006-11-21 10:57:50 EST
*** Bug 216693 has been marked as a duplicate of this bug. ***
Comment 9 Scot Harris 2006-11-22 18:04:56 EST
Push this bug to Fedora Core 6.  Clean install with Fedora Core 6 still has a
number of ports left open in iptables.  Unless the user has enabled ipsec ports
50 and 51 should not be open.  In addition port 5353 appears to be for itunes. 
Unless the user installs itunes and wants to open their system up for sharing
this should not be open.  Same goes for port 631.  If the user wants to enable
network printing then open these up, otherwise the default should be block all
ports.

The only port that should have been explicitly opened was ssh, which is the default to
allow admins to remotely access a new system once it has loaded.

This has been an issue since at least FC4 and possibly longer than that.

Iptables file from clean install of FC6 below:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
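As an added defender's check, not part of this report or of system-config-securitylevel, the script below parses the /etc/sysconfig/iptables listing from the comment above and reports every opening in RH-Firewall-1-INPUT that was not selected at install time. The function names are mine, and it assumes every option in the file takes exactly one value, which holds for the format shown here.

```python
import shlex

# /etc/sysconfig/iptables as written on a clean FC6 install; copied from the
# listing in Comment 9 of this report (embedded here, not read from disk).
SAMPLE_RULES = """\
# Firewall configuration written by system-config-securitylevel
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rule(line):
    """Map the option/value pairs of one '-A CHAIN ...' line into a dict; assumes
    every option takes one value, as in the system-config-securitylevel format."""
    toks = shlex.split(line)
    return dict(zip(toks[0::2], toks[1::2]))  # repeated '-m' keys collapse harmlessly

def opened_to_network(rules_text, chain="RH-Firewall-1-INPUT"):
    """Set of (proto, dport, dst) the chain ACCEPTs from the network, ignoring
    loopback, ICMP and the ESTABLISHED,RELATED rule that only passes replies."""
    opened = set()
    for line in rules_text.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        r = parse_rule(line)
        if r.get("-j") != "ACCEPT" or r.get("-i") == "lo" or r.get("-p") == "icmp":
            continue
        if "--state" in r and "NEW" not in r["--state"]:
            continue
        opened.add((r.get("-p"), r.get("--dport"), r.get("-d")))
    return opened

def unexpected_openings(rules_text, selected):
    """Openings present in the file that the admin did not select at install."""
    return opened_to_network(rules_text) - selected

if __name__ == "__main__":
    # Only SSH was selected in the installer, as Comment 9 describes.
    for hit in sorted(unexpected_openings(SAMPLE_RULES, {("tcp", "22", None)}), key=str):
        print("unexpected opening (proto, dport, dst):", hit)
```

Run against a live system it would read /etc/sysconfig/iptables instead of SAMPLE_RULES; the five hits it reports for the FC6 file are exactly the IPsec protocols, mDNS and IPP openings the report complains about.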
Comment 11 Bryce Nesbitt 2007-04-04 17:04:41 EDT
Same with /etc/sysconfig/system-config-securitylevel vs. /etc/sysconfig/iptables .
Some magic opens extra ports beyond what system-config-securitylevel specifies.
 Consider deprecating /etc/sysconfig/system-config-securitylevel
Comment 12 Thomas Woerner 2007-07-30 11:44:23 EDT
*** Bug 178107 has been marked as a duplicate of this bug. ***
Comment 13 Thomas Woerner 2007-09-10 04:59:01 EDT
This has been addressed in system-config-firewall, which replaces
system-config-securitylevel.

There are still default ports, which are open, but now you can close them.
Please have a look at system-config-firewall or lokkit.

Closing "RAWHIDE".
