From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7

Description of problem:
New clean install of FC4, all updates applied via yum. Found iptables had a number of ports left open as follows:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Ports 5353 and 631 as well as protocols 50 and 51 were allowed through the firewall. This was not expected. Port 5353 appears to be either part of zeroconf or multicast DNS or Apple iTunes services. Port 631 deals with network printing (ipp) or the CUPS configuration interface. CUPS can be configured from the local console without having this port open to the network. Protocols 50 and 51 deal with VPN services. All of these ports should by default be blocked by iptables until the user configures or enables those services.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Clean install of FC4
2. yum update
3. iptables --list or service iptables status

Actual Results:
Certain ports/protocols were allowed through the firewall that were not selected during the install.

iptables rules from the clean install listed below:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Expected Results:
iptables should only have those ports open to the network that were selected during the install. If packages selected during install apply changes to iptables rules, this should be reported to the user so they know to either examine the firewall rules or that changes to the firewall may be needed based on package selection.

Packages being installed should never modify the firewall (or the security level) of the system. At the very least such packages should be identified and the administrator should be notified during the install that changes are being made or are needed for the package to work properly. Allowing packages to modify the firewall on the fly could result in compromising the system.

Default firewall rules should be to block everything unless specifically selected or enabled by the user. Additional selections during install may be needed, similar to ssh, ftp, http, smtp, etc.

Additional info:
The /etc/sysconfig/iptables file is written by system-config-securitylevel and by the installer. The file is not initially part of the iptables package. Assigning to system-config-securitylevel.
*** Bug 186404 has been marked as a duplicate of this bug. ***
*** Bug 207066 has been marked as a duplicate of this bug. ***
In addition: /etc/sysconfig/system-config-securitylevel should track /etc/sysconfig/iptables.

It is disturbing to go to the trouble of setting up the configuration, then find that the handy-dandy automatic tool has opened additional services to the world. (Note that I could do without /etc/sysconfig/system-config-securitylevel completely... It seems like a less powerful version of /etc/sysconfig/iptables, but not significantly easier to understand).
*** Bug 216693 has been marked as a duplicate of this bug. ***
Push this bug to Fedora Core 6. Clean install with Fedora Core 6 still has a number of ports left open in iptables. Unless the user has enabled IPsec, protocols 50 and 51 should not be open. In addition, port 5353 appears to be for iTunes. Unless the user installs iTunes and wants to open their system up for sharing, this should not be open. Same goes for port 631. If the user wants to enable network printing then open these up; otherwise the default should be to block all ports. The only port that should have been explicitly opened was ssh, which is the default so that admins can remotely access a new system once it has loaded. This has been an issue since at least FC4 and possibly longer than that.

Iptables file from clean install of FC6 below:

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Same with /etc/sysconfig/system-config-securitylevel vs. /etc/sysconfig/iptables . Some magic opens extra ports beyond what system-config-securitylevel specifies. Consider deprecating /etc/sysconfig/system-config-securitylevel
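As an added example (not part of the bug report and not Fedora's own tooling), the following Python script does the check the two preceding comments are asking for: it parses an iptables-save style ruleset such as the FC6 one quoted above, lists every ACCEPT rule that admits new inbound traffic to a service, and reports those not covered by the ports the administrator actually selected. It can also derive the allowed set from a lokkit-style file of "--port=PORT:PROTO" lines, which is the assumed format of /etc/sysconfig/system-config-securitylevel, so the mismatch between the two files that the previous comment describes shows up directly. The rulesets embedded in the script are constructed copies of the ones quoted in this bug.

```python
"""Audit an iptables-save style ruleset for service openings that were not
explicitly allowed.  Constructed example for this bug thread; it is not part
of Fedora's system-config-securitylevel or iptables packages.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the FC6 default ruleset quoted in the bug report.
SAMPLE_IPTABLES = """\
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: what the user believes they configured (ssh only).
# The "--port=PORT:PROTO" line format is an assumption based on lokkit's options.
SAMPLE_SECURITYLEVEL = """\
# Configuration file for system-config-securitylevel
--enabled
--port=22:tcp
"""

# iptables options that take exactly one argument; enough for the rules above.
OPTS_WITH_ARG = {"-A", "-i", "-o", "-p", "-m", "-s", "-d", "-j",
                 "--dport", "--sport", "--state", "--icmp-type", "--reject-with"}


@dataclass(frozen=True)
class Opening:
    proto: str            # "tcp", "udp", or a raw protocol number such as "50"
    port: Optional[str]   # destination port, None for protocol-level openings
    dest: Optional[str]   # destination address restriction, if any


def parse_rule(line: str) -> dict:
    """Turn one '-A ...' rule into an option -> value map (last value wins)."""
    toks = line.split()
    opts, i = {}, 0
    while i < len(toks):
        if toks[i] in OPTS_WITH_ARG and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            opts[toks[i]] = None   # flag without argument, or unknown token
            i += 1
    return opts


def service_openings(ruleset: str) -> list:
    """Return ACCEPT rules that admit new inbound traffic to a service."""
    found = []
    for line in ruleset.splitlines():
        line = line.strip()
        if not line.startswith("-A"):
            continue                  # comments, table/chain headers, COMMIT
        o = parse_rule(line)
        if o.get("-j") != "ACCEPT":
            continue                  # chain jumps, REJECT, DROP
        if o.get("-i") == "lo":
            continue                  # loopback only, not reachable from the network
        state = o.get("--state")
        if state and "NEW" not in state.split(","):
            continue                  # return traffic for sessions the host opened
        proto = o.get("-p")
        if proto is None or proto == "icmp":
            continue                  # the ICMP rule is not a service port; not flagged here
        found.append(Opening(proto, o.get("--dport"), o.get("-d")))
    return found


def allowed_from_securitylevel(config: str) -> set:
    """Extract (proto, port) pairs from '--port=PORT:PROTO' lines (assumed format)."""
    allowed = set()
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("--port="):
            port, proto = line[len("--port="):].split(":", 1)
            allowed.add((proto, port))
    return allowed


def unexpected_openings(ruleset: str, allowed: set) -> list:
    """Openings present in the ruleset but absent from the allowed set."""
    return [o for o in service_openings(ruleset) if (o.proto, o.port) not in allowed]


if __name__ == "__main__":
    allowed = allowed_from_securitylevel(SAMPLE_SECURITYLEVEL)
    for o in unexpected_openings(SAMPLE_IPTABLES, allowed):
        where = f" to {o.dest}" if o.dest else ""
        print(f"unexpected: proto {o.proto} port {o.port}{where}")
```

Run against the quoted FC6 ruleset with only ssh selected, the script reports protocols 50 and 51, udp 5353 (restricted to 224.0.0.251), udp 631 and tcp 631, which is exactly the list the reporter complains about. Rules without `-p`, loopback rules and the ESTABLISHED,RELATED rule are deliberately excluded because they do not expose a service; a stricter policy could also flag the `--icmp-type any` rule, but the bug does not raise it. To audit a live system, feed the output of `iptables-save` (or the contents of /etc/sysconfig/iptables) to `unexpected_openings` instead of the embedded sample.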
*** Bug 178107 has been marked as a duplicate of this bug. ***
This has been addressed in system-config-firewall, which replaces system-config-securitylevel. There are still default ports, which are open, but now you can close them. Please have a look at system-config-firewall or lokkit. Closing "RAWHIDE".