Bug 186404 - clean install ports left open in iptables
Status: CLOSED DUPLICATE of bug 181397
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 5
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Chris Lumens
Reported: 2006-03-23 07:31 EST by Rahul Sundaram
Modified: 2013-03-13 01:42 EDT
Doc Type: Bug Fix
Last Closed: 2006-03-23 09:59:26 EST
Description Rahul Sundaram 2006-03-23 07:31:22 EST
+++ This bug was initially created as a clone of Bug #181397 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7

Description of problem:
New clean install of FC4, all updates applied via yum.  Found iptables had a
number of ports left open as follows:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Ports 5353 and 631 as well as protocols 50 and 51 were allowed through the
firewall.  This was not expected.

Port 5353 appears to be either part of zeroconf or multicast DNS or Apple iTunes
services.  

Port 631 deals with network printing ipp or the cups configuration interface. 
CUPS can be configured from the local console without having this port open to
the network.

Protocols 50 and 51 deal with VPN services.

All of these ports should by default be blocked by iptables until the user
configures or enables those services.  

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Clean install of FC4
2. yum update 
3. iptables --list or service iptables status

  

Actual Results:  Certain ports/protocols were allowed through the firewall that
were not selected during the install.  iptables rules from the clean install
listed below:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Expected Results:  iptables should only have those ports open to the network
that were selected during the install.

If packages selected during install apply changes to iptables rules this should
be reported to the user so they know to either examine the firewall rules or
that changes to the firewall may be needed based on package selection.

Packages being installed should never modify the firewall (or the security
level) of the system.  At the very least such packages should be identified and
the administrator should be notified during the install that changes are being
made or are needed for the package to work properly.  

Allowing packages to modify the firewall on the fly could result in compromising
the system.  Default firewall rules should be to block everything unless
specifically selected or enabled by the user.

Additional selections during install may be needed similar to ssh, ftp, http,
smtp, etc.



Additional info:

-- Additional comment from twoerner@redhat.com on 2006-02-14 04:32 EST --
The /etc/sysconfig/iptables file is written by system-config-securitylevel and
by the installer. The file is not initially part of the iptables package.

Assigning to system-config-securitylevel.
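The check the report asks for, written here as an added example (it is not code from the bug report, the installer, or system-config-securitylevel): a small Python audit that parses the RH-Firewall-1-INPUT rules quoted above and flags every ACCEPT rule that opens a port or IP protocol the administrator did not select at install time. The rule text is copied from the report; the set of selected services (ssh, http, smtp) and the loopback/ICMP/established-state baseline are assumptions for the example. Protocols 50 and 51 are IPsec ESP and AH.

```python
"""Audit an iptables-save style ruleset against the services the admin chose.

Added example, not taken from the bug report or from Fedora's tooling. The
same parser works on /etc/sysconfig/iptables or on `iptables-save` output,
since both use the same one-rule-per-line '-A CHAIN ...' syntax.
"""
import shlex

# Rule text copied from the bug report (FC4 clean install), wrapped lines joined.
RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Assumed for this example: the administrator selected ssh, http and smtp
# in the installer's firewall screen and nothing else.
SELECTED = {("tcp", 22), ("tcp", 80), ("tcp", 25)}

# Rules that expose nothing new to the network and are expected on every host
# (assumed baseline): loopback, ICMP, and replies to established connections.
BASELINE_OK = ("-i lo", "--icmp-type any", "--state ESTABLISHED,RELATED")


def parse_rule(line):
    """Return (chain, proto, dport, target) for one '-A' line, or None.

    Only the fields the audit needs are extracted; other flags (-m, -d, -i)
    are skipped. proto is the string after -p ('tcp', 'udp', '50', ...).
    """
    argv = shlex.split(line)
    if not argv or argv[0] != "-A":
        return None
    chain, proto, dport, target = argv[1], None, None, None
    i = 2
    while i < len(argv):
        flag = argv[i]
        if flag == "-p":
            proto = argv[i + 1]
            i += 2
        elif flag == "--dport":
            dport = int(argv[i + 1])
            i += 2
        elif flag == "-j":
            target = argv[i + 1]
            i += 2
        else:
            i += 1
    return chain, proto, dport, target


def unexpected_accepts(rules_text, selected=SELECTED):
    """List ACCEPT rules that expose a port/protocol not in `selected`.

    Returns a sorted list of (proto, dport) tuples; dport is None for
    protocol-only rules such as ESP (50) and AH (51).
    """
    findings = set()
    for line in rules_text.splitlines():
        if any(marker in line for marker in BASELINE_OK):
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _chain, proto, dport, target = parsed
        if target != "ACCEPT":
            continue
        if (proto, dport) not in selected:
            findings.add((proto, dport))
    return sorted(findings, key=lambda t: (t[0], -1 if t[1] is None else t[1]))


if __name__ == "__main__":
    for proto, dport in unexpected_accepts(RULES):
        where = f"port {dport}/{proto}" if dport is not None else f"protocol {proto}"
        print(f"unexpected ACCEPT: {where}")
```

Run against the quoted ruleset it reports protocols 50 and 51 and UDP ports 631 and 5353, which is exactly the set the reporter did not expect; adding those entries to SELECTED (for a host that really does run CUPS, mDNS or IPsec) makes the audit come back clean, so the same script doubles as a post-install regression check for the installer's firewall screen.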
Comment 1 Chris Lumens 2006-03-23 09:59:26 EST

*** This bug has been marked as a duplicate of 181397 ***
