+++ This bug was initially created as a clone of Bug #181397 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20060202 Fedora/1.0.7-1.2.fc4 Firefox/1.0.7

Description of problem:
New clean install of FC4, all updates applied via yum. Found iptables had a number of ports left open as follows:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Ports 5353 and 631 as well as protocols 50 and 51 were allowed through the firewall. This was not expected. Port 5353 appears to be either part of zeroconf or multicast DNS or Apple iTunes services. Port 631 deals with network printing (ipp) or the CUPS configuration interface. CUPS can be configured from the local console without having this port open to the network. Protocols 50 and 51 deal with VPN services. All of these ports should by default be blocked by iptables until the user configures or enables those services.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Clean install of FC4
2. yum update
3. iptables --list or service iptables status

Actual Results:
Certain ports/protocols were allowed through the firewall that were not selected during the install.

iptables rules from the clean install listed below:

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Expected Results:
iptables should only have those ports open to the network that were selected during the install. If packages selected during install apply changes to iptables rules, this should be reported to the user so they know to either examine the firewall rules or that changes to the firewall may be needed based on package selection.

Packages being installed should never modify the firewall (or the security level) of the system. At the very least such packages should be identified and the administrator should be notified during the install that changes are being made or are needed for the package to work properly. Allowing packages to modify the firewall on the fly could result in compromising the system.

Default firewall rules should be to block everything unless specifically selected or enabled by the user. Additional selections during install may be needed similar to ssh, ftp, http, smtp, etc.

Additional info:

-- Additional comment from twoerner on 2006-02-14 04:32 EST --
The /etc/sysconfig/iptables file is written by system-config-securitylevel and by the installer. The file is not initially part of the iptables package. Assigning to system-config-securitylevel.
*** This bug has been marked as a duplicate of 181397 ***
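As an added example (not part of this bug report, nor code from the iptables or system-config-securitylevel projects), the following Python script shows the post-install check the reporter performed by hand: it parses /etc/sysconfig/iptables style "-A" rule lines, skips the loopback, ICMP and ESTABLISHED,RELATED baseline, and reports every other ACCEPT rule whose protocol/port pair is not on an allowlist of services the administrator actually selected. The rule text is a constructed sample copied from the report above, and the EXPECTED_OPEN allowlist (ssh, http, smtp) is an assumption standing in for the installer selections; on the sample it flags protocols 50 and 51 and udp ports 5353 and 631, exactly the four items the report complains about.

```python
import sys

# Constructed sample: the RH-Firewall-1-INPUT chain as quoted in the bug report
# (iptables-save / /etc/sysconfig/iptables format).
SAMPLE_RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Assumed allowlist: the services the administrator chose in the installer,
# as (protocol, port) pairs. A port of None means "the whole protocol",
# which is how a deliberately enabled IPsec (proto 50/51) would be recorded.
EXPECTED_OPEN = {("tcp", 22), ("tcp", 80), ("tcp", 25)}


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the options relevant for the audit."""
    tokens = line.split()
    rule = {"chain": None, "proto": None, "dport": None, "target": None,
            "iface": None, "state": None, "dst": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-A":
            rule["chain"] = nxt; i += 2
        elif tok == "-p":
            rule["proto"] = nxt; i += 2
        elif tok == "--dport":
            rule["dport"] = int(nxt); i += 2
        elif tok == "-j":
            rule["target"] = nxt; i += 2
        elif tok == "-i":
            rule["iface"] = nxt; i += 2
        elif tok == "--state":
            rule["state"] = nxt; i += 2
        elif tok == "-d":
            rule["dst"] = nxt; i += 2
        else:
            i += 1  # -m, --icmp-type, --reject-with, ...: not needed here
    return rule


def unexpected_accepts(rules_text, expected):
    """Return the ACCEPT rule lines that open something outside `expected`.

    Loopback, ICMP and the stateful ESTABLISHED,RELATED rule are treated as
    baseline; every other ACCEPT must match an allowlisted (proto, port) pair.
    """
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A"):
            continue
        r = parse_rule(line)
        if r["target"] != "ACCEPT":
            continue
        if r["iface"] == "lo" or r["proto"] == "icmp":
            continue
        if r["state"] and "ESTABLISHED" in r["state"] and r["dport"] is None:
            continue
        if (r["proto"], r["dport"]) in expected:
            continue
        findings.append(line)
    return findings


def describe(rule_line):
    """Short human-readable label for a flagged rule, e.g. 'udp/631' or 'proto 50'."""
    r = parse_rule(rule_line)
    if r["dport"] is not None:
        return f"{r['proto']}/{r['dport']}"
    return f"proto {r['proto']}"


if __name__ == "__main__":
    # Audit a real file if one is given on the command line, else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for line in unexpected_accepts(text, EXPECTED_OPEN):
        print(f"not selected during install: {describe(line)}    {line}")
```

Run as `python audit_iptables.py /etc/sysconfig/iptables` after an install (or pipe `iptables-save` output into a file first); an empty result means the saved rules open nothing beyond the chosen services. Extending EXPECTED_OPEN with `("udp", 631)` or `("50", None)` is the right way to record that a service such as printing or IPsec was enabled on purpose.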