The current firewall rules for the HPC Solution have the following catch-all rules in the INPUT part:

    for dev in private_nics:
        filter += '-A FORWARD -i %s ' % dev + \
                  '-o %s -m state ' % public + \
                  '--state RELATED,ESTABLISHED -j ACCEPT\n'
        filter += '-A FORWARD -i %s -j ACCEPT\n' % dev
        filter += '-A INPUT -i %s -j ACCEPT\n' % dev
    filter += '-A INPUT -i lo -j ACCEPT\n'
    filter += '-A INPUT -p icmp --icmp-type any -j ACCEPT\n'
    filter += '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n'
    filter += '-A INPUT -i %s -p tcp --dport 0:1024 -j REJECT\n' % public
    filter += '-A INPUT -i %s -p udp --dport 0:1024 -j REJECT\n' % public

That leaves ports higher than 1024 available for remote connections from public networks. We think that this is dangerous and we would prefer the last two to be consolidated into one much stricter rule:

    filter += '-A INPUT -i %s -j REJECT\n' % public

Also there would be a need for additional rules to open the public ports used by ntop, cacti, nagios, etc.
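As an added illustration (not Kusu's own code), the following Python builds the INPUT chain both ways and walks it with a small first-match simulator, which shows why the 0:1024 REJECT pair leaves a high port reachable from the public side while the single catch-all REJECT does not. It assumes the chain policy is ACCEPT (which is what the ticket's "leaves ports higher than 1024 available" implies) and uses a hypothetical public_tcp_ports argument for whichever service ports are meant to stay open.

```python
import re

def build_input_rules(public, private_nics, strict, public_tcp_ports=()):
    """INPUT rules as a list of iptables argument strings.

    strict=False reproduces the ticket's 0:1024 REJECT pair; strict=True uses
    the single catch-all REJECT, preceded by ACCEPTs for the public TCP
    service ports passed in (assumed, e.g. a monitoring web UI).
    """
    rules = ['-A INPUT -i %s -j ACCEPT' % dev for dev in private_nics]
    rules += ['-A INPUT -i lo -j ACCEPT',
              '-A INPUT -p icmp --icmp-type any -j ACCEPT',
              '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT']
    if strict:
        rules += ['-A INPUT -i %s -p tcp --dport %d -j ACCEPT' % (public, p)
                  for p in public_tcp_ports]
        rules.append('-A INPUT -i %s -j REJECT' % public)
    else:
        rules += ['-A INPUT -i %s -p tcp --dport 0:1024 -j REJECT' % public,
                  '-A INPUT -i %s -p udp --dport 0:1024 -j REJECT' % public]
    return rules

def _matches(rule, pkt):
    """Match only the options used above: -i, -p, --dport N[:M], --state."""
    m = re.search(r'-i (\S+)', rule)
    if m and m.group(1) != pkt['iface']:
        return False
    m = re.search(r'-p (\S+)', rule)
    if m and m.group(1) != pkt['proto']:
        return False
    m = re.search(r'--dport (\d+)(?::(\d+))?', rule)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not lo <= pkt['dport'] <= hi:
            return False
    # the RELATED,ESTABLISHED rule matches replies only, never a NEW packet
    if '--state' in rule and pkt.get('state', 'NEW') == 'NEW':
        return False
    return True

def verdict(rules, pkt, policy='ACCEPT'):
    """First match wins; the chain policy (assumed ACCEPT, which is what
    makes the high ports reachable) applies when no rule matches."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.split('-j ')[1]
    return policy
```

Calling verdict() with a constructed packet such as {'iface': 'eth0', 'proto': 'tcp', 'dport': 8080} returns ACCEPT against the loose rule set and REJECT against the strict one.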
The code has been changed to replace the last 2 reject rules with the alternate, i.e.:

- filter += '-A INPUT -i %s -p tcp --dport 0:1024 -j REJECT\n' % public
- filter += '-A INPUT -i %s -p udp --dport 0:1024 -j REJECT\n' % public
+ filter += '-A INPUT -i %s -j REJECT\n' % public

The solution will be available in kusu-base-installer 5.1-28 or better.
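Review bot: the new catch-all `-A INPUT -i %s -j REJECT` on the public interface will also reject the ntop, cacti and nagios ports the report says still need opening, because nothing in this change inserts an ACCEPT for them ahead of the REJECT; the per-service `-A INPUT -i %s -p tcp --dport <port> -j ACCEPT` rules should be emitted before the REJECT line in the same change, since iptables stops at the first match. Replies to outbound connections keep working only because the earlier `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule is left in place above it, so that ordering should be preserved as well.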
Fix has passed QA