Bug 76493 - Default for *high* security for table should be DROP
Summary: Default for *high* security for table should be DROP
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gnome-lokkit
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-10-22 14:15 UTC by das_deniz
Modified: 2014-03-17 02:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-10-22 14:24:41 UTC
Embargoed:



Description das_deniz 2002-10-22 14:15:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; Linux i686; U;) Gecko/20020830

Description of problem:
This is either for rh-config-securitylevel or lokkit; it's hard to know from the
end-user point of view.

The default rule for the table created and used for INPUT (RH-Lokkit-0-50-INPUT)
should be DROP if high security is selected.
My output of iptables-save shows the default is ACCEPT (bad, bad...).
(Note: my only mods to this file relate to the *nat table at the top.)

# Generated by iptables-save v1.2.6a on Tue Oct 22 10:10:25 2002
*nat
:PREROUTING ACCEPT [252:45646]
:POSTROUTING ACCEPT [15:1118]
:OUTPUT ACCEPT [78:5071]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 22 10:10:25 2002
# Generated by iptables-save v1.2.6a on Tue Oct 22 10:10:25 2002
*filter
:INPUT ACCEPT [46314:59128062]
:FORWARD ACCEPT [117:23483]
:OUTPUT ACCEPT [37107:3492261]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 216.148.227.79 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 204.127.202.19 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. select high security when running redhat-config-securitylevel
2. examine /etc/sysconfig/iptables or output of iptables-save
3. 

Actual Results:  *filter
:INPUT ACCEPT


Expected Results:  *filter
:INPUT DROP

Additional info:

Comment 1 Brent Fox 2002-10-22 14:24:16 UTC
Definitely a gnome-lokkit issue. Changing components.

Comment 2 Bill Nottingham 2002-10-22 19:11:49 UTC
Everything runs through the RH-Lokkit-0-50-INPUT filter, which has a default
reject policy at the end.

Comment 3 das_deniz 2002-10-22 22:27:43 UTC
I guess I was going for *high* security, making my box invisible and thus not
responding to ICMP. I suppose dopey users would ask why can't I ping my box, so
your settings are probably good enough. Thanks.
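To see which traffic the reported ruleset decides inside RH-Lokkit-0-50-INPUT and which falls through to the INPUT policy that the bug is about, here is an added audit script that is not part of this bug report or of lokkit: it parses an excerpt of the iptables-save output above and walks the chains in the order the kernel does. The packet dicts and the source address 198.51.100.7 used in the checks are constructed; only the options the excerpt uses are modelled.

```python
import shlex
# Constructed excerpt of the report's *filter table (its own rules, abbreviated).
RULESET = """\
:INPUT ACCEPT [46314:59128062]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
"""

def parse(text):  # -> ({chain: policy}, {chain: [rule dict]}) from iptables-save lines
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                    # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []   # "-": user chain, no policy
        elif line.startswith("-A"):
            toks, rule, i = shlex.split(line), {}, 2
            while i < len(toks):                    # every option takes one value,
                if toks[i] == "--tcp-flags":        # except --tcp-flags (mask, comp)
                    rule["flags"] = (set(toks[i + 1].split(",")), set(toks[i + 2].split(",")))
                    i += 3
                else:
                    rule[toks[i]] = toks[i + 1]; i += 2
            chains[toks[1]].append(rule)
    return policies, chains

def in_range(value, spec):                          # port spec "80" or "1025:65535"
    lo, _, hi = spec.partition(":")
    return int(lo) <= value <= int(hi or lo)

def matches(rule, pkt):   # options the excerpt uses: -i -p -s --sport --dport --tcp-flags
    for opt, key in (("-i", "iface"), ("-p", "proto"), ("-s", "src")):
        if opt in rule and rule[opt] != pkt.get(key): return False
    for opt, key in (("--sport", "sport"), ("--dport", "dport")):
        if opt in rule and not in_range(pkt.get(key, 0), rule[opt]): return False
    mask, comp = rule.get("flags", (set(), set()))  # no --tcp-flags: empty mask, always true
    return (pkt.get("flags", set()) & mask) == comp

def verdict(pkt, policies, chains, chain="INPUT"):  # -> (target, what decided it)
    for rule in chains[chain]:
        if matches(rule, pkt):
            if rule["-j"] in chains:                # jump; an exhausted user chain returns
                sub = verdict(pkt, policies, chains, rule["-j"])
                if sub[0] != "RETURN": return sub
            else:
                return rule["-j"], f"rule in {chain}"
    pol = policies[chain]                           # end of chain: policy, or RETURN for user chains
    return ("RETURN", chain) if pol == "-" else (pol, f"{chain} policy")
```

Only TCP SYN segments and UDP ever reach the chain's terminal REJECT rules; ICMP and TCP segments without SYN match nothing in the chain and are decided by the INPUT policy, so the policy does matter for that traffic even with the REJECTs at the end.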

