From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; Linux i686; U;) Gecko/20020830

Description of problem:
this is either for rh-config-securitylevel or lokkit; it's hard to know from the end-user point of view....
the default rule for the table created and used for INPUT (RH-Lokkit-0-50-INPUT) should be DROP if high security is selected.
my output of iptables-save shows the default is ACCEPT (bad bad...)
(note my only mods to this file relate to the *nat table at the top)

# Generated by iptables-save v1.2.6a on Tue Oct 22 10:10:25 2002
*nat
:PREROUTING ACCEPT [252:45646]
:POSTROUTING ACCEPT [15:1118]
:OUTPUT ACCEPT [78:5071]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 22 10:10:25 2002
# Generated by iptables-save v1.2.6a on Tue Oct 22 10:10:25 2002
*filter
:INPUT ACCEPT [46314:59128062]
:FORWARD ACCEPT [117:23483]
:OUTPUT ACCEPT [37107:3492261]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 216.148.227.79 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 204.127.202.19 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. select high security when running redhat-config-securitylevel
2. examine /etc/sysconfig/iptables or the output of iptables-save
3.

Actual Results:
*filter
:INPUT ACCEPT

Expected Results:
*filter
:INPUT DROP

Additional info:
Definitely a gnome-lokkit issue. Changing components.
Everything runs through the RH-Lokkit-0-50-INPUT filter, which has a default reject policy at the end.
I guess I was going for *high* security, making my box invisible and thus not responding to ICMP. I suppose dopey users would ask "why can't I ping my box?", so your settings are probably good enough. Thanks.
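Added example, not from the bug report and not code from lokkit or redhat-config-securitylevel: a small Python evaluator that walks the *filter table of an iptables-save dump the way the kernel does (first matching terminal target wins, jumps into user chains are followed, an exhausted built-in chain falls back to its policy) and reports, for a handful of constructed probe packets, whether the verdict came from a rule or from the chain policy. Run over the ruleset posted above it makes the point the exchange leaves implicit: the two REJECT rules at the end of RH-Lokkit-0-50-INPUT only match TCP segments with SYN set and UDP datagrams, so anything else (ICMP, or a TCP segment without SYN) is never classified by the chain and lands on INPUT's own policy, which is exactly where ACCEPT versus DROP still matters. The probe packets, the remote address 198.51.100.7 and the interface names are constructed; the sample dump is the reporter's filter table with the extraction line-wraps joined.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample: the *filter table from the report, line-wraps joined, *nat and FORWARD/OUTPUT left out.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [46314:59128062]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 216.148.227.79 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
OPTS = {"-p": "proto", "-i": "in_iface", "-s": "src", "--sport": "sport", "--dport": "dport"}

# A packet as seen by the INPUT path; flags holds the TCP flag names that are set.
Packet = namedtuple("Packet", "proto in_iface src sport dport flags",
                    defaults=("eth0", "198.51.100.7", 40000, 0, frozenset()))  # constructed remote address

def parse_filter(dump):
    """Return (policies, rules) for the *filter table; a rule is a dict of the modelled options plus target."""
    policies, rules, in_filter = {}, {}, False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = None if policy == "-" else policy   # user chains have no policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            tok = line.split()
            rule = {"target": tok[tok.index("-j") + 1]}
            for i, t in enumerate(tok[:-1]):
                if t in OPTS:
                    rule[OPTS[t]] = tok[i + 1]
                elif t == "--tcp-flags":  # "--tcp-flags MASK COMP": of the MASK bits, exactly COMP must be set
                    rule["tcp_flags"] = (set(tok[i + 1].split(",")), set(tok[i + 2].split(",")))
            rules.setdefault(tok[1], []).append(rule)
    return policies, rules

def _in_range(spec, port):
    lo, _, hi = spec.partition(":")   # "123" or "1025:65535"
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    r = rule.get
    return (r("proto") in (None, pkt.proto)
            and r("in_iface") in (None, pkt.in_iface)
            and (r("src") is None or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r("src")))
            and (r("sport") is None or _in_range(r("sport"), pkt.sport))
            and (r("dport") is None or _in_range(r("dport"), pkt.dport))
            and (r("tcp_flags") is None or (pkt.flags & r("tcp_flags")[0]) == r("tcp_flags")[1]))

def verdict(policies, rules, pkt, chain="INPUT"):
    """Walk CHAIN like the kernel; returns (verdict, where) so the caller sees whether a rule or a policy decided."""
    for rule in rules.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], f"rule in {chain}"
        if rule["target"] == "RETURN":
            break
        if rule["target"] in rules:  # jump into a user chain; None means it fell off the end
            v, where = verdict(policies, rules, pkt, rule["target"])
            if v is not None:
                return v, where
    policy = policies.get(chain)
    return (policy, f"policy of {chain}") if policy else (None, None)

# Constructed probe packets, all arriving on eth0 from the remote address above.
PROBES = {
    "tcp SYN to 80": Packet("tcp", dport=80, flags=frozenset({"SYN"})),
    "tcp SYN to 22": Packet("tcp", dport=22, flags=frozenset({"SYN"})),
    "tcp ACK-only to 22": Packet("tcp", dport=22, flags=frozenset({"ACK"})),
    "udp to 53": Packet("udp", dport=53),
    "icmp echo-request": Packet("icmp"),
}

def audit(dump, probes=PROBES):
    """Map each probe to (verdict, where); a policy verdict is traffic the chain's rules never classified."""
    policies, rules = parse_filter(dump)
    return {name: verdict(policies, rules, pkt) for name, pkt in probes.items()}

def with_policy(dump, chain, policy):  # rewrite CHAIN's policy, e.g. to the DROP the reporter expected
    return re.sub(rf"^:{chain} \S+", f":{chain} {policy}", dump, flags=re.M)
```

Usage: audit(SAMPLE_DUMP) returns REJECT from a rule for the SYN to port 22 and the UDP probe, ACCEPT from a rule for the SYN to port 80, but ACCEPT from the policy of INPUT for the ICMP echo and the ACK-only segment; audit(with_policy(SAMPLE_DUMP, "INPUT", "DROP")) turns those last two into DROP without touching the rule-decided verdicts, which is what "policy DROP plus an explicit reject chain" buys over the maintainer's "the chain rejects at the end". On a real box the same audit runs over the output of iptables-save in place of SAMPLE_DUMP; the evaluator only models -p, -i, -s, --sport, --dport and --tcp-flags, so rules using other matches would need the parser extended.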