Bug 76493 - Default for *high* security for table should be DROP
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: gnome-lokkit
Version: 8.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Bill Nottingham
Keywords: Security
Reported: 2002-10-22 10:15 EDT by das_deniz
Modified: 2014-03-16 22:31 EDT
Last Closed: 2002-10-22 10:24:41 EDT
Doc Type: Bug Fix
Attachments: None

Description das_deniz 2002-10-22 10:15:36 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.6 (X11; Linux i686; U;) Gecko/20020830

Description of problem:
this is either for rh-config-securitylevel or lokkit; it's hard to know from
the end-user point of view....

the default rule for the table created and used for INPUT (RH-Lokkit-0-50-INPUT)
should be DROP if high security is selected.
my output of iptables-save shows the default is ACCEPT (bad bad...)
(note my only mods to this file relate to the *nat table at the top)

# Generated by iptables-save v1.2.6a on Tue Oct 22 10:10:25 2002
*nat
:PREROUTING ACCEPT [252:45646]
:POSTROUTING ACCEPT [15:1118]
:OUTPUT ACCEPT [78:5071]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Oct 22 10:10:25 2002
# Generated by iptables-save v1.2.6a on Tue Oct 22 10:10:25 2002
*filter
:INPUT ACCEPT [46314:59128062]
:FORWARD ACCEPT [117:23483]
:OUTPUT ACCEPT [37107:3492261]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 216.148.227.79 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -s 204.127.202.19 -p udp -m udp --sport 53 --dport 1025:65535 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. select high security when running redhat-config-securitylevel
2. examine /etc/sysconfig/iptables or output of iptables-save

Actual Results:  *filter
:INPUT ACCEPT


Expected Results:  *filter
:INPUT DROP

Additional info:
Comment 1 Brent Fox 2002-10-22 10:24:16 EDT
Definitely a gnome-lokkit issue.  Changing components
Comment 2 Bill Nottingham 2002-10-22 15:11:49 EDT
Everything runs through the RH-Lokkit-0-50-INPUT filter, which has a default
reject policy at the end.
Comment 3 das_deniz 2002-10-22 18:27:43 EDT
I guess I was going for *high* security making my box invisible and thus not
responding to ICMP - I suppose dopey users would ask why can't I ping my box so
your settings are probably good enough. thanks.
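The behaviour Bill describes in comment 2 (everything passes through RH-Lokkit-0-50-INPUT, which ends in REJECT rules) and the ICMP gap das_deniz notes in comment 3 can both be checked mechanically from iptables-save output. This is an added example, not code from the bug report or from gnome-lokkit: it parses the *filter table, follows the INPUT chain's jump into the lokkit chain and reports what an unsolicited tcp, udp or icmp packet finally hits; SAMPLE is constructed from the report's own output.

```python
# Added example, not gnome-lokkit's code.  SAMPLE is constructed from the
# report's *filter table (duplicate NTP, DNS and DHCP rules dropped, wrapped
# lines re-joined); the functions follow INPUT's jump into the lokkit chain.
SAMPLE = """\
*filter
:INPUT ACCEPT [46314:59128062]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --sport 123 --dport 123 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# Options that narrow a rule to hosts, interfaces or ports; a rule using none of
# them is a catch-all for its protocol (the SYN-only match on the tcp REJECT
# rule still covers every new connection attempt).
SPECIFIC = {"-s", "-d", "-i", "-o", "--sport", "--dport"}

def parse_filter(text):
    """Return chain -> policy ('-' for user chains) and chain -> [(opts, target)]."""
    policies, rules, in_filter = {}, {}, False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or line in ("COMMIT", ""):
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = line.split()
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i][0] == "-"}
            rules.setdefault(tok[1], []).append((opts, opts.get("-j")))
    return policies, rules

def effective_fate(policies, rules, proto, chain="INPUT"):
    """Verdict for a `proto` packet that matches no specific rule: the first
    catch-all terminating rule reached (following jumps), else the built-in policy."""
    for opts, target in rules.get(chain, []):
        if opts.get("-p") not in (None, proto):
            continue                        # rule is for another protocol
        if policies.get(target) == "-":     # jump into a user-defined chain
            fate = effective_fate(policies, rules, proto, target)
            if fate != "RETURN":
                return fate
        elif target in ("ACCEPT", "DROP", "REJECT") and SPECIFIC.isdisjoint(opts):
            return f"{target} (catch-all rule in {chain})"
    return "RETURN" if policies.get(chain) == "-" else f"policy {policies.get(chain)}"
```

On the sample, tcp and udp end at the lokkit chain's catch-all REJECT rules, while icmp matches nothing there and falls through to the INPUT policy of ACCEPT, which is why the box still answers ping.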