From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003 Description of problem: I used redhat-config-securitylevel to initally setup iptables. When selecting to trust the loopback or the eth0 interface each time it permits all from anywhere. This is a problem since that X (tcp 6000) is than exposed. Editing iptables in sysconfig has the same results so this doesn't seem like a bug just with redhat-config-securitylevel. Here's sysconfig/iptables and the results of iptables -L. If I remove loop back than the permit all anywhere anywhere goes away. IP addresses are sanitized root@redrock sysconfig]# cat iptables # Firewall configuration written by lokkit # Manual customization of this file is not recommended. # Note: ifup-post will punch the current nameservers through the # firewall; such entries will *not* be listed here. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :RH-Lokkit-0-50-INPUT - [0:0] -A INPUT -j RH-Lokkit-0-50-INPUT -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT #-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.1 --sport 53 -d 0/0 -j ACCEPT -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.2 --sport 53 -d 0/0 -j ACCEPT -A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.1 --sport 123 -d 0/0 -j ACCEPT -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT COMMIT [root@redrock sysconfig]# /sbin/iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination RH-Lokkit-0-50-INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain RH-Lokkit-0-50-INPUT (1 references) target prot opt source destination ACCEPT udp -- anywhere anywhere udp spt:ntp dpt:ntp ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN ACCEPT all -- anywhere anywhere ACCEPT udp -- somehost.gov anywhere udp spt:domain ACCEPT udp -- somehost.gov anywhere udp spt:domain ACCEPT udp -- somehost.gov anywhere udp spt:ntp REJECT tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable REJECT udp -- anywhere anywhere udp reject-with icmp-port-unreachable Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1.edit sysconfig 2. comment out or uncomment lo or eth0 3. test if tcp 6000 is exposed Actual Results: Connectivity is exposed to 6000 or if lo and eth0 are removed than no connectivity. Expected Results: Entering in lo shoud only permit lo to lo. Additional info:
How are you testing that it is exposed? Simply with iptables -L?
Ran a couple of different scans agains the box. The easiest was to just telnet to port 6000 and sure enough it accepted the connection
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Red Hat apologizes that these issues have not been resolved yet. We do want to make sure that no important bugs slip through the cracks. Please check if this issue is still present in a current Fedora Core release. If so, please change the product and version to match, and check the box indicating that the requested information has been provided. Note that any bug still open against Red Hat Linux on will be closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still running Red Hat Linux, you are strongly advised to upgrade to a current Fedora Core release or Red Hat Enterprise Linux or comparable. Some information on which option may be right for you is available at http://www.redhat.com/rhel/migrate/redhatlinux/. Closing as CANTFIX.