Date: Tue, 20 Feb 2007 08:55:26 -0800
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline

The file /etc/sysconfig/iptables sets up the rules for firewalls.
According to the file, it is generated by the program
"system-config-securitylevel".
When I set up my laptop with the GUI, the only incoming service I
intended to open was ssh (which is configured with keys for security).
However, when I look at the iptables file I see some extra ACCEPT lines:
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
Those services are:
50 = remote mail checking protocol
51 = IMP Logical Address Maintenance
5353 = Multicast DNS (used by zeroconf)
631 = Internet Printing Protocol and Cups
The last two work with printer configuration; I don't know why the
first two are opened. I commented out the ACCEPT lines, and things
still work fine (so far). I assume this will bollix up some printer
autodiscovery features, but I don't want or need those. I am far more
worried about those ports being used for future hostile exploits.
I imagine the next time I fiddle with the GUI configuration on my SL4.4
laptop these lines will get uncommented. The silent opening of ports is
a bug, IMHO. What is the best way to fix the system-config-securitylevel
program to either ask explicitly or not turn on these ports? Should this
be considered a security flaw in SL4.4?
Keith
PS: In related behavior, the cups server on my laptop used to
broadcast its printers. I turned that off with "BrowseInterval 0" in
/etc/cups/cupsd.conf. I want cups to service only internal requests,
and do not need to broadcast availability to the world. Zeroconf
printing is a wonderful thing sometimes, but not on roaming laptops!
--
Keith Lofstrom [log in to unmask] Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
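The check the post is really asking for (which ACCEPT rules did the GUI write that I never asked for?) can be automated against the file itself. The following is an added example, not code from the post or from Scientific Linux: it parses an iptables-save style file such as /etc/sysconfig/iptables, collects the ACCEPT rules in the RH-Firewall-1-INPUT chain, and reports every rule whose identity is not on an explicit allowlist. The sample file text and the allowlist are constructed for the example. One detail the audit makes visible: `-p 50` and `-p 51` in iptables are IP protocol numbers, not ports; 50 is ESP and 51 is AH, the two IPsec protocols, so those two rules admit IPsec traffic rather than any port-based service.

```python
"""Audit ACCEPT rules in an iptables-save style file (e.g. /etc/sysconfig/iptables)
and report every rule that is not on an explicit allowlist.  Added example; not
part of the original post or of system-config-securitylevel."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# IANA IP protocol numbers.  "-p 50" / "-p 51" select protocols, not ports:
# 50 is ESP and 51 is AH (IPsec).
PROTO_NAMES: Dict[str, str] = {"1": "icmp", "6": "tcp", "17": "udp", "50": "esp", "51": "ah"}
# Well-known ports that appear in the rules under discussion.
PORT_NAMES: Dict[str, str] = {
    "22/tcp": "ssh",
    "631/udp": "ipp (CUPS browsing)",
    "5353/udp": "mdns (zeroconf)",
}


@dataclass(frozen=True)
class AcceptRule:
    chain: str
    proto: Optional[str]   # normalised name ("udp", "esp"); None when no -p given
    dport: Optional[str]
    dst: Optional[str]
    iface: Optional[str]
    state: Optional[str]
    raw: str

    def key(self) -> str:
        """Short identity of the rule, used to match against the allowlist."""
        if self.iface:
            return f"in:{self.iface}"
        if self.dport:
            return f"{self.dport}/{self.proto}"
        if self.state:
            return f"state:{self.state}"
        return self.proto or "any"

    def describe(self) -> str:
        """Human-readable label, distinguishing IP protocols from ports."""
        k = self.key()
        if k in PORT_NAMES:
            return f"{k} = {PORT_NAMES[k]}"
        if self.proto in ("esp", "ah"):
            number = next(n for n, name in PROTO_NAMES.items() if name == self.proto)
            return f"IP protocol {number} = {self.proto} (IPsec, not a port)"
        return k


def _opt(toks: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a tokenised rule, or None if absent."""
    try:
        return toks[toks.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def parse_accept_rules(text: str, chain: str = "RH-Firewall-1-INPUT") -> List[AcceptRule]:
    """Collect every '-A <chain> ... -j ACCEPT' rule, in file order."""
    rules: List[AcceptRule] = []
    for line in text.splitlines():
        toks = line.strip().split()
        if len(toks) < 4 or toks[0] != "-A" or toks[1] != chain:
            continue
        if _opt(toks, "-j") != "ACCEPT":
            continue
        proto = _opt(toks, "-p")
        if proto is not None:
            proto = PROTO_NAMES.get(proto, proto.lower())
        rules.append(AcceptRule(chain, proto, _opt(toks, "--dport"), _opt(toks, "-d"),
                                _opt(toks, "-i"), _opt(toks, "--state"), line.strip()))
    return rules


def audit(text: str, allowed: Set[str]) -> List[AcceptRule]:
    """Return the ACCEPT rules whose key is not in `allowed`."""
    return [r for r in parse_accept_rules(text) if r.key() not in allowed]


# Constructed sample in the shape of an SL4/RHEL4 /etc/sysconfig/iptables; not a real file.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# What the laptop owner actually intends to accept (constructed allowlist).
ALLOWED: Set[str] = {"in:lo", "icmp", "state:ESTABLISHED,RELATED", "22/tcp"}

if __name__ == "__main__":
    for r in audit(SAMPLE, ALLOWED):
        print(f"unexpected ACCEPT: {r.describe():42} <- {r.raw}")
```

Run against the real file with `audit(open("/etc/sysconfig/iptables").read(), ALLOWED)`; rerunning it after any visit to the GUI tool catches the case the post worries about, where the extra lines come back silently. The allowlist is keyed on what a rule admits (interface, port/protocol, connection state or bare protocol) rather than on exact rule text, so reordering or `-m` qualifiers added by the tool do not cause spurious reports.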