Date: Tue, 20 Feb 2007 08:55:26 -0800
The file /etc/sysconfig/iptables sets up the rules for firewalls.
According to the file, it is generated by the program
"system-config-securitylevel"
When I set up my laptop with the GUI, the only incoming service I
intended to open was ssh (which is configured with keys for security).
However, when I look at the iptables file I see some extra ACCEPT lines:
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
Those services are:
50 = remote mail checking protocol
51 = IMP Logical Address Maintenance
5353 = Multicast DNS (used by zeroconf)
631 = Internet Printing Protocol and Cups
The last two work with printer configuration; I don't know why the
first two are opened. I commented out the ACCEPT lines, and things
still work fine (so far). I assume this will bollix up some printer
autodiscovery features, but I don't want or need those. I am far more
worried about those ports being used for future hostile exploits.
I imagine the next time I fiddle with the GUI configuration on my SL4.4
laptop these lines will get uncommented. The silent opening of ports is
a bug, IMHO. What is the best way to fix the system-config-securitylevel
program to either ask explicitly or not turn on these ports? Should this
be considered a security flaw in SL4.4?
Keith
PS: In related behavior, the cups server on my laptop used to
broadcast its printers. I turned that off with "BrowseInterval 0" in
/etc/cups/cupsd.conf. I want cups to service only internal requests,
and do not need to broadcast availability to the world. Zeroconf
printing is a wonderful thing sometimes, but not on roaming laptops!
--
Keith Lofstrom Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
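As an added example (not from the post, and not Scientific Linux's own tooling), a small audit script that parses a constructed /etc/sysconfig/iptables fragment modelled on the rules quoted above, lists every ACCEPT the RH-Firewall-1-INPUT chain opens to the network, and reports those outside an intended allowlist. In iptables, `-p <number>` is an IP protocol number rather than a port (50 is ESP and 51 is AH, the IPsec protocols), and the script labels them that way; SAMPLE_RULES, parse_accepts and unexpected_openings are names chosen for this example.

```python
import shlex

# Constructed sample modelled on the rules quoted in the post; not any real host's file.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# "-p <number>" is an IANA IP protocol number, not a TCP/UDP port:
# 50 is ESP and 51 is AH, the two IPsec protocols.
IP_PROTO_NAMES = {50: "esp", 51: "ah"}

def parse_accepts(rules, chain="RH-Firewall-1-INPUT"):
    """Return (proto, dport, dest) for each ACCEPT appended to `chain` that admits
    new traffic from the network; loopback and reply-only (ESTABLISHED) rules are skipped."""
    opened = []
    for line in rules.splitlines():
        toks = shlex.split(line)
        if toks[:2] != ["-A", chain]:
            continue
        # Map each "-opt value" pair; a repeated option (e.g. -m) keeps its last value.
        opts = {toks[i]: toks[i + 1] for i in range(len(toks) - 1) if toks[i].startswith("-")}
        if opts.get("-j") != "ACCEPT" or opts.get("-i") == "lo":
            continue
        if "NEW" not in opts.get("--state", "NEW"):  # ESTABLISHED,RELATED only: not an opening
            continue
        proto = opts.get("-p", "all")
        if proto.isdigit():
            proto = IP_PROTO_NAMES.get(int(proto), "ipproto-" + proto)
        opened.append((proto, opts.get("--dport"), opts.get("-d")))
    return opened

def unexpected_openings(opened, allowed):
    """Openings whose (proto, dport) pair is not in the intended allowlist."""
    return [o for o in opened if (o[0], o[1]) not in allowed]

if __name__ == "__main__":  # intended exposure for the laptop in the post: ssh (plus ICMP)
    for o in unexpected_openings(parse_accepts(SAMPLE_RULES), {("tcp", "22"), ("icmp", None)}):
        print("unexpected ACCEPT:", o)
```

Running it against the real file (`python audit.py < /etc/sysconfig/iptables`, after swapping SAMPLE_RULES for `sys.stdin.read()`) gives a quick diff between what the GUI wrote and what was actually intended.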