SCIENTIFIC-LINUX-USERS Archives

February 2007

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Jon Peatfield <[log in to unmask]>
Reply To: Jon Peatfield <[log in to unmask]>
Date: Tue, 20 Feb 2007 18:36:54 +0000
Content-Type: TEXT/PLAIN
Parts/Attachments: TEXT/PLAIN (68 lines)

On Tue, 20 Feb 2007, Keith Lofstrom wrote:

> The file /etc/sysconfig/iptables sets up the rules for firewalls.
> According to the file, it is generated by the program
> "system-config-securitylevel"
>
> When I set up my laptop with the GUI, the only incoming service I
> intended to open was ssh (which is configured with keys for security).
> However, when I look at the iptables file I see some extra ACCEPT lines:
>
>  -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
>  -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
>  -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
>  -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
>
> Those services are:
>  50   = remote mail checking protocol
>  51   = IMP Logical Address Maintenance

That was -p 50/51, not a udp/tcp port number.  Look in /etc/protocols for a 
list of protocol numbers.

  ipv6-crypt      50      IPv6-Crypt      # Encryption Header for IPv6
  ipv6-auth       51      IPv6-Auth       # Authentication Header for IPv6

Of course you may not care about ipv6 -- we don't :-)

>  5353 = Multicast DNS (used by zeroconf)
>  631  = Internet Printing Protocol and Cups
>
> The last two work with printer configuration, I don't know why the
> first two are opened.  I commented out the ACCEPT lines, and things
> still work fine (so far).  I assume this will bollix up some printer
> autodiscovery features, but I don't want or need those.  I am far more
> worried about those ports being used for future hostile exploits.
>
> I imagine the next time I fiddle with the GUI configuration on my SL4.4
> laptop these lines will get uncommented.  The silent opening of ports is
> a bug, IMHO.  What is the best way to fix the system-config-securitylevel
> program to either ask explicitly or not turn on these ports?  Should this
> be considered a security flaw in SL4.4 ?

Is there an option to do anything for ipv6, like disable it?  I personally 
would just uninstall (or disable if it can't be removed) the GUI tool, but 
then I'm a bit of a dinosaur...

> Keith
>
> PS:  In related behavior, the cups server on my laptop used to
> broadcast its printers.  I turned that off with "BrowseInterval 0" in
> /etc/cups/cupsd.conf.  I want cups to service only internal requests,
> and do not need to broadcast availability to the world.  Zeroconf
> printing is a wonderful thing sometimes, but not on roaming laptops!

You may want to only accept ipp from the local system then, so the 
firewall rules could be tightened up somewhat.  On the other hand you 
might still want to see printer browse adverts from other machines...

Mind you, if the config is just what you showed then ipp/tcp wouldn't be 
allowed at all... :-)

In general most GUI interfaces to firewall configs seem to do a fairly 
poor job.  Of course it is very difficult to present possible iptables 
configurations in any kind of good way, it is a bit like having a GUI for 
writing a shell script... :-(

  -- Jon
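The two points Jon makes above (that `-p 50`/`-p 51` select IP protocol numbers rather than ports, and that the quoted ruleset accepts ipp over udp only, so ipp/tcp would not get through) can be checked mechanically. The script below is an added example, not code from either mail or from system-config-securitylevel: it parses the four ACCEPT lines quoted in the thread (embedded here as constructed sample input, as is a short excerpt in /etc/protocols format, so nothing is read from the live system), resolves numeric protocols through that table, reports which rules are open to any source, answers the "is ipp/tcp allowed?" question, and shows how a rule would be restricted to the loopback interface as Jon suggests. The function names and the `-i lo` rewrite are this example's own choices, not anything the GUI tool does.

```python
import ipaddress
import shlex
from typing import Dict, List

# Constructed excerpt in /etc/protocols format (sample data, not read from disk).
PROTOCOLS_TEXT = """\
# Internet (IP) protocols
ip      0       IP              # internet protocol, pseudo protocol number
icmp    1       ICMP            # internet control message protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
ipv6-crypt      50      IPv6-Crypt      # Encryption Header for IPv6
ipv6-auth       51      IPv6-Auth       # Authentication Header for IPv6
"""

# The ACCEPT lines quoted in the thread, in iptables-save format (constructed input).
RULES_TEXT = """\
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
"""

# Options this small parser understands; each takes exactly one argument.
OPTIONS = ("-A", "-p", "-d", "-s", "-i", "-j", "-m", "--dport", "--sport")


def parse_protocols(text: str) -> Dict[int, str]:
    """Map protocol number -> name from text in /etc/protocols format."""
    table: Dict[int, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then whitespace-split
        if len(fields) >= 2 and fields[1].isdigit():
            table[int(fields[1])] = fields[0]
    return table


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one iptables-save style rule into an option -> value dict."""
    tokens = shlex.split(line)
    rule: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in OPTIONS or i + 1 >= len(tokens):
            raise ValueError(f"cannot parse {tok!r} in rule: {line}")
        rule[tok] = tokens[i + 1]
        i += 2
    return rule


def describe(rule: Dict[str, str], protocols: Dict[int, str]) -> str:
    """Human-readable summary that distinguishes IP protocols from ports."""
    proto = rule.get("-p")
    if proto is None:
        return "any IP protocol"
    if proto.isdigit():  # -p <number> names an IP protocol, not a TCP/UDP port
        num = int(proto)
        return f"IP protocol {num} ({protocols.get(num, 'unknown')}), not a TCP/UDP port"
    text = proto
    if "--dport" in rule:
        text += f"/{rule['--dport']}"
    if "-d" in rule:
        dst = ipaddress.ip_network(rule["-d"], strict=False)
        text += f" to {rule['-d']}" + (" (multicast only)" if dst.is_multicast else "")
    else:
        text += " to any local address"
    return text


def audit(rules_text: str, protocols_text: str) -> List[Dict[str, object]]:
    """One finding per ACCEPT rule: summary plus whether any source may hit it."""
    protocols = parse_protocols(protocols_text)
    findings: List[Dict[str, object]] = []
    for line in rules_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.get("-j") != "ACCEPT":
            continue
        findings.append({
            "rule": line,
            "summary": describe(rule, protocols),
            # No -s (source) and no -i (input interface) means the whole world qualifies.
            "open_to_any_source": "-s" not in rule and "-i" not in rule,
        })
    return findings


def ipp_tcp_allowed(rules_text: str) -> bool:
    """True if some ACCEPT rule would pass tcp/631 (ipp). Answers Jon's aside."""
    for line in rules_text.splitlines():
        if not line.strip():
            continue
        rule = parse_rule(line)
        if rule.get("-j") != "ACCEPT":
            continue
        proto_ok = rule.get("-p", "all") in ("tcp", "6", "all")
        port_ok = rule.get("--dport", "631") == "631"  # no --dport means every port
        if proto_ok and port_ok:
            return True
    return False


def restrict_to_interface(line: str, iface: str = "lo") -> str:
    """Rewrite a rule so it only matches traffic arriving on `iface` (e.g. loopback)."""
    tokens = shlex.split(line)
    if tokens[:1] != ["-A"] or len(tokens) < 2:
        raise ValueError(f"expected an -A <chain> rule: {line}")
    tokens[2:2] = ["-i", iface]  # insert right after the chain name
    return " ".join(tokens)


if __name__ == "__main__":
    for f in audit(RULES_TEXT, PROTOCOLS_TEXT):
        flag = " [open to any source]" if f["open_to_any_source"] else ""
        print(f"{f['rule']}\n    -> {f['summary']}{flag}")
    print("ipp/tcp allowed:", ipp_tcp_allowed(RULES_TEXT))
    print("local-only ipp:", restrict_to_interface(RULES_TEXT.splitlines()[3]))
```

Run against the quoted rules it reports protocols 50 and 51 as ipv6-crypt and ipv6-auth (whatever names the local /etc/protocols gives them), marks all four rules as open to any source, answers that ipp/tcp is not accepted, and prints the udp/631 rule rewritten with `-i lo` so only the laptop itself can reach cups.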
