[SATLUG] Default Red Hat firewall/daemon settings secure?

Sean Carolan scarolan at gmail.com
Fri Dec 7 09:02:13 CST 2007


Does anyone know why Red Hat and Fedora have the isdn daemon set to
start at boot time?  I generally disable this and about a dozen other
init scripts after a fresh installation.

Also, what's up with the default firewall configuration on Red Hat,
which has a rule for allowing mDNS traffic?  Maybe there are some
iTunes fans working at Red Hat who want everyone to share their music?

The helper script, system-config-securitylevel-tui, does not mention
that these ports are being left open.  The following is the default
configuration of system-config-securitylevel with only the SSH box
checked.  As you can see, mDNS, CUPS, and ipsec traffic is allowed in
by default.

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
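An audit of the ruleset above, added here as an example and not part of the original post: it parses iptables-save style output and lists every rule in the RH-Firewall-1-INPUT chain that admits traffic a remote host can initiate, other than the SSH rule the user actually ticked. The embedded ruleset is a copy of the post's default configuration used as sample input; the allow-list of (protocol, port) pairs is an assumption the reader adjusts to what they enabled.

```python
import shlex
# Constructed copy of the default system-config-securitylevel ruleset quoted
# in the post (SSH box checked), used here as sample input.
DEFAULT_RULES = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def _opt(tokens, name):
    """Value following option *name* in an iptables rule, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == name:
            return tokens[i + 1]
    return None

def inbound_accepts(ruleset, chain="RH-Firewall-1-INPUT"):
    """(proto, dport, dst) for each ACCEPT rule in *chain* that a remote host can
    trigger; loopback, ICMP and ESTABLISHED,RELATED-only rules are skipped."""
    openings = []
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain] or _opt(tokens, "-j") != "ACCEPT":
            continue
        proto = _opt(tokens, "-p")
        state = _opt(tokens, "--state") or ""
        if _opt(tokens, "-i") == "lo" or proto == "icmp":
            continue
        if state and "NEW" not in state.split(","):
            continue  # reply traffic for connections opened from inside
        openings.append((proto, _opt(tokens, "--dport"), _opt(tokens, "-d")))
    return openings

def unexpected_openings(ruleset, allowed=frozenset({("tcp", "22")})):
    """Openings whose (proto, dport) is not in the allow-list the admin chose."""
    return [o for o in inbound_accepts(ruleset) if (o[0], o[1]) not in allowed]

if __name__ == "__main__":
    for proto, port, dst in unexpected_openings(DEFAULT_RULES):
        print(f"unexpected: proto={proto} dport={port} dst={dst or 'any'}")
```

Run against the live ruleset with `iptables-save | python3 audit.py` after replacing DEFAULT_RULES with `sys.stdin.read()`; the five lines it reports for the default are protocols 50 and 51 (IPsec ESP/AH), udp/5353 to 224.0.0.251 (mDNS) and udp+tcp/631 (CUPS).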
