[SATLUG] Default Red Hat firewall/daemon settings secure?

Jeremy Mann jeremymann at gmail.com
Fri Dec 7 10:40:42 CST 2007


mDNS as well as Avahi are new daemons that auto config most networks
now. For instance, with Avahi you can browse VNC servers, printers,
etc. It's the Linux version of "Rendezvous" from Apple. We use mDNS
with the Access Grid to autoconfigure which Unicast bridge is closest.

On Dec 7, 2007 9:02 AM, Sean Carolan <scarolan at gmail.com> wrote:
> Does anyone know why Red Hat and Fedora have the isdn daemon set to
> start at boot time?  I generally disable this and about a dozen other
> init scripts after a fresh installation.
>
> Also, what's up with the default firewall configuration on Red Hat,
> which has a rule for allowing mDNS traffic?  Maybe there are some
> iTunes fans working at Red Hat who want everyone to share their music?
>
> The helper script, system-config-securitylevel-tui, does not mention
> that these ports are being left open.  The following is the default
> configuration of system-config-securitylevel with only the SSH box
> checked.  As you can see, mDNS, CUPS, and ipsec traffic is allowed in
> by default.
>
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
> -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT



-- 
Jeremy Mann
jeremy at biochem.uthscsa.edu

University of Texas Health Science Center
Bioinformatics Core Facility
http://www.bioinformatics.uthscsa.edu
Phone: (210) 567-2672
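As an added example (not code from the thread or from Red Hat), here is a small Python audit script that parses the RH-Firewall-1-INPUT chain quoted above and lists the inbound openings that were not asked for when only the SSH box was checked. The allowlist of intended openings (SSH plus ICMP) is an assumption; the IPsec names for protocols 50 and 51 are the IANA assignments.

```python
import shlex

# The RH-Firewall-1-INPUT chain exactly as quoted in Sean's mail (only the SSH box checked).
DEFAULT_RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# IANA protocol numbers behind the two numeric "-p" rules: both are IPsec.
PROTO_NAMES = {"50": "esp (IPsec)", "51": "ah (IPsec)"}

def _options(tokens):
    """Map each -x/--xx flag to the value that follows it (None if the flag has no value)."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            opts[tok] = None if nxt is None or nxt.startswith("-") else nxt
    return opts

def inbound_accepts(rules_text, chain="RH-Firewall-1-INPUT"):
    """(proto, dport, dst) for each ACCEPT in `chain` that admits NEW inbound traffic;
    loopback and ESTABLISHED,RELATED rules are skipped because they open no service."""
    found = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain]:
            continue
        opts = _options(tokens)
        if opts.get("-j") != "ACCEPT" or opts.get("-i") == "lo":
            continue
        if "NEW" not in (opts.get("--state") or "NEW").split(","):
            continue
        found.append((opts.get("-p"), opts.get("--dport"), opts.get("-d")))
    return found

def unexpected_openings(rules_text, allowed):
    """Openings whose (proto, dport) is not in `allowed`, the set the admin actually asked for."""
    return [o for o in inbound_accepts(rules_text) if (o[0], o[1]) not in allowed]

def describe(opening):
    proto, dport, dst = opening
    return PROTO_NAMES.get(proto, proto) + (f"/{dport}" if dport else "") + (f" to {dst}" if dst else " from anywhere")
```

Running `unexpected_openings(DEFAULT_RULES, {("tcp", "22"), ("icmp", None)})` against the quoted chain returns the IPsec, mDNS and CUPS rules, which is exactly what the tui helper never mentions.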

