Why are these ports open in iptables on new FC4 install?

Scot L. Harris webid at cfl.rr.com
Mon Feb 13 22:24:45 UTC 2006


On Tue, 2006-02-14 at 07:28 +1030, Tim wrote:

> I don't have a default set-up machine to look at, but surely this
> shouldn't be open to all, just the LAN.  What is the default setting in
> that regard?
> 

Below are the rules that were in iptables after a clean install with a
full yum update.

While I don't believe having protocols 50, 51 and udp ports 5353 and 631
open poses an immediate security threat, I think it is bad practice for
these to be open without being selected by the user or notifying the
user that these are open.  I am also not sure, but I suspect that
specific rpm packages installed may have added these in.  IMHO no rpm
package should automagically change a system's firewall settings.  Any
firewall settings should be done when the admin configures or enables
the service.  And the admin should know these changes are being made.


-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
