Why are these ports open in iptables on new FC4 install?

Joel Rees rees at dsic.jp
Wed Feb 15 05:14:09 UTC 2006


On 2006-02-14 (Tue) at 22:23 +1030, Tim wrote:
> On Tue, 2006-02-14 at 11:28 +0900, Joel Rees wrote:
> > Reason I ask is that, as I understand it, you can't open a port to the
> > LAN while keeping it closed to the world unless you know what ranges
> > of addresses are used on the LAN. Not everyone chooses to use
> > 192.168.0.nnn for their LANs, you know.
> 
> It's doable, in a few ways.  Here's two that I can think of off the top
> of my head:
> 
> Ask the user which interfaces are LAN and WAN, then apply the rules to
> the interface, regardless of what address is used by them.

Since most machines used as workstations only have one interface, would
it be more appropriate to think about the router?

Maybe have a short script that queries the person doing the install as
to whether to open the printer port to the local network and whether to
open it beyond the local network, then set the firewall ...

... of course, you'd want to put a warning in about any zombies present
on the LAN more or less undoing the effect, but that's basically the
risk you always have to take with sharing ...

Uhm, what was the question again? Since the firewall on the router is
usually the one responsible for keeping shared LAN-side resources off
the WAN, am I talking about something you are not, perchance? If so, I
beg your pardon.

> Automatically examine the machine's own IP and netmask, define a rule
> based on them.
> 
> Apply broad rules for the main LAN IP ranges, hoping they apply.  It's a
> fair bet that the common private IP ranges won't be used over the
> internet, though some ISPs do that.
> 
> -- 
> Don't send private replies to my address, the mailbox is ignored.
> I read messages from the public lists.
> 

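As an added example (not part of the thread), here is a POSIX shell script that combines the two approaches Tim lists: it derives the LAN network from the machine's own IP and netmask and prints iptables rules that accept the printer port only from that subnet on the LAN interface, dropping it from everywhere else. The interface name eth0 and the port 631 (CUPS) are assumed values, not from the post.

```shell
#!/bin/sh
# Added example: derive the LAN subnet from an interface's own address and
# netmask, then print (not run) iptables rules that accept a TCP port only
# from that subnet via that interface and drop it from everywhere else.
# Assumed values: eth0 as the LAN interface, 631 as the printer (CUPS) port.

ip_to_int() {                      # 10.1.2.3 -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                      # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_to_prefix() {                 # 255.255.240.0 -> 20; fails on a bad mask
    m=$(ip_to_int "$1")
    # A valid mask is a run of 1s followed by 0s: adding its lowest set bit
    # must carry out of 32 bits. This also rejects 0.0.0.0, which would mean
    # "the whole internet" rather than a LAN.
    [ $(( m + (m & -m) )) -eq 4294967296 ] || { echo "bad netmask: $1" >&2; return 1; }
    bits=0
    while [ "$m" -ne 0 ]; do bits=$(( bits + (m & 1) )); m=$(( m >> 1 )); done
    echo "$bits"
}

lan_cidr() {                       # <ip> <netmask> -> network/prefix
    prefix=$(mask_to_prefix "$2") || return 1
    echo "$(int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") )))/$prefix"
}

lan_only_rules() {                 # <ip> <netmask> <iface> <tcp port>
    cidr=$(lan_cidr "$1" "$2") || return 1
    # Match on both the interface and the source subnet, so a packet carrying
    # a forged private source address that arrives on another interface is dropped.
    printf 'iptables -A INPUT -i %s -s %s -p tcp --dport %s -j ACCEPT\n' "$3" "$cidr" "$4"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$4"
}

# Demo with constructed values (pipe the output to sh as root to apply):
lan_only_rules 10.7.3.20 255.255.255.0 eth0 631
```

The rules are printed rather than applied so they can be reviewed first; on a single-interface workstation the interface match adds nothing, and the subnet match does the real work.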