
Re: FC5 iptables issue



On Thu, 2006-03-23 at 20:36 +0800, John Summerfield wrote:
> Scot L. Harris wrote:
> > A while back I noted some unexpected entries being allowed through
> > iptables in FC4 on a clean install.  I filed a bug report on this
> > #181397.
> > 
> > It appears that FC5 still has similar issues.
> > 
> > 3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> > 4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> > 5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
> > 6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
> > 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
> > 
> > 
> > I don't see any reason that I want to allow UDP traffic to port 5353.
> > And I don't believe I want to allow traffic to port 631, no reason for
> > anyone to be accessing the cups configuration from the network.
> > 
> > This was a clean install of FC5. 
> > 
> > 
> I think I've answered this before, and I don't think you will win this one.
> 

I raised the issue a while back on FC4.  Was hoping this would be
resolved when FC5 came out.

> UDP 5353 is used by Apples to discover services. Read up on zeroconf. If 
> you are not running software to listen to port 5353, there is no great 
> advantage to you in blocking it with your firewall. OTOH a user who does 
> have something there almost certainly wants the port open.
> 

So when a user sets up a service on that port let them open that port at
that time.  Don't just open up the port because a few people might use
something there.  If that was a good practice then virtually all ports
should be opened up except what the user closes.  That is not a best
practice.

> In a similar vein, cups servers can communicate with each other by UDP 
> broadcasts to port 631. It's how my laptop automatically discovers 
> printers at home, and different printers at work. If you're printing on 
> a network, you probably want it open.
> 
> TCP port 631 is different, and unless something's changed recently, 
> there's nothing listening to any external interface on port 631. 
> Firewall rules will make absolutely no difference.
> 

udp        0      0 0.0.0.0:631                 0.0.0.0:*



I understand the issues from the last discussion.  I still feel that by
default all ports should be blocked except what the user indicates they
want to allow through.  I understand that if there is not a service
listening on the ports that are open the risk is minimized.  However,
leaving such ports open IMHO invites a hacker to use those default ports
to access malicious code that is introduced via another path.  Such a
package would not rouse any suspicion since the port is allowed through.
If it was blocked by default then nothing could use it.  Of course any
malicious code could and probably would initiate its own connection to
the outside but then you have to embed in the code the address or
addresses it is to connect to.  Having a default open port that you can
attach to is much simpler and can be used from any address. 
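The check the thread keeps circling (which ACCEPT rules admit a port that nothing is actually listening on) can be scripted. The script below is an added example, not something posted in this thread or shipped by Fedora: it parses constructed samples modelled on the `iptables -L -n` and `netstat -lnut` output quoted above (the sample text is made up for the example, not copied from anyone's machine), reports accepted ports with no listener, and prints the commands for a default-deny INPUT chain that admits only the ports you name. Function and variable names are the example's own.

```shell
#!/bin/sh
# Constructed sample of `iptables -L RH-Firewall-1-INPUT -n --line-numbers`
# output, shaped like the FC5 default rules discussed in the thread.
IPTABLES_SAMPLE='Chain RH-Firewall-1-INPUT (1 references)
num  target     prot opt source               destination
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631'

# Constructed sample of `netstat -lnut` output: sshd on tcp/22 and cupsd
# bound to udp/631 (as in the reply above), but nothing on tcp/631 or udp/5353.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
udp        0      0 0.0.0.0:631                 0.0.0.0:*'

# Print "proto port" for every ACCEPT rule that names a destination port.
# Rules without a dpt: (esp, ah) are not port based and are skipped.
accepted_ports() {
    printf '%s\n' "$1" | awk '$2 == "ACCEPT" {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $3, $i }
    }'
}

# Print "proto port" for every listening socket; tcp6/udp6 are folded
# into tcp/udp so the two lists can be compared line for line.
listening_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)6?$/ {
        n = split($4, a, ":"); print substr($1, 1, 3), a[n]
    }'
}

# Accepted ports with no listener: open in the firewall for no current reason.
unused_accepts() {
    listening=$(listening_ports "$2")
    accepted_ports "$1" | while read -r proto port; do
        if ! printf '%s\n' "$listening" | grep -qx "$proto $port"; then
            printf '%s %s\n' "$proto" "$port"
        fi
    done
}

# Print (do not run) the iptables commands for a default-deny INPUT chain
# that admits loopback, replies to our own connections, and only the
# "proto/port" arguments given, e.g. default_deny_rules udp/631 tcp/22.
default_deny_rules() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for spec in "$@"; do
        proto=${spec%/*}
        port=${spec#*/}
        printf 'iptables -A INPUT -p %s --dport %s -j ACCEPT\n' "$proto" "$port"
    done
}

echo "Accepted ports with nothing listening:"
unused_accepts "$IPTABLES_SAMPLE" "$NETSTAT_SAMPLE"
echo
echo "Default-deny ruleset admitting only what is actually in use:"
default_deny_rules udp/631 tcp/22
```

On a real box, replace the two sample strings with `iptables -L RH-Firewall-1-INPUT -n --line-numbers` and `netstat -lnut` (both as root); the script only reads text and prints commands, so it can be run first and the printed rules applied once you agree with them.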

