system-config-securitylevel (partially) useless?

Sjoerd Mullender sjoerd at acm.org
Tue Jun 12 20:37:57 UTC 2007


On 06/12/2007 12:33 AM, David Timms wrote:
> Sjoerd Mullender wrote:
>> I just discovered the checkmark with file selector "Use the custom rules
>> file" in the Advanced Options tab of system-config-securitylevel (System
>> -> Administration -> Firewall and SELinux).  Is it me or is it totally
>> useless?
>>
>> The blurb says that you can add additional rules to be added after the
>> defaults.  So the rules that you add are added after the rule
>>
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>> which means that your extra rules are never actually used.  All input
>> packets have already been directed to the REJECT rule by the time the
>> extra rules are seen.
>>
>> Or am I missing something here?
>>
>> If it's not me but the program, I'll bugzilla this.
>>
>> This is in Fedora7 and system-config-securitylevel-1.7.0-1.fc7.
> So maybe you can iptables --list before and after you try it out, and
> tell us where the rule gets inserted?
> 
> If it works correctly you could file a bug for the help text, if not
> file a bug about it not working and why.
> 
> DaveT.
> 

Before:
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited
#

Then I checked the box and selected the file.  Result afterward:

# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     0    --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     0    --  192.168.244.0/24     anywhere
#


Note that the reject rule is before the new entry (I added a file with a
single line
-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT
)

It may be clearer to look at the generated file /etc/sysconfig/iptables:

# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT
COMMIT

-- 
Sjoerd Mullender
