Question(s) default firewall in Fedora
Robert Locke
lists at ralii.com
Thu Apr 23 14:19:51 UTC 2009
On Thu, 2009-04-23 at 12:13 +0930, Tim wrote:
> On Tue, 2009-04-21 at 19:17 -0700, Antonio Olivares wrote:
<snip>
> > [root at localhost ~]# service iptables status
> > Table: filter
> > Chain INPUT (policy ACCEPT)
> > num  target  prot  opt  source     destination
> > 1    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0    state RELATED,ESTABLISHED
> > 2    ACCEPT  icmp  --   0.0.0.0/0  0.0.0.0/0
> > 3    ACCEPT  all   --   0.0.0.0/0  0.0.0.0/0
> > 4    ACCEPT  tcp   --   0.0.0.0/0  0.0.0.0/0    state NEW tcp dpt:22
> > 5    REJECT  all   --   0.0.0.0/0  0.0.0.0/0    reject-with icmp-host-prohibited
<snip>
> The third rule allows all traffic, no matter what. Which contradicts
> the first rule. Something's been badly set up, here.
<snip>
Hi Tim,
I just wanted to clarify that third rule for you. Nothing has been
"badly set up". The real problem is that "service iptables status" does
not tell you the "whole" story, it's equivalent to "iptables -L".
Instead, the OP should use the command "iptables -vL". The -v switches the
output to verbose and will display a pair of additional columns, the
incoming and outgoing interface. I assume (admittedly I could be bitten
on this), since the above seems rather "default", that the missing
columns will show that the incoming interface is set to "lo" or
loopback on that third rule. So the third rule is allowing all inbound
traffic from other "local processes", not "remote". It is one of
the default rules when one first enables the firewall using the
system-config tools.
HTH,
--Rob
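As an added example (not part of Rob's post or of the thread), the check he describes can be automated: parse the INPUT chain listing, and for every "ACCEPT all from 0.0.0.0/0" rule with no state or port qualifier, look at the "in" column that only `iptables -vnL` shows. The two listings below are constructed samples in the shape of `iptables -vnL INPUT` and of `service iptables status` (which adds a `num` column and omits the interfaces); the packet and byte counters are made up. The script reports the loopback-bound rule as harmless, and on the terse listing reports that the interface is unknown rather than guessing.

```python
"""Classify wide-open ACCEPT rules in an iptables INPUT chain listing.

Constructed example: the listings are hand-written to match the default
Fedora firewall discussed in the thread, not captured from a real host.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the format of `iptables -vnL INPUT` (counters invented).
VERBOSE_SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 56789 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    5   420 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   42  3360 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    3   180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
   10   600 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""

# Constructed sample in the format of `service iptables status` / `iptables -nL --line-numbers`:
# a `num` column, and no in/out columns, so rule 3 looks like "ACCEPT everything".
TERSE_SAMPLE = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
"""


@dataclass
class Rule:
    num: int
    target: str
    prot: str
    in_if: Optional[str]  # None when the listing had no in/out columns
    source: str
    extra: str            # match text after the destination column (state, dpt, ...)


def parse_input_chain(listing: str) -> List[Rule]:
    """Parse one chain listing; tolerates the optional leading `num` column."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    header = lines[1].split()
    has_num = header[0] == "num"
    verbose = "in" in header and "out" in header
    rules = []
    for num, line in enumerate(lines[2:], start=1):
        fields = line.split()
        if has_num:
            fields = fields[1:]
        if verbose:
            # pkts bytes target prot opt in out source destination [extra...]
            target, prot, in_if, source = fields[2], fields[3], fields[5], fields[7]
            extra = " ".join(fields[9:])
        else:
            # target prot opt source destination [extra...]
            target, prot, in_if, source = fields[0], fields[1], None, fields[3]
            extra = " ".join(fields[5:])
        rules.append(Rule(num, target, prot, in_if, source, extra))
    return rules


def audit(listing: str) -> List[Tuple[int, str]]:
    """Return (rule number, verdict) for each unqualified ACCEPT-all rule.

    Verdicts: "loopback" (bound to lo, harmless), "open" (any interface),
    "iface:<name>" (bound to some other interface), or "unknown" when the
    listing was not verbose and the interface cannot be determined.
    """
    findings = []
    for r in parse_input_chain(listing):
        if r.target != "ACCEPT" or r.prot != "all" or r.source != "0.0.0.0/0" or r.extra:
            continue  # qualified by state/port, or not an accept-everything rule
        if r.in_if is None:
            verdict = "unknown"
        elif r.in_if == "*":
            verdict = "open"
        elif r.in_if == "lo":
            verdict = "loopback"
        else:
            verdict = f"iface:{r.in_if}"
        findings.append((r.num, verdict))
    return findings


if __name__ == "__main__":
    for name, sample in (("iptables -vnL", VERBOSE_SAMPLE), ("service iptables status", TERSE_SAMPLE)):
        for num, verdict in audit(sample):
            print(f"{name}: rule {num} -> {verdict}")
```

The point of the "unknown" verdict is the one made in the reply: without the interface columns, a listing cannot distinguish a loopback rule from a rule that accepts all traffic on every interface, so the audit refuses to guess until the verbose listing is supplied.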
More information about the fedora-list
mailing list