[CentOS] Sendmail, localloop, and iptables -- should I be more paranoid?

Robert Moskowitz rgm at htt-consult.com
Mon Nov 22 11:06:58 EST 2010


On 11/22/2010 10:43 AM, Les Mikesell wrote:
> On 11/22/2010 9:11 AM, Robert Moskowitz wrote:
>    
>> By default, sendmail only listens on the localloop:
>>
>> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>
>> But by default to allow sendmail to even work the iptables entry is:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>> ACCEPT
>>
>> Without this, sendmail can't even connect to localloop.  But should I
>> handedit this line to something like:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
>> --dport 25 -j ACCEPT
>>
>> And once you handedit iptables, you can't use the gnome firewall applet,
>> I suspect...
>>      
> Every security decision has its own tradeoffs, so first you need to
> consider what you are trying to protect against.  If you don't have a
> program listening on a port, it doesn't matter whether it is explicitly
> firewalled or not.  A program needs root access to listen on ports below
> 1024 - and anyone with root access can change the iptables settings too...

Ah, there is the combination I missed.  I was concerned about sendmail 
doing what I thought it was suppose to do:  only listen on loopback.  If 
something could change that behaviour, it could also change any iptables 
settings.

I have 25 blocked on the firewall anyway.  But just looking at the i(s) 
and t(s). (while trying not to stuff more angels on the pinhead or some 
such metaphor).




More information about the CentOS mailing list