Hello CentOS,
I'm curious... there seems to be a couple of default firewall rules that I'm not familiar with in the CentOS 4.0
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Particularly, the 5353 udp allowing from 224.0.0.251 and the 631 udp. Anyone know what these are for, and if they should be disabled?
On Sun, 2005-04-10 at 20:24 -0700, Mickael Maddison wrote: {snip}
I'm curious... there seems to be a couple of default firewall rules that I'm not familiar with in the CentOS 4.0
These are also present in RHEL-4 and FC-3 from RedHat :)
{snip}
Particularly, the 5353 udp allowing from 224.0.0.251 and the 631 udp. Anyone know what these are for, and if they should be disabled?
The 5353 udp is multicast DNS (or mDNS for short) ... here are a couple links: http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt http://www.multicastdns.org/
The 631 udp port is for "Internet Printing Protocol". It is how cupsd sees external printers. Here are some details:
http://mirror.centos.org/centos/4/docs/html/rhel-sag-en-4/s1-printing-sharin...
-------------------------------------------
Also ... specifically from the RHEL-4 release notes:
"system-config-securitylevel
The firewall constructed by the system-config-securitylevel configuration tool now allows CUPS and Multicast DNS (mDNS) browsing. Note that, at the present time, these services cannot be disabled by system-config-securitylevel."
-------------------------------------------
SO ... if the box needs to do either mDNS or CUPS printer browsing, you need them enabled. If not, you can remove them.
Thanks, Johnny Hughes
Johnny Hughes wrote:
SO ... if the box needs to do either mDNS or CUPS printer browsing, you need them enabled. If not, you can remove them.
And system-config-securitylevel is going to add them again next time it is run. IMO, the best is to remove system-config-securitylevel and do firewall configuration manually. The stuff that system-config-securitylevel is writing into /etc/sysconfig/iptables isn't exactly tight anyhow. It treats INPUT and FORWARD about the same, no per-interface control, no source address control (do you really want to enable ssh access from the Internet?), weak control of ICMP (why allow non-related ICMP messages?), no TCP flags checks, allows RELATED stuff without further checks... just to name a few things that are a must in any half-decent Linux/Netfilter based firewall configuration...
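As an added example (not code from the thread, the tool, or CentOS), the two helpers below work on the iptables-save format that CentOS 4 keeps in /etc/sysconfig/iptables. The first does what Johnny's reply suggests: it drops only the mDNS and CUPS browsing rules from the posted ruleset (copied in as sample input). The second emits a ruleset that addresses the points Aleksandar raises: separate INPUT/FORWARD policies, matches bound to an interface, ssh limited to a source network, ICMP cut down to rate-limited echo plus RELATED errors, TCP flag sanity checks, and RELATED accepted only for ICMP and high-port TCP. The interface name eth0, the admin network 192.0.2.0/24, the port list, and the assumption that ip_conntrack_ftp is the only helper that produces RELATED TCP are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the iptables-save format
# that CentOS 4 stores in /etc/sysconfig/iptables. Interface (eth0), admin
# network (192.0.2.0/24) and service ports are placeholders for this example.

# The ruleset posted at the top of the thread, embedded here as sample input.
sample_scsl_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# 1. Remove only the mDNS (udp/5353 to 224.0.0.251) and CUPS/IPP (udp/631)
#    browsing rules; every other line passes through unchanged.
#    Usage: strip_browse_rules < /etc/sysconfig/iptables > iptables.new
strip_browse_rules() {
    grep -v -e '--dport 5353 .*-d 224\.0\.0\.251' -e '--dport 631 '
}

# 2. Emit a stricter ruleset for iptables-restore. $1 = untrusted interface,
#    $2 = network allowed to reach ssh, remaining args = public tcp ports.
#    FORWARD is simply dropped (this is a host, not a router). RELATED is
#    accepted only for ICMP errors and for high-port TCP, which assumes the
#    only TCP helper in use is ip_conntrack_ftp (passive-mode data channel).
#    Usage: gen_tight_rules eth0 192.0.2.0/24 80 25 > /etc/sysconfig/iptables
gen_tight_rules() {
    wan=$1 admin=$2
    shift 2
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP' \
        '-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP' \
        '-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP' \
        '-A INPUT -p tcp ! --syn -m state --state NEW -j DROP' \
        '-A INPUT -m state --state ESTABLISHED -j ACCEPT' \
        '-A INPUT -p icmp -m state --state RELATED -j ACCEPT' \
        '-A INPUT -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT' \
        "-A INPUT -i $wan -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT" \
        "-A INPUT -i $wan -s $admin -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A INPUT -i $wan -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}
```

Load the generated file with `iptables-restore < iptables.new` and check it with `iptables -L -n -v` before saving it over /etc/sysconfig/iptables; as the thread notes, running system-config-securitylevel again will overwrite it. The echo-request rule is a deliberate choice to keep ping working from anywhere at a limited rate; drop that line if the box should not answer ping at all.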
I have been using APF (www.rfxnetworks.com/apf.php) for a while and have found it to be a pretty flexible and well-organized way to manage my iptables stuff. Have others used this tool? If so, are they happy with it? Any problems with this tool? Anything folks think is better?
Kennedy
PS -- I know this is one of those subjects where this is "no one right answer", but I figure it would be interesting to get various viewpoints.
On 4/11/05, Aleksandar Milivojevic amilivojevic@pbl.ca wrote:
Johnny Hughes wrote:
SO ... if the box needs to do either mDNS or CUPS printer browsing, you need them enabled. If not, you can remove them.
And system-config-securitylevel is going to add them again next time it is run. IMO, the best is to remove system-config-securitylevel and do firewall configuration manually. The stuff that system-config-securitylevel is writing into /etc/sysconfig/iptables isn't exactly tight anyhow. It treats INPUT and FORWARD about the same, no per-interface control, no source address control (do you really want to enable ssh access from the Internet?), weak control of ICMP (why allow non-related ICMP messages?), no TCP flags checks, allows RELATED stuff without further checks... just to name a few things that are a must in any half-decent Linux/Netfilter based firewall configuration...
--
Aleksandar Milivojevic amilivojevic@pbl.ca
Pollard Banknote Limited, Systems Administrator
1499 Buffalo Place, Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Kennedy Clark wrote:
I have been using APF (www.rfxnetworks.com/apf.php) for a while and have found it to be a pretty flexible and well-organized way to manage my iptables stuff. Have others used this tool? If so, are they happy with it? Any problems with this tool? Anything folks think is better?
I've never used that tool, but I'm planning on upgrading the company firewall to a simple linux box and then I'll run Firewall Builder (http://www.fwbuilder.org/) to manage it from my workstation. We currently have Checkpoint but that's total overkill for us and a pain to manage, fwbuilder looks like it'll do what we need. Anyone else use it?
--Ajay
Yes, although it looked extremely advanced, I was never able to get it to work with CentOS 4 correctly.
I ended up on Shorewall http://www.shorewall.net/ which offers the same level of control, but it was set up, configured and running in an hour.
On Wed, 2005-04-13 at 11:09 -0700, Ajay Sharma wrote:
Kennedy Clark wrote:
I have been using APF (www.rfxnetworks.com/apf.php) for a while and have found it to be a pretty flexible and well-organized way to manage my iptables stuff. Have others used this tool? If so, are they happy with it? Any problems with this tool? Anything folks think is better?
I've never used that tool, but I'm planning on upgrading the company firewall to a simple linux box and then I'll run Firewall Builder (http://www.fwbuilder.org/) to manage it from my workstation. We currently have Checkpoint but that's total overkill for us and a pain to manage, fwbuilder looks like it'll do what we need. Anyone else use it?
--Ajay
Hello Johnny,
Thanks for the great links. Looks like I can safely dump these two.