Hello CentOS,

I'm curious... there seems to be a couple of default firewall rules that
I'm not familiar with in the CentOS 4.0

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Particularly, the 5353 udp allowing from 224.0.0.251 and the 631 udp.
Anyone know what these are for, and if they should be disabled?

--
Best regards,
Mickael
mailto:mike at kamloopsbc.com
On Sun, 2005-04-10 at 20:24 -0700, Mickael Maddison wrote:
{snip}
> I'm curious... there seems to be a couple of default firewall rules
> that I'm not familiar with in the CentOS 4.0
These are also present in RHEL-4 and FC-3 from RedHat :)
{snip}
> Particularly, the 5353 udp allowing from 224.0.0.251 and the 631 udp.
> Anyone know what these are for, and if they should be disabled?
The 5353 udp is multicast DNS (or mDNS for short) ... here are a couple
links:
http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt
http://www.multicastdns.org/
The 631 udp port is for "Internet Printing Protocol". It is how cupsd
sees external printers. Here are some details:
http://mirror.centos.org/centos/4/docs/html/rhel-sag-en-4/s1-printing-sharing.html
-------------------------------------------
Also ... specifically from the RHEL-4 release notes:
"system-config-securitylevel
The firewall constructed by the system-config-securitylevel
configuration tool now allows CUPS and Multicast DNS (mDNS) browsing.
Note that, at the present time, these services cannot be disabled by
system-config-securitylevel."
-------------------------------------------
SO ... if the box needs to do either mDNS or CUPS printer browsing, you
need them enabled. If not, you can remove them.
Thanks,
Johnny Hughes
Johnny Hughes wrote:
> SO ... if the box needs to do either mDNS or CUPS printer browsing, you
> need them enabled. If not, you can remove them.

And system-config-securitylevel is going to add them again next time it
is run. IMO, the best is to remove system-config-securitylevel and do
firewall configuration manually.

The stuff that system-config-securitylevel is writing into
/etc/sysconfig/iptables isn't exactly tight anyhow. It treats INPUT and
FORWARD about the same, no per-interface control, no source address
control (do you really want to enable ssh access from Internet?), weak
control of ICMP (why allow non-related ICMP messages?), no TCP flags
checks, allows RELATED stuff without further checks... just to name a
few things that are a must in any half-decent Linux/Netfilter based
firewall configuration...

--
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                             1499 Buffalo Place
Tel: (204) 474-2323 ext 276                       Winnipeg, MB  R3T 1L7
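The following is an added example, not code from anyone in this thread: a small audit script that parses the iptables-save style file from the first post and flags the weaknesses Aleksandar lists (FORWARD sharing INPUT's chain, ACCEPT rules with no interface or source restriction, ICMP accepted with type "any", RELATED accepted with no further match) plus the two mDNS/IPP browsing rules the thread is about. The ruleset embedded below is a constructed copy of the one quoted above; the finding names and the `audit`/`summarize` functions are this example's own.

```python
"""Audit an /etc/sysconfig/iptables (iptables-save format) ruleset for the
loose defaults discussed in the thread. Added example; not part of the thread."""
import shlex

# Constructed copy of the CentOS 4.0 default ruleset quoted in the first post.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The two service-browsing ports the thread asks about.
BROWSING_PORTS = {"5353": "mDNS", "631": "IPP/CUPS"}


def parse_rules(text):
    """Parse '-A <chain> <options>' lines into dicts of option -> [values]."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # comments, chain policies and COMMIT carry no match logic
        toks = shlex.split(line)
        opts = {}
        i = 2
        while i < len(toks):
            flag = toks[i]
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts.setdefault(flag, []).append(toks[i + 1])
                i += 2
            else:
                opts.setdefault(flag, []).append(True)  # bare flag, no value
                i += 1
        rules.append({"chain": toks[1], "opts": opts, "raw": line})
    return rules


def audit(text):
    """Return a list of (finding, detail) tuples for the given ruleset."""
    rules = parse_rules(text)
    findings = []

    # INPUT and FORWARD jumping to the same chain means forwarded traffic is
    # filtered exactly like traffic addressed to the host itself.
    targets = {}
    for r in rules:
        for t in r["opts"].get("-j", []):
            targets.setdefault(r["chain"], set()).add(t)
    for chain in sorted(targets.get("INPUT", set()) & targets.get("FORWARD", set())):
        findings.append(("forward_shares_input_chain", chain))

    for r in rules:
        o = r["opts"]
        if "ACCEPT" not in o.get("-j", []):
            continue
        # No -i or -s: the rule accepts from any interface and any source.
        if "-i" not in o and "-s" not in o:
            findings.append(("no_iface_or_source", r["raw"]))
        # ICMP of every type, not just the error/echo types a host needs.
        if "any" in o.get("--icmp-type", []):
            findings.append(("icmp_any", r["raw"]))
        # RELATED accepted with nothing but the state match to qualify it.
        states = ",".join(o.get("--state", [])).split(",")
        if "RELATED" in states and set(o) <= {"-m", "--state", "-j"}:
            findings.append(("related_unchecked", r["raw"]))
        # The mDNS / IPP browsing rules system-config-securitylevel inserts.
        for port in o.get("--dport", []):
            if port in BROWSING_PORTS:
                findings.append(("service_browsing", f"{BROWSING_PORTS[port]} udp/{port}"))
    return findings


def summarize(text):
    """Count findings per category; handy for a quick pass/fail in a check script."""
    counts = {}
    for name, _ in audit(text):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, detail in audit(SAMPLE_RULES):
        print(f"{name:28} {detail}")
    print(summarize(SAMPLE_RULES))
```

Run against the quoted default it reports ten ACCEPT rules with no interface or source restriction (everything except the loopback rule), the catch-all ICMP rule, the bare ESTABLISHED,RELATED rule, the shared INPUT/FORWARD chain, and the two browsing ports; pointing the script at a hand-written ruleset instead of the generated one shows which of these it actually closes.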
Hello Johnny,
Thanks for the great links. Looks like I can safely dump these two.
--
Best regards,
Mickael
mailto:mike at kamloopsbc.com
Monday, April 11, 2005, 3:22:49 AM, you wrote:
JH> On Sun, 2005-04-10 at 20:24 -0700, Mickael Maddison wrote:
JH> {snip}
>> I'm curious... there seems to be a couple of default firewall rules
>> that I'm not familiar with in the CentOS 4.0
JH> These are also present in RHEL-4 and FC-3 from RedHat :)
JH> {snip}
>> Particularly, the 5353 udp allowing from 224.0.0.251 and the 631 udp.
>> Anyone know what these are for, and if they should be disabled?
JH> The 5353 udp is multicast DNS (or mDNS for short) ... here are a couple
JH> links:
JH> http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt
JH> http://www.multicastdns.org/
JH> The 631 udp port is for "Internet Printing Protocol". It is how cupsd
JH> sees external printers. Here are some details:
JH> http://mirror.centos.org/centos/4/docs/html/rhel-sag-en-4/s1-printing-sharing.html
JH> -------------------------------------------
JH> Also ... specifically from the RHEL-4 release notes:
JH> "system-config-securitylevel
JH> The firewall constructed by the system-config-securitylevel
JH> configuration tool now allows CUPS and Multicast DNS (mDNS) browsing.
JH> Note that, at the present time, these services cannot be disabled by
JH> system-config-securitylevel."
JH> -------------------------------------------
JH> SO ... if the box needs to do either mDNS or CUPS printer browsing, you
JH> need them enabled. If not, you can remove them.
JH> Thanks,
JH> Johnny Hughes