Robert Moskowitz
2010-Nov-22 15:11 UTC
[CentOS] Sendmail, localloop, and iptables -- should I be more paranoid?
By default, sendmail only listens on the localloop:

  DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

But by default, to allow sendmail to even work, the iptables entry is:

  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT

Without this, sendmail can't even connect to localloop. But should I hand-edit this line to something like:

  -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT

And once you hand-edit iptables, you can't use the gnome firewall applet, I suspect...
Les Mikesell
2010-Nov-22 15:43 UTC
[CentOS] Sendmail, localloop, and iptables -- should I be more paranoid?
On 11/22/2010 9:11 AM, Robert Moskowitz wrote:
> By default, sendmail only listens on the localloop:
>
>   DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>
> But by default to allow sendmail to even work the iptables entry is:
>
>   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
>
> Without this, sendmail can't even connect to localloop. But should I
> handedit this line to something like:
>
>   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT
>
> And once you handedit iptables, you can't use the gnome firewall applet,
> I suspect...

Every security decision has its own tradeoffs, so first you need to consider what you are trying to protect against. If you don't have a program listening on a port, it doesn't matter whether it is explicitly firewalled or not. A program needs root access to listen on ports below 1024 - and anyone with root access can change the iptables settings too...

--
Les Mikesell
lesmikesell at gmail.com
Alexander Dalloz
2010-Nov-22 22:52 UTC
[CentOS] Sendmail, localloop, and iptables -- should I be more paranoid?
On 22.11.2010 16:11, Robert Moskowitz wrote:
> By default, sendmail only listens on the localloop:
>
>   DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>
> But by default to allow sendmail to even work the iptables entry is:
>
>   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
>
> Without this, sendmail can't even connect to localloop.

No, that is not correct. You are missing the following rule

  -A RH-Firewall-1-INPUT -i lo -j ACCEPT

in the default /etc/sysconfig/iptables config file. So there is no problem where you see one.

> But should I
> handedit this line to something like:
>
>   -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1 --dport 25 -j ACCEPT
>
> And once you handedit iptables, you can't use the gnome firewall applet,
> I suspect...

Alexander
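To make the point of the thread concrete, here is an added example (not code from the thread or from CentOS) that walks a NEW SMTP connection through a first-match evaluation of the RH-Firewall-1-INPUT chain. The rule set is a constructed, trimmed version of the CentOS-era /etc/sysconfig/iptables containing only the lines the thread mentions (the `-i lo` accept, the ESTABLISHED,RELATED accept, the port 22 and port 25 accepts, and the final REJECT); the host address 192.0.2.10 and the three rule variants are assumptions for illustration. The matcher understands only the options that appear on the page (`-i`, `-p`, `-d`, `--dport`, `-m state --state`, `-j`) and is not a general iptables emulator.

```python
"""First-match simulation of the RH-Firewall-1-INPUT chain for SMTP.

Constructed example for this thread, not CentOS's own code. It shows why
a loopback connection to port 25 is accepted by the '-i lo' rule before
the '--dport 25' rule is ever consulted, and what the proposed
'-d 127.0.0.1' variant changes for traffic arriving on eth0.
"""
import ipaddress
import shlex

CHAIN = "RH-Firewall-1-INPUT"

# Constructed, trimmed rule set modelled on the CentOS default (only the
# lines relevant to the discussion are kept, in their original order).
DEFAULT_RULES = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Same chain with the port 25 rule simply deleted.
WITHOUT_SMTP_RULE = DEFAULT_RULES.replace(
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT\n", "")

# Same chain with the hand-edited rule proposed in the first post.
PROPOSED_RULE = DEFAULT_RULES.replace(
    "-p tcp --dport 25", "-p tcp -d 127.0.0.1 --dport 25")

# Options that take one argument and act as a packet criterion (or target).
_OPTS = {"-i", "-p", "-d", "--dport", "--state", "-j", "--reject-with"}


def parse_rules(text, chain=CHAIN):
    """Parse '-A <chain> ...' lines into a list of {option: value} dicts."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[:2] != ["-A", chain]:
            continue
        rule, i = {}, 2
        while i < len(argv):
            opt = argv[i]
            if opt in _OPTS:
                rule[opt] = argv[i + 1]
            elif opt != "-m":  # '-m <module>' loads a match; no criterion by itself
                raise ValueError(f"unsupported option {opt!r} in toy matcher")
            i += 2
        rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """True if every criterion present in the rule is satisfied by pkt."""
    if "-i" in rule and pkt["iface"] != rule["-i"]:
        return False
    if "-p" in rule and pkt["proto"] != rule["-p"]:
        return False
    if "-d" in rule:
        net = ipaddress.ip_network(rule["-d"], strict=False)  # bare host -> /32
        if ipaddress.ip_address(pkt["dst"]) not in net:
            return False
    if "--dport" in rule and pkt.get("dport") != int(rule["--dport"]):
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def verdict(rules, pkt, fallthrough="ACCEPT"):
    """The first matching rule's target decides; otherwise fall through."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["-j"]
    return fallthrough


def smtp_verdicts(rules_text):
    """Verdicts for a NEW SMTP connection arriving on lo and on eth0."""
    rules = parse_rules(rules_text)
    on_loopback = {"iface": "lo", "proto": "tcp", "dst": "127.0.0.1",
                   "dport": 25, "state": "NEW"}
    # Assumed host address on the external interface (documentation range).
    from_outside = {"iface": "eth0", "proto": "tcp", "dst": "192.0.2.10",
                    "dport": 25, "state": "NEW"}
    return verdict(rules, on_loopback), verdict(rules, from_outside)


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_RULES),
                       ("port 25 rule removed", WITHOUT_SMTP_RULE),
                       ("proposed -d 127.0.0.1", PROPOSED_RULE)):
        lo, eth0 = smtp_verdicts(text)
        print(f"{name:24s} lo -> {lo:7s} eth0 -> {eth0}")
```

In all three variants the loopback connection is accepted by the first rule, which is the rule Alexander points at; the `--dport 25` rule only decides what happens to connections arriving on eth0, so deleting it or pinning it to `-d 127.0.0.1` both end in the chain's REJECT for outside traffic. One caveat the toy matcher does not model: Linux treats a packet for 127.0.0.0/8 that arrives on a non-loopback interface as a martian and discards it in routing (unless `route_localnet` is enabled on that interface), so the `-d 127.0.0.1` form adds no reachability that the `-i lo` rule did not already grant.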