Why are these ports open in iptables on new FC4 install?

Scot L. Harris webid at cfl.rr.com
Sun Feb 12 14:50:36 UTC 2006

On Sun, 2006-02-12 at 09:29 +0800, John Summerfied wrote:
> Scot L. Harris wrote:
> > Looked through the release notes and did not see anything related to
> > ports 5353, 50, 51, or 631.
> > 
> > Why is port 5353 open by default?  From searching around this appears to
> > have something to do with multi cast DNS which seems to be tied to Apple
> > iTunes.  I don't believe I installed anything that would need access to
> > Apple iTunes.
> Nothing to do with ITunes per se. Google for zeroconf, for apple+bonjour 
> and apple+rendezvous

Zeroconf, have yet to find that useful.  I generally get around to
turning that off in /etc/sysconfig/network. 

> A lot of people are likely to want it, and most of those are not 
> competent to configure it.
> > 
> > I also don't understand why ports 50 and 51 are open.  I don't plan on
> > setting up a VPN at the moment and I don't know why these would be open
> > by default on a new install.
> Seems to me if you are one who's using IP6 it's something you'd want. If 
> there's no IP6 around in your area, I don't see a problem.

So leave these ports open by default?  Seems like those would be ports I
would try to setup a service on if I managed to get into a system then.
Particularly since the majority of people are not using them for
anything.  I don't have to mess with iptables which means it is harder
for the admin to detect that I am on the system.

> > 
> > I'm also wondering about port 631 being open by default.  I know this is
> > used for ipp printing but I have not setup this machine to provide print
> > services yet.
> If you want to print _from_ it I suspect you'll want it. Printing works 
> better on my Linux boxes than from my OS X and Windows. Printers come 
> and go (as seen from my laptop) depending on which LAN it's on.
> If you are not running CUPS, then nobody going to sucessfully send you 
> UDP packets tp port 631.

I just checked and with port 631 blocked I can still access the cups
configuration via the web browser http://localhost:631.  

Why again is this open to the world?  Why do I want someone external to
the box to be able to configure printers?

> > 
> > Is there a bugzilla entry on closing these?  Or is there a reason these
> > ports are left open?  
> Open ports are perfectly secure if there's nothing listening.
> > 
> ps
> You didn't say what your security setting is.

Which security setting?  Firewall is enabled, selinux is enabled.
Looking directly at iptables from a clean install there are ports open
which IMHO should be closed by default.  If the user installs a service
that uses these ports they should be notified that the firewall is being
adjusted.  This is similar to the changes NTP inserted into iptables a
while back.  There was no need for NTP to carve holes automagically in
the firewall.  I see that issue was resolved.

And if you have nothing listening on those ports why have them open?
Agreed, nothing can happen if there is no service on them.  So why not
open up all the other ports on the system that nothing is listening on?
It is bad practice.  Better to lock it all down then only open those
things the user is using.  At least then the user knows the potential
vectors for someone to gain access on the off chance that some process
starts up that uses that port.  And if a hacker some how gets code to
execute on the system having such ports open by default allows them to
use those openings for their own back doors.  "I don't know how the
hacker keeps getting back in.  My iptables has all the default

More information about the users mailing list