system-config-securitylevel (partially) useless?
Sjoerd Mullender
sjoerd at acm.org
Tue Jun 12 20:37:57 UTC 2007
On 06/12/2007 12:33 AM, David Timms wrote:
> Sjoerd Mullender wrote:
>> I just discovered the checkmark with file selector "Use the custom rules
>> file" in the Advanced Options tab of system-config-securitylevel (System
>> -> Administration -> Firewall and SELinux). Is it me or is it totally
>> useless?
>>
>> The blurb says that you can add additional rules to be added after the
>> defaults. So the rules that you add are added after the rule
>>
>> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>>
>> which means that your extra rules are never actually used. All input
>> packets have already been directed to the REJECT rule by the time the
>> extra rules are seen.
>>
>> Or am I missing something here?
>>
>> If it's not me but the program, I'll bugzilla this.
>>
>> This is in Fedora7 and system-config-securitylevel-1.7.0-1.fc7.
> So maybe you can iptables --list before and after you try it out, and
> tell us where the rule gets inserted?
>
> If it works correctly you could file a bug for the help text, if not
> file a bug about it not working and why.
>
> DaveT.
>
Before:

# iptables --list
Chain INPUT (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
REJECT               0    --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target               prot opt source               destination
ACCEPT               0    --  anywhere             anywhere
ACCEPT               icmp --  anywhere             anywhere            icmp any
ACCEPT               esp  --  anywhere             anywhere
ACCEPT               ah   --  anywhere             anywhere
ACCEPT               udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT               udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT               tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT               0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT               tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT               0    --  anywhere             anywhere            reject-with icmp-host-prohibited
#
Then I checked the box and selected the file. Result afterward:
# iptables --list
Chain INPUT (policy ACCEPT)
target               prot opt source               destination
RH-Firewall-1-INPUT  0    --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target               prot opt source               destination
REJECT               0    --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target               prot opt source               destination

Chain RH-Firewall-1-INPUT (1 references)
target               prot opt source               destination
ACCEPT               0    --  anywhere             anywhere
ACCEPT               icmp --  anywhere             anywhere            icmp any
ACCEPT               esp  --  anywhere             anywhere
ACCEPT               ah   --  anywhere             anywhere
ACCEPT               udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT               udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT               tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT               0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT               tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT               0    --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT               0    --  192.168.244.0/24     anywhere
#
Note that the reject rule is before the new entry (I added a file with a
single line
-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT
)
It may be clearer to look at the generated file /etc/sysconfig/iptables:
# cat iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT
COMMIT
--
Sjoerd Mullender
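The ordering problem above (a catch-all REJECT followed by rules that can never match) is easy to check for mechanically before loading a ruleset. The script below is an added example, not code from the post or from system-config-securitylevel: it parses an iptables-save/-restore style file, flags every rule that sits behind an unconditional terminating rule in the same chain, and rewrites the file so those rules are moved in front of the catch-all, which is what the "custom rules file" option should have done. The sample input is the generated /etc/sysconfig/iptables from the post, embedded as a constructed string; the set of target options that do not count as match criteria (only `--reject-with` here) is an assumption of this example and would need extending for other targets.

```python
import shlex

# Constructed sample: the /etc/sysconfig/iptables shown in the post, with the
# custom rule appended *after* the catch-all REJECT, as the tool wrote it.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -s 192.168.244.0/255.255.255.0 -i vmnet8 -j ACCEPT
COMMIT
"""

# Targets that end traversal of the current chain for a matching packet.
# A jump to a user-defined chain is not terminating (the chain may RETURN).
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Assumption: options that belong to the target rather than to packet
# matching.  Only the one used on the page is listed; add others as needed.
TARGET_OPTS = {"--reject-with"}


def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, target, is_unconditional).

    A rule is unconditional when it carries no match options at all, i.e.
    every packet reaching it is handed to the target.
    """
    tokens = shlex.split(line)
    chain = target = None
    has_match = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-A":
            chain = tokens[i + 1]
            i += 2
        elif tok in ("-j", "--jump"):
            target = tokens[i + 1]
            i += 2
        elif tok in TARGET_OPTS:
            i += 2                      # skip the option and its argument
        elif tok.startswith("-"):
            has_match = True            # any other option is a match criterion
            i += 1
        else:
            i += 1                      # argument of a match option, or '!'
    return chain, target, not has_match


def unreachable_rules(text):
    """Return [(line_no, rule)] for rules no packet can ever reach because an
    earlier rule in the same chain matches everything and terminates."""
    closed = set()      # chains already ended by an unconditional terminating rule
    dead = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("-A "):
            continue
        chain, target, unconditional = parse_rule(line)
        if chain in closed:
            dead.append((n, line))
        elif unconditional and target in TERMINATING:
            closed.add(chain)
    return dead


def reorder(text):
    """Rewrite the ruleset so that rules appended after a chain's catch-all
    terminating rule are emitted just before it, preserving their order."""
    dead_by_line = dict(unreachable_rules(text))
    moved = {}                          # chain -> rules to hoist above the catch-all
    for rule in dead_by_line.values():
        moved.setdefault(parse_rule(rule)[0], []).append(rule)
    out, closed = [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        if n in dead_by_line:
            continue                    # re-emitted in front of the catch-all below
        line = raw.strip()
        if line.startswith("-A "):
            chain, target, unconditional = parse_rule(line)
            if chain not in closed and unconditional and target in TERMINATING:
                out.extend(moved.get(chain, []))
                closed.add(chain)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for n, rule in unreachable_rules(text):
        print(f"line {n}: unreachable (shadowed by an earlier catch-all): {rule}")
```

Run it against /etc/sysconfig/iptables to get the shadowed rules listed, or use `reorder()` to produce a corrected file for `iptables-restore`. On a live system the same fact shows up in the counters: `iptables -L RH-Firewall-1-INPUT -v -n` will show the appended ACCEPT with zero packets no matter how much vmnet8 traffic arrives, because the REJECT above it has already consumed everything.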