Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 84269 - redhat-config-securitylevel doesn't configure loopback correctly
Summary: redhat-config-securitylevel doesn't configure loopback correctly
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: gnome-lokkit
Version: 8.0
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-02-13 20:52 UTC by Wes Kaufmann
Modified: 2007-04-18 16:51 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-10-18 16:30:58 UTC


Attachments (Terms of Use)

Description Wes Kaufmann 2003-02-13 20:52:31 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
I used redhat-config-securitylevel to initally setup iptables.  When selecting
to trust the loopback or the eth0 interface each time it permits all from
anywhere. This is a problem since that X (tcp 6000) is than exposed. 

Editing iptables in sysconfig has the same results so this doesn't seem like a
bug just with redhat-config-securitylevel.  Here's sysconfig/iptables and the
results of iptables -L.  If I remove loop back than the permit all anywhere
anywhere goes away.

IP addresses are sanitized

root@redrock sysconfig]# cat iptables
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
#-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.1 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.2 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 10.10.10.1 --sport 123 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT

[root@redrock sysconfig]# /sbin/iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere           udp spt:ntp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
flags:SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  somehost.gov  anywhere           udp spt:domain
ACCEPT     udp  --  somehost.gov   anywhere           udp spt:domain
ACCEPT     udp  --  somehost.gov  anywhere           udp spt:ntp
REJECT     tcp  --  anywhere             anywhere           tcp
flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp reject-with
icmp-port-unreachable


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.edit sysconfig
2. comment out or uncomment lo or eth0
3. test if tcp 6000 is exposed
    

Actual Results:  Connectivity is exposed to 6000 or if lo and eth0 are removed
than no connectivity.

Expected Results:  Entering in lo shoud only permit lo to lo.

Additional info:

Comment 1 Bill Nottingham 2003-02-13 21:16:41 UTC
How are you testing that it is exposed? Simply with iptables -L?

Comment 2 Wes Kaufmann 2003-02-14 02:03:13 UTC
Ran a couple of different scans agains the box.  The easiest was to just telnet 
to port 6000 and sure enough it accepted the connection

Comment 3 Bill Nottingham 2006-08-07 19:06:33 UTC
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux on will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.

Comment 4 Bill Nottingham 2006-10-18 16:30:58 UTC
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.


Note You need to log in before you can comment on or make changes to this bug.