Bug 467630 - iptables and ip6tables aren't configured on LiveCD --> no firewall at all
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: spin-kickstarts
Version: 11
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Jeroen van Meeuwen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F11Target
Reported: 2008-10-19 17:01 UTC by Charles R. Anderson
Modified: 2013-01-10 04:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-25 15:11:06 UTC
Type: ---
Embargoed:
Description Charles R. Anderson 2008-10-19 17:01:52 UTC
Description of problem:

When running a LiveCD, there are no firewall rules configured.  This is a big security risk because there are services listening on network sockets by default.  There really should be a default set of firewall rules in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for the LiveCD case.

Version-Release number of selected component (if applicable):
F10-Snap2

Additional info:

Inet sockets that are bound on LiveCD:

udp        0      0 0.0.0.0:68                  0.0.0.0:*                               3086/dhclient
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2728/rpcbind
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               2728/rpcbind
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               3156/cupsd
udp        0      0 0.0.0.0:779                 0.0.0.0:*                               2728/rpcbind
udp        0      0 0.0.0.0:799                 0.0.0.0:*                               2743/rpc.statd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               3118/avahi-daemon:
udp        0      0 0.0.0.0:33846               0.0.0.0:*                               3118/avahi-daemon:
tcp        0      0 0.0.0.0:36319               0.0.0.0:*                   LISTEN      2743/rpc.statd
udp        0      0 0.0.0.0:50943               0.0.0.0:*                               2743/rpc.statd

Comment 1 Jeremy Katz 2008-10-21 14:49:20 UTC
Hmm, apparently we've been doing this all the way since the initial live images for Fedora Core 6 were built.  I'm a little bit wary of changing things such that there's a firewall running with this little time left in the F10 cycle :-/

Comment 2 Bug Zapper 2008-11-26 04:00:40 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Bug Zapper 2009-06-09 09:48:53 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Mads Kiilerich 2009-06-16 18:53:31 UTC
IIRC I noticed that this has been solved in Fedora 11, probably by fedora-live-base.ks having "firewall --enabled --service=mdns"
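
Added example (not part of the bug report or of any Fedora tooling): a small audit that parses netstat-style lines like those in the description and lists the sockets bound to all interfaces that a given allow-list would not cover. The allow-list of udp/5353 only is an assumption taken from the "--service=mdns" option quoted in comment 4, and the loopback line in the sample is constructed.

```python
import re
from typing import NamedTuple

# Sample input: four lines copied from the report, plus one constructed
# loopback-only line (the 127.0.0.1:25 entry is not from the report).
SAMPLE = """\
udp        0      0 0.0.0.0:68        0.0.0.0:*                 3086/dhclient
tcp        0      0 0.0.0.0:111       0.0.0.0:*     LISTEN      2728/rpcbind
udp        0      0 0.0.0.0:5353      0.0.0.0:*                 3118/avahi-daemon:
tcp        0      0 0.0.0.0:36319     0.0.0.0:*     LISTEN      2743/rpc.statd
tcp        0      0 127.0.0.1:25      0.0.0.0:*     LISTEN      2900/sendmail
"""

# Assumption: the firewall admits only mDNS (udp/5353) inbound, the one
# service named by "firewall --enabled --service=mdns" in comment 4.
ALLOWED = {("udp", 5353)}
WILDCARDS = {"0.0.0.0", "::", "*"}

# proto, recv-q, send-q, local addr:port, foreign addr, optional state, pid/prog
LINE = re.compile(
    r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)"
)

class Sock(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int
    prog: str

def parse_sockets(text):
    """Parse netstat-style lines; headers and unparsable lines are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            proto, addr, port, pid, prog = m.groups()
            # netstat truncates long program names and may leave a trailing ':'
            socks.append(Sock(proto, addr, int(port), int(pid), prog.rstrip(":")))
    return socks

def unfiltered(socks, allowed=ALLOWED):
    """Sockets bound to a wildcard address that the allow-list does not cover."""
    return [s for s in socks
            if s.addr in WILDCARDS and (s.proto, s.port) not in allowed]

if __name__ == "__main__":
    for s in unfiltered(parse_sockets(SAMPLE)):
        print(f"{s.proto}/{s.port} ({s.prog}, pid {s.pid}): wildcard bind, not in allow-list")
```
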

