Re: Why are these ports open in iptables on new FC4 install?

On Tue, 2006-02-14 at 07:28 +1030, Tim wrote:

> I don't have a default set-up machine to look at, but surely this
> shouldn't be open to all, just the LAN.  What is the default setting in
> that regard?
> 

Below are the rules that were in iptables after a clean install with a
full yum update.

While I don't believe having protocols 50, 51 and udp ports 5353 and 631
open poses an immediate security threat, I think it is bad practice for
these to be open without being selected by the user or notifying the
user that these are open.  I am also not sure, but I suspect that
specific rpm packages installed may have added these in.  IMHO no rpm
package should automagically change a system's firewall settings.  Any
firewall settings should be done when the admin configures or enables
the service.  And the admin should know these changes are being made.


-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
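
Added example, not part of the original message: a small Python audit of the rule listing above that reports which ACCEPT rules admit new traffic with no source or interface restriction. The function names are hypothetical, and the parser assumes iptables-save style lines without `!` negation.

```python
import shlex

# Rule listing from the message above, with the wrapped lines rejoined.
RULES = """\
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Options this audit cares about (assumption: no '!' negation in the rules).
OPTS = {"-p": "proto", "--dport": "dport", "-s": "src", "-d": "dst",
        "-i": "iface", "--state": "state", "-j": "target"}

def parse_rule(line):
    """Turn one '-A chain ...' line into a dict of the audited options."""
    tok = shlex.split(line)
    rule = dict.fromkeys(OPTS.values())
    rule["chain"] = tok[1]
    # Walk adjacent token pairs; an option we track is followed by its value.
    for opt, val in zip(tok[2:], tok[3:]):
        if opt in OPTS:
            rule[OPTS[opt]] = val
    return rule

def unrestricted_accepts(text):
    """ACCEPT rules admitting new traffic with no source/interface limit."""
    found = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        r = parse_rule(line)
        if r["target"] != "ACCEPT" or r["src"] or r["iface"]:
            continue
        if r["state"] and "NEW" not in r["state"].split(","):
            continue  # ESTABLISHED,RELATED only: replies to existing flows
        found.append((r["proto"] or "all", r["dport"], r["dst"]))
    return found

if __name__ == "__main__":
    for proto, dport, dst in unrestricted_accepts(RULES):
        print(f"proto={proto} dport={dport or '-'} dst={dst or 'any'}")
```

Protocol numbers 50 and 51 are ESP and AH (IPsec); a rule carrying `-s` with a LAN prefix would drop out of this report.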


