FC5 iptables issue

John Summerfield debian at herakles.homelinux.org
Thu Mar 23 12:36:14 UTC 2006


Scot L. Harris wrote:
> A while back I noted some unexpected entries being allowed through
> iptables in FC4 on a clean install.  I filed a bug report on this
> #181397.
> 
> It appears that FC5 still has similar issues.
> 
> 3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> 4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
> 5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
> 6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
> 7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
> 
> 
> I don't see any reason that I want to allow UDP traffic to port 5353.
> And I don't believe I want to allow traffic to port 631, no reason for
> anyone to be accessing the cups configuration from the network.
> 
> This was a clean install of FC5. 
> 
> 
I think I've answered this before, and I don't think you will win this one.

UDP 5353 is used by Apples to discover services. Read up on zeroconf. If 
you are not running software to listen to port 5353, there is no great 
advantage to you in blocking it with your firewall. OTOH a user who does 
have something there almost certainly wants the port open.

In a similar vein, cups servers can communicate with each other by UDP 
broadcasts to port 631. It's how my laptop automatically discovers 
printers at home, and different printers at work. If you're printing on 
a network, you probably want it open.

TCP port 631 is different, and unless something's changed recently, 
there's nothing listening to any external interface on port 631. 
Firewall rules will make absolutely no difference.
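The reply's point is that an ACCEPT rule only matters when a process is actually bound to that port on a non-loopback address. The following is an added example, not code from this thread or from Fedora: it parses the iptables listing quoted above and cross-checks each ACCEPT rule against a constructed table of listening sockets (the kind of data netstat -lnutp would show). The listener table assumes cupsd bound to 127.0.0.1:631 for TCP, CUPS browsing bound to UDP 631, and no mDNS responder at all, so the three rules of interest come out as "exposed", "inert: loopback only" and "inert: nothing listening" respectively.

```python
"""Cross-check iptables ACCEPT rules against what is actually listening."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The chain listing quoted in the thread (iptables -L -n numbered output).
IPTABLES_LISTING = """\
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
"""

# Constructed listener table: (protocol, bind address, port). This is an
# assumption for the example, not a capture from any real host.
LISTENERS: List[Tuple[str, str, int]] = [
    ("tcp", "127.0.0.1", 631),  # cupsd web/IPP listener on loopback only
    ("udp", "0.0.0.0", 631),    # CUPS browsing receives printer broadcasts
    # no entry for udp 5353: no mDNS responder is running
]

@dataclass
class Rule:
    num: int
    target: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]

# num target proto opt source destination [match extras]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+--\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)

def parse_rules(listing: str) -> List[Rule]:
    """Turn numbered iptables -L -n lines into Rule records."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines we do not understand
        dpt = re.search(r"dpt:(\d+)", m.group("extra"))
        rules.append(Rule(
            num=int(m.group("num")),
            target=m.group("target"),
            proto=m.group("proto"),
            src=m.group("src"),
            dst=m.group("dst"),
            dport=int(dpt.group(1)) if dpt else None,
        ))
    return rules

def classify(rule: Rule, listeners: List[Tuple[str, str, int]]) -> str:
    """Say whether an ACCEPT rule admits traffic to a live service."""
    if rule.target != "ACCEPT":
        return "not an accept rule"
    if rule.proto not in ("tcp", "udp") or rule.dport is None:
        return "not a socket service"  # esp/ah are handled by the IPsec stack
    bound = [addr for proto, addr, port in listeners
             if proto == rule.proto and port == rule.dport]
    if not bound:
        return "inert: nothing listening"
    if all(addr.startswith("127.") for addr in bound):
        return "inert: loopback only"
    return "exposed"

def audit(listing: str, listeners: List[Tuple[str, str, int]]) -> Dict[int, str]:
    """Map each rule number in the listing to its classification."""
    return {r.num: classify(r, listeners) for r in parse_rules(listing)}

if __name__ == "__main__":
    for num, verdict in sorted(audit(IPTABLES_LISTING, LISTENERS).items()):
        print(f"rule {num}: {verdict}")
```

Run against a real host, the listener table would come from netstat or ss; the interesting rows are the "exposed" ones, since an "inert" ACCEPT changes nothing until someone starts a service behind it.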
