Firewall disabled by default ______related lsmod issues

Support for security such as Firewalls and securing linux
Black_Heart
Posts: 16
Joined: 2011/12/23 05:40:00

Firewall disabled by default ______related lsmod issues

Post by Black_Heart » 2012/01/19 00:20:59

Late October install of CentOS 5.7
SElinux set to enforcing/enforcing/targeted
System working normally

Problems: attempted to access iptables to close ports but iptables not enabled.
attempted to run lsmod, modprobe and depmod to check iptables/ip_tables.
lsmod, modprobe and depmod are not installed.
after starting iptables, Ports 631 and 5353, CUPS and multicast, are "Accepted."

Questions: For a system set to Enforcing, why is iptables disabled by default?
Two (risky?) Ports are Accepted by default on starting the above firewall.
Can these Ports be restricted to localhost? OK to kill multicast?
[in system-config-securitylevel, no checkboxes are enabled]
Any vulnerability if installing modprobe, etc pkgs?


[root@localhost XXXX]# rpm -q iptables
iptables-1.3.5-5.3.el5_4.1
[root@localhost XXXX]# lsmod | grep ip_tables
bash: lsmod: command not found
[root@localhost XXXX]# iptables -L
bash: iptables: command not found
[root@localhost XXXX]# system-config-securitylevel
[root@localhost XXXX]# lsmod | grep ip_tables
bash: lsmod: command not found

[XXXX@localhost ~]$ /etc/init.d/iptables status
Firewall is not configured.

[root@localhost XXXX]# /etc/init.d/iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy XXXX: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

[root@localhost XXXX]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

[root@localhost XXXX]# /etc/init.d/iptables status [cut]
*ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353

*RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
*RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT

[root@localhost XXXX]# lsmod | grep ip_tables
bash: lsmod: command not found
[root@localhost XXXX]# lsmod.old | grep ip_tables
bash: lsmod.old: command not found
[root@localhost XXXX]# rpm -q lsmod
package lsmod is not installed

[root@localhost XXXX]# modprobe -c --showconfig
bash: modprobe: command not found
[root@localhost XXXX]# rpm -q modprobe
package modprobe is not installed

[root@localhost XXXX]# depmod -n --dry-run
bash: depmod: command not found
[root@localhost XXXX]# rpm -q depmod
package depmod is not installed

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Firewall disabled by default ______related lsmod issues

Post by unspawn » 2012/01/19 06:21:05

[quote]Black_Heart wrote:
For a system set to Enforcing, why is iptables disabled by default?
[/quote]
While related from a security point of view they are two separate items at the configuration level.


[quote]Black_Heart wrote:
Two (risky?) Ports are Accepted by default on starting the above firewall.
Can these Ports be restricted to localhost?
[/quote]
Yes they can.


[quote]Black_Heart wrote:
OK to kill multicast?
[in system-config-securitylevel, no checkboxes are enabled]
[/quote]
Sure, just modify the rule if you think you don't need mcast.


[quote]Black_Heart wrote:
Any vulnerability if installing modprobe, etc pkgs?
[/quote]
If there's vulns they'll be fixed. Any LKM ops require root privileges anyway.


[quote]Black_Heart wrote:
[XXXX@localhost ~]$ /etc/init.d/iptables status
Firewall is not configured. [/quote]
Use the system-config-securitylevel (IIRC) tool or see the "RH-Firewall-1" chain is listed in Centos documentation or use your own rules.


[quote]Black_Heart wrote:
[root@localhost XXXX]# /etc/init.d/iptables start
[root@localhost XXXX]# /etc/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ][/quote]
IMHO it does not make much sense to start the firewall and then use "save" w/o making any changes?


[quote]Black_Heart wrote:
[root@localhost XXXX]# /etc/init.d/iptables status [cut]
*ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
*RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
*RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT [/quote]


[quote]Black_Heart wrote:
[root@localhost XXXX]# lsmod | grep ip_tables
bash: lsmod: command not found[/quote]
See if /sbin is in your path statement or prefix it.


[quote]Black_Heart wrote:
[root@localhost XXXX]# rpm -q lsmod
package lsmod is not installed[/quote]
No, that would be 'rpm -qf /sbin/modprobe' (which returns "module-init-tools"), or 'rpm -ql module-init-tools|grep lsmod' if you know the package name or the inefficient 'rpm -qa --dump|grep lsmod'.

Black_Heart
Posts: 16
Joined: 2011/12/23 05:40:00

Re: Firewall disabled by default ______related lsmod issues

Post by Black_Heart » 2012/01/21 03:43:27

Thank you.
I understand iptables and SElinux are separate items at the configuration level.
Point was that it makes no sense to tell an embedded SElinux to Enforce and have
the system fail to enable the most rudimentary protection.

My question about restricting the two Accepted ports to localhost was more a
question of the advisability of doing this and, if sensible, how? It may be that I don't
understand protocols here.

Question asked about multicast was not so much whether I wanted it, more like
is there a good reason to leave it active.

As for installing modprobe and related, my concern was that these might weaken security?

Saving the firewall settings after enabling was something I thought was needed to confirm defaults.

Thanks for the last few bits there. These were helpful. Peace.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: Firewall disabled by default ______related lsmod issues

Post by pschaff » 2012/01/21 12:14:00

The firewall [b]is[/b] enabled by default in most installs I have ever done. It is not clear how you installed, but if you are doing a very minimal install, or using kickstart, or some other custom method (as indicated by the absence of something as basic as lsmod from module-init-tools), the implicit assumption is that you know how to handle the situation. Don't blame the distro, or [url=http://wiki.centos.org/FAQ/General?highlight=%28TUV%29#head-d29a2b7e61ffc544973098f9dd49fe4663efba50]TUV[/url] for a system administrator's failure to assure security.

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: Firewall disabled by default ______related lsmod issues

Post by unspawn » 2012/01/21 16:46:55

[quote]Black_Heart wrote:
My question about restricting the two Accepted ports to localhost was more a question of the advisability of doing this and, if sensible, how? It may be that I don't understand protocols here. [/quote]
I don't think anyone would want to allow access to print services over the 'net. So if you need printing then it'll be localhost or over the LAN and it makes sense to restrict access.


[quote]Black_Heart wrote:
Question asked about multicast was not so much whether I wanted it, more like is there a good reason to leave it active.[/quote]
On Linux Avahi can identify networked printers, servers, etc so if you don't need it you know what to do.


[quote]Black_Heart wrote:
As for installing modprobe and related, my concern was that these might weaken security. ?[/quote]
Linux Kernel Module operations require root privileges so the attacker needs to gain root privileges first.


[quote]Black_Heart wrote:
Saving the firewall settings after enabling was something I thought was needed to confirm defaults.[/quote]
The firewall rules reside in /etc/sysconfig/iptables. That's static content. 'iptables' loads rules if you run 'service iptables start'. After loading, the most current status wrt rule additions or deletions (fail2ban or equivalent) or traffic data (iptables "recent" or other module data, packet counters) resides in the kernel. So running "/etc/init.d/iptables save" is only necessary if you need to save changes.
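Two points in this reply lend themselves to a worked example: restricting the CUPS and mDNS rules to loopback plus the LAN, and the fact that "save" only matters when the kernel's rules differ from /etc/sysconfig/iptables. The script below is an added example written for this thread; it is not code from the thread or from the CentOS project. It assumes a LAN of 192.168.1.0/24, a chain layout modelled on the CentOS 5 RH-Firewall-1-INPUT default, and constructed "live" dumps standing in for real iptables-save output. The generated ruleset is in iptables-restore format, so on a real host it could be written to /etc/sysconfig/iptables and loaded with `service iptables restart`, and the live dump would come from `iptables-save`.

```shell
#!/bin/sh
# Added example, not from the thread or the CentOS project: build a CentOS 5 style
# /etc/sysconfig/iptables ruleset in which CUPS (631) is reachable only from loopback
# and one LAN subnet, and the mDNS (5353) rule is optional; plus a check that tells
# whether "service iptables save" would actually change the saved file.
# The LAN subnet and the chain layout below are assumptions for the demo.

# build_ruleset LAN_CIDR KEEP_MDNS -> prints an iptables-restore ruleset on stdout.
build_ruleset() {
    lan="$1"
    keep_mdns="$2"
    printf '%s\n' \
        '*filter' \
        ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':RH-Firewall-1-INPUT - [0:0]' \
        '-A INPUT -j RH-Firewall-1-INPUT' \
        '-A FORWARD -j RH-Firewall-1-INPUT' \
        '-A RH-Firewall-1-INPUT -i lo -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT' \
        '-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # mDNS is link-local multicast; keep it only if discovery (Avahi) is wanted,
    # and then only from the LAN.
    if [ "$keep_mdns" = yes ]; then
        printf '%s\n' "-A RH-Firewall-1-INPUT -s $lan -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT"
    fi
    # CUPS: loopback is already accepted by the '-i lo' rule, so only the LAN needs a rule.
    # Anything else reaching 631 falls through to the final REJECT.
    printf '%s\n' \
        "-A RH-Firewall-1-INPUT -s $lan -p udp -m udp --dport 631 -j ACCEPT" \
        "-A RH-Firewall-1-INPUT -s $lan -p tcp -m tcp --dport 631 -j ACCEPT" \
        '-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT'
}

# normalize_rules TEXT -> drops iptables-save comment lines and [packets:bytes]
# counters, leaving just the rules, so the saved file and a live dump can be compared.
normalize_rules() {
    printf '%s\n' "$1" | sed -e '/^#/d' \
        -e 's/ \[[0-9][0-9]*:[0-9][0-9]*\]$//' \
        -e 's/^\[[0-9][0-9]*:[0-9][0-9]*\] //'
}

# save_needed SAVED_TEXT LIVE_TEXT -> exit 0 if the kernel's rules differ from the
# saved file (a "save" would change it), exit 1 if only counters/comments differ.
save_needed() {
    [ "$(normalize_rules "$1")" != "$(normalize_rules "$2")" ]
}

# Constructed demo data: a saved file, a live dump that differs only by counters
# and comments, and a live dump into which a fail2ban-style block rule was inserted.
saved_rules=$(build_ruleset 192.168.1.0/24 no)
live_same=$(printf '%s\n%s\n%s' '# Generated by iptables-save' \
    "$(printf '%s\n' "$saved_rules" | sed 's/ \[0:0\]$/ [42:4200]/')" '# Completed')
live_changed=$(printf '%s\n' "$saved_rules" | \
    sed '/-i lo -j ACCEPT/a\
-A RH-Firewall-1-INPUT -s 203.0.113.7 -j DROP')

# drift_report -> one line saying whether each constructed live dump needs a save.
drift_report() {
    if save_needed "$saved_rules" "$live_same"; then a=yes; else a=no; fi
    if save_needed "$saved_rules" "$live_changed"; then b=yes; else b=no; fi
    printf 'counters-only:%s new-rule:%s\n' "$a" "$b"
}

drift_report
```

The counters-only case reports that no save is needed, which is the situation in the original post: starting the service and immediately saving rewrote /etc/sysconfig/iptables with the same rules it already held. The new-rule case is the one where a save (or a deliberate decision not to persist a temporary block) matters.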
