11-22-2010, 02:43 PM, Les Mikesell

Sendmail, localloop, and iptables -- should I be more paranoid?

On 11/22/2010 9:11 AM, Robert Moskowitz wrote:
> By default, sendmail only listens on the localloop:
>
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>
> But by default to allow sendmail to even work the iptables entry is:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
> ACCEPT
>
> Without this, sendmail can't even connect to localloop. But should I
> hand-edit this line to something like:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
> --dport 25 -j ACCEPT
>
> And once you hand-edit iptables, you can't use the gnome firewall applet,
> I suspect...

Every security decision has its own tradeoffs, so first you need to
consider what you are trying to protect against. If you don't have a
program listening on a port, it doesn't matter whether it is explicitly
firewalled or not. A program needs root access to listen on ports below
1024 - and anyone with root access can change the iptables settings too...

--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-22-2010, 03:06 PM, Robert Moskowitz

Sendmail, localloop, and iptables -- should I be more paranoid?

On 11/22/2010 10:43 AM, Les Mikesell wrote:
> On 11/22/2010 9:11 AM, Robert Moskowitz wrote:
>
>> By default, sendmail only listens on the localloop:
>>
>> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>
>> But by default to allow sendmail to even work the iptables entry is:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>> ACCEPT
>>
>> Without this, sendmail can't even connect to localloop. But should I
>> hand-edit this line to something like:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
>> --dport 25 -j ACCEPT
>>
>> And once you hand-edit iptables, you can't use the gnome firewall applet,
>> I suspect...
>>
> Every security decision has its own tradeoffs, so first you need to
> consider what you are trying to protect against. If you don't have a
> program listening on a port, it doesn't matter whether it is explicitly
> firewalled or not. A program needs root access to listen on ports below
> 1024 - and anyone with root access can change the iptables settings too...

Ah, there is the combination I missed. I was concerned about sendmail
doing what I thought it was supposed to do: only listen on loopback. If
something could change that behaviour, it could also change any iptables
settings.

I have 25 blocked on the firewall anyway. But just looking at the i's
and t's (while trying not to stuff more angels on the pinhead, or some
such metaphor).


 
11-22-2010, 04:05 PM, Les Mikesell

Sendmail, localloop, and iptables -- should I be more paranoid?

On 11/22/2010 10:06 AM, Robert Moskowitz wrote:
>
>>>
>>> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>>
>>> But by default to allow sendmail to even work the iptables entry is:
>>>
>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>>> ACCEPT
>>>
>>> Without this, sendmail can't even connect to localloop. But should I
>>> hand-edit this line to something like:
>>>
>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
>>> --dport 25 -j ACCEPT
>>>
>>> And once you hand-edit iptables, you can't use the gnome firewall applet,
>>> I suspect...
>> Every security decision has its own tradeoffs, so first you need to
>> consider what you are trying to protect against. If you don't have a
>> program listening on a port, it doesn't matter whether it is explicitly
>> firewalled or not. A program needs root access to listen on ports below
>> 1024 - and anyone with root access can change the iptables settings
>> too...
>
> Ah, there is the combination I missed. I was concerned about sendmail
> doing what I thought it was suppose to do: only listen on loopback. If
> something could change that behaviour, it could also change any iptables
> settings.
>
> I have 25 blocked on the firewall anyway. But just looking at the i(s)
> and t(s). (while trying not to stuff more angels on the pinhead or some
> such metaphor).

Yes, it is always better to deny anything questionable - and to block at
your border router(s) too, but realistically if someone can get that far
you are fried anyway. Also, even if sendmail does accept remote
connections, it won't relay for them without additional changes to the
config.

--
Les Mikesell
lesmikesell@gmail.com

 
11-22-2010, 09:52 PM, Alexander Dalloz

Sendmail, localloop, and iptables -- should I be more paranoid?

On 22.11.2010 16:11, Robert Moskowitz wrote:
> By default, sendmail only listens on the localloop:
>
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>
> But by default to allow sendmail to even work the iptables entry is:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
> ACCEPT
>
> Without this, sendmail can't even connect to localloop.

No, that is not correct. You are missing the following rule

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

in the default /etc/sysconfig/iptables config file. So there is no
problem where you see one.

> But should I
> hand-edit this line to something like:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
> --dport 25 -j ACCEPT
>
> And once you hand-edit iptables, you can't use the gnome firewall applet,
> I suspect...

Alexander

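Added example, not from the thread and not CentOS code: a small first-match evaluator for the RH-Firewall-1-INPUT chain, to answer the thread's question the way iptables itself would. It takes the two rules quoted above (the "-i lo -j ACCEPT" rule Alexander points to and the port-25 rule Robert quotes), adds the ESTABLISHED,RELATED, port-22 and final REJECT rules as assumptions about the stock /etc/sysconfig/iptables, and runs a loopback SMTP connection and an external one through three chains: the default, Robert's "-d 127.0.0.1" variant, and the chain with the port-25 rule removed. The interface names "lo" and "eth0", the addresses 127.0.0.1 and 192.0.2.10, and the reduced packet model are assumptions made for the example.

```python
# Added example, not from the thread or from CentOS: a first-match evaluator for
# an iptables chain written in iptables-save syntax. It understands only the
# matchers the thread's rules use (-i, -p, -d, --dport, --state, -j); "-m" and
# "--reject-with" are parsed and ignored because they do not affect matching here.
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed ruleset: the default RH-Firewall-1-INPUT chain reduced to what
# the thread discusses. The "-i lo" and port-25 rules are quoted in the thread;
# the ESTABLISHED,RELATED, port-22 and final REJECT rules are assumed from the
# stock CentOS /etc/sysconfig/iptables.
DEFAULT = """
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
"""
# Robert's proposed edit: the port-25 rule limited to destination 127.0.0.1.
RESTRICTED = DEFAULT.replace("-p tcp --dport 25", "-p tcp -d 127.0.0.1 --dport 25")
# The same chain with the port-25 rule dropped entirely.
NO_SMTP_RULE = "\n".join(l for l in DEFAULT.splitlines() if "--dport 25" not in l)


@dataclass
class Packet:
    iface: str   # interface the packet arrived on ("lo", "eth0"; assumed names)
    proto: str   # "tcp", "udp", ...
    dst: str     # destination IPv4 address
    dport: int   # destination port
    state: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


# Assumed sample packets: sendmail's own loopback connection, and a NEW SMTP
# connection from an outside host (192.0.2.10 is a documentation address).
LOOPBACK_SMTP = Packet("lo", "tcp", "127.0.0.1", 25, "NEW")
EXTERNAL_SMTP = Packet("eth0", "tcp", "192.0.2.10", 25, "NEW")

MATCH_OPTS = ("-i", "-p", "-d", "--dport", "--state")
IGNORED_OPTS = ("-m", "--reject-with")


def parse_rules(text):
    """Turn '-A CHAIN <matchers> -j TARGET' lines into (conditions, target)."""
    rules = []
    for line in text.splitlines():
        toks = shlex.split(line)
        if toks[:1] != ["-A"]:
            continue
        cond, target, i = {}, None, 2          # skip "-A CHAIN"
        while i < len(toks):
            opt, val = toks[i], toks[i + 1]
            i += 2
            if opt == "-j":
                target = val
            elif opt in MATCH_OPTS:
                cond[opt] = val
            elif opt not in IGNORED_OPTS:
                raise ValueError("unsupported option %r in %r" % (opt, line))
        rules.append((cond, target))
    return rules


def matches(cond, pkt):
    """Every condition on a rule must hold; an empty condition matches all."""
    if "-i" in cond and cond["-i"] != pkt.iface:
        return False
    if "-p" in cond and cond["-p"] != pkt.proto:
        return False
    if "-d" in cond and ipaddress.ip_address(pkt.dst) not in \
            ipaddress.ip_network(cond["-d"], strict=False):
        return False
    if "--dport" in cond and int(cond["--dport"]) != pkt.dport:
        return False
    if "--state" in cond and pkt.state not in cond["--state"].split(","):
        return False
    return True


def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule decides, as iptables does; chain policy otherwise."""
    for cond, target in rules:
        if matches(cond, pkt):
            return target
    return policy


def smtp_verdicts(ruleset_text):
    """What the chain does with a loopback and an external SMTP connection."""
    rules = parse_rules(ruleset_text)
    return {"loopback": verdict(rules, LOOPBACK_SMTP),
            "external": verdict(rules, EXTERNAL_SMTP)}


if __name__ == "__main__":
    for name, text in (("default", DEFAULT), ("restricted", RESTRICTED),
                       ("no smtp rule", NO_SMTP_RULE)):
        print("%-13s %s" % (name, smtp_verdicts(text)))
```

Run stand-alone it prints one line per chain. The loopback connection is ACCEPTed by all three chains, because the "-i lo" rule sits first and matches before the port-25 rule is ever consulted, which is Alexander's point: removing or restricting the port-25 rule does not break local delivery. The external connection is ACCEPTed only by the default chain; Robert's "-d 127.0.0.1" variant and the chain without the port-25 rule both REJECT it, so the proposed edit buys nothing that the existing "-i lo" rule and a sendmail bound to 127.0.0.1 do not already give. Two caveats the model leaves out: Linux treats packets for 127.0.0.0/8 arriving on a non-loopback interface as martians and drops them unless net.ipv4.conf.*.route_localnet is enabled, so "-d 127.0.0.1" on eth0 traffic is not a realistic case; and on a live box the rule order should be confirmed with "iptables -L RH-Firewall-1-INPUT -n --line-numbers" rather than trusted from a config file.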
 
