Sendmail, localloop, and iptables -- should I be more paranoid?
On 11/22/2010 9:11 AM, Robert Moskowitz wrote:
> By default, sendmail only listens on the localloop:
>
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>
> But by default to allow sendmail to even work the iptables entry is:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
> ACCEPT
>
> Without this, sendmail can't even connect to localloop. But should I
> handedit this line to something like:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
> --dport 25 -j ACCEPT
>
> And once you handedit iptables, you can't use the gnome firewall applet,
> I suspect...
Every security decision has its own tradeoffs, so first you need to
consider what you are trying to protect against. If you don't have a
program listening on a port, it doesn't matter whether it is explicitly
firewalled or not. A program needs root access to listen on ports below
1024 - and anyone with root access can change the iptables settings too...
--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
11-22-2010, 03:06 PM
Robert Moskowitz
Sendmail, localloop, and iptables -- should I be more paranoid?
On 11/22/2010 10:43 AM, Les Mikesell wrote:
> On 11/22/2010 9:11 AM, Robert Moskowitz wrote:
>
>> By default, sendmail only listens on the localloop:
>>
>> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>
>> But by default to allow sendmail to even work the iptables entry is:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>> ACCEPT
>>
>> Without this, sendmail can't even connect to localloop. But should I
>> handedit this line to something like:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
>> --dport 25 -j ACCEPT
>>
>> And once you handedit iptables, you can't use the gnome firewall applet,
>> I suspect...
>>
> Every security decision has its own tradeoffs, so first you need to
> consider what you are trying to protect against. If you don't have a
> program listening on a port, it doesn't matter whether it is explicitly
> firewalled or not. A program needs root access to listen on ports below
> 1024 - and anyone with root access can change the iptables settings too...
Ah, there is the combination I missed. I was concerned about sendmail
doing what I thought it was suppose to do: only listen on loopback. If
something could change that behaviour, it could also change any iptables
settings.
I have 25 blocked on the firewall anyway. But just looking at the i(s)
and t(s). (while trying not to stuff more angels on the pinhead or some
such metaphor).
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
11-22-2010, 04:05 PM
Les Mikesell
Sendmail, localloop, and iptables -- should I be more paranoid?
On 11/22/2010 10:06 AM, Robert Moskowitz wrote:
>
>>>
>>> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>>
>>> But by default to allow sendmail to even work the iptables entry is:
>>>
>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>>> ACCEPT
>>>
>>> Without this, sendmail can't even connect to localloop. But should I
>>> handedit this line to something like:
>>>
>>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
>>> --dport 25 -j ACCEPT
>>>
>>> And once you handedit iptables, you can't use the gnome firewall applet,
>>> I suspect...
>> Every security decision has its own tradeoffs, so first you need to
>> consider what you are trying to protect against. If you don't have a
>> program listening on a port, it doesn't matter whether it is explicitly
>> firewalled or not. A program needs root access to listen on ports below
>> 1024 - and anyone with root access can change the iptables settings
>> too...
>
> Ah, there is the combination I missed. I was concerned about sendmail
> doing what I thought it was suppose to do: only listen on loopback. If
> something could change that behaviour, it could also change any iptables
> settings.
>
> I have 25 blocked on the firewall anyway. But just looking at the i(s)
> and t(s). (while trying not to stuff more angels on the pinhead or some
> such metaphor).
Yes, it is always better to deny anything questionable - and to block at
your border router(s) too, but realistically if someone can get that far
you are fried anyway. Also, even if sendmail does accept remote
connections, it won't relay for them without additional changes to the
config.
--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
11-22-2010, 09:52 PM
Alexander Dalloz
Sendmail, localloop, and iptables -- should I be more paranoid?
Am 22.11.2010 16:11, schrieb Robert Moskowitz:
> By default, sendmail only listens on the localloop:
>
> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>
> But by default to allow sendmail to even work the iptables entry is:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
> ACCEPT
>
> Without this, sendmail can't even connect to localloop.
No, that is not correct. You miss to see the following rule
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
in the default /etc/sysconfig/iptables config file. So there is no
problem where you see one.
> But should I
> handedit this line to something like:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
> --dport 25 -j ACCEPT
>
> And once you handedit iptables, you can't use the gnome firewall applet,
> I suspect...
Alexander
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Sendmail, localloop, and iptables -- should I be more paranoid?
