On 11/22/2010 9:11 AM, Robert Moskowitz wrote: > By default, sendmail only listens on the localloop: > > DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl > > But by default to allow sendmail to even work the iptables entry is: > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j > ACCEPT > > Without this, sendmail can't even connect to localloop. But should I > handedit this line to something like: > > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1 > --dport 25 -j ACCEPT > > And once you handedit iptables, you can't use the gnome firewall applet, > I suspect... Every security decision has its own tradeoffs, so first you need to consider what you are trying to protect against. If you don't have a program listening on a port, it doesn't matter whether it is explicitly firewalled or not. A program needs root access to listen on ports below 1024 - and anyone with root access can change the iptables settings too... -- Les Mikesell lesmikesell@xxxxxxxxx _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos