Re: Sendmail, localloop, and iptables -- should I be more paranoid?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 11/22/2010 10:43 AM, Les Mikesell wrote:
> On 11/22/2010 9:11 AM, Robert Moskowitz wrote:
>    
>> By default, sendmail only listens on the localloop:
>>
>> DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
>>
>> But by default to allow sendmail to even work the iptables entry is:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j
>> ACCEPT
>>
>> Without this, sendmail can't even connect to localloop.  But should I
>> handedit this line to something like:
>>
>> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -d 127.0.0.1
>> --dport 25 -j ACCEPT
>>
>> And once you handedit iptables, you can't use the gnome firewall applet,
>> I suspect...
>>      
> Every security decision has its own tradeoffs, so first you need to
> consider what you are trying to protect against.  If you don't have a
> program listening on a port, it doesn't matter whether it is explicitly
> firewalled or not.  A program needs root access to listen on ports below
> 1024 - and anyone with root access can change the iptables settings too...

Ah, there is the combination I missed.  I was concerned about sendmail 
doing what I thought it was suppose to do:  only listen on loopback.  If 
something could change that behaviour, it could also change any iptables 
settings.

I have 25 blocked on the firewall anyway.  But just looking at the i(s) 
and t(s). (while trying not to stuff more angels on the pinhead or some 
such metaphor).


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux