Cent 5.8 Firewall allowing 224.0.0.251 on port 5353

leslie_jones
Posts: 3
Joined: 2012/04/10 08:41:14

Cent 5.8 Firewall allowing 224.0.0.251 on port 5353

Post by leslie_jones » 2012/04/10 08:55:38

Just wondering if anyone can shed light on why a default install of CentOS has this line:

[code]
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
[/code]

In /etc/sysconfig/iptables

I'm not sure why it opens this up, and Google reveals little other than it is 'multicast DNS' (plus a ton of conspiracy theories).

As these are all default rules - I changed nothing on the standard desktop install from DVD - I'm also interested to know the why/thinking behind:

22 to allow remote SSH right from kickoff of a new system - before any hardening can take place.
25 being opened up leaving Sendmail in a semi-vulnerable state
50 & 51 being opened up
80 & 443 being opened up despite no Apache or HTTP server
631 when CUPSD won't even be used, or a printer attached.

The big one is the 5353 open to the unknown multicast address. I've seen this before in Cent and never known why it is there.

[code]
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
[/code]
I guess I would have expected to open them as I needed them after installing suitable services if needed, rather than having the machine sat with its pants down waiting for trouble! I must be missing something really obvious I guess? Can anyone shed any light on it? :-)
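As an added example (not code from the thread), a small Python audit of the rule set posted above: it parses the iptables-save lines, walks the chain with first-match semantics for a given inbound packet, and lists what a new connection can reach. The embedded rules are copied from the post; the unicast address 192.0.2.10 is a constructed stand-in for the host's own address.

```python
from types import SimpleNamespace

# Constructed input: the default CentOS 5.8 rules quoted in the post above.
RULES = """\
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
"""

def parse_rules(text):
    """Parse iptables-save style '-A CHAIN ...' lines in chain order. Fields per rule: proto
    ("tcp", "udp" or an IP protocol number; 50 is ESP and 51 is AH), dport (0 = no port match),
    dst (exact host only, "" = any), states (conntrack states, empty = no state match), target."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "-A":
            continue
        r = SimpleNamespace(proto="", dport=0, dst="", states=frozenset(), target="")
        for flag, val in zip(toks, toks[1:]):   # pair each flag with the next token; '-m tcp' etc. add no criteria
            if flag == "-p": r.proto = val
            elif flag == "--dport": r.dport = int(val)
            elif flag == "-d": r.dst = val
            elif flag == "--state": r.states = frozenset(val.split(","))
            elif flag == "-j": r.target = val
        rules.append(r)
    return rules

def verdict(rules, proto, dport=0, dst="192.0.2.10", state="NEW"):
    """First-match walk of the chain for one inbound packet (dst defaults to a constructed
    unicast host address). Returns the matching rule's target, or None when nothing in the
    quoted extract matches and the rest of the real chain decides."""
    for r in rules:
        if (not r.proto or r.proto == proto) and (not r.dport or r.dport == dport) \
                and (not r.dst or r.dst == dst) and (not r.states or state in r.states):
            return r.target
    return None

def exposed(rules):
    """What a NEW inbound packet can reach: (proto, dport, destination) per ACCEPT rule."""
    return [(r.proto, r.dport, r.dst or "any") for r in rules
            if r.target == "ACCEPT" and (not r.states or "NEW" in r.states)]
```

Running it against the posted rules shows that the udp/5353 rule only matches packets addressed to 224.0.0.251, so the same port on the host's unicast address falls through, while the 631 rules carry no state match at all.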

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Cent 5.8 Firewall allowing 224.0.0.251 on port 5353

Post by gerald_clark » 2012/04/10 14:48:48

The only port open by default is 22.
You need some way to get in to do your post install configuration.

leslie_jones
Posts: 3
Joined: 2012/04/10 08:41:14

Re: Cent 5.8 Firewall allowing 224.0.0.251 on port 5353

Post by leslie_jones » 2012/04/10 15:49:11

I beg to differ. It's a vanilla install of 5.8 with no services on it at all and all of that was open by default. No help from me at all.
To make sure, I've just run through the 5.8 install again on a Virtual Machine and it's reproduced it.

My main interest is this and I'm still no closer to what this is:

[code]-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT[/code]

and just why it has appeared in all the Cent distros I've tried in the 5.x series.

leslie_jones
Posts: 3
Joined: 2012/04/10 08:41:14

Re: Cent 5.8 Firewall allowing 224.0.0.251 on port 5353

Post by leslie_jones » 2012/04/10 16:08:52

The mystery is solved:
[code]-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT[/code]

is this:

"Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared."

It looks like a default item and I'm not sure I'm comfortable with it doing what it does.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Cent 5.8 Firewall allowing 224.0.0.251 on port 5353

Post by jlehtone » 2012/04/11 09:13:06

224.0.0.0/4 is the IPv4 address segment for multicasting.
224.0.0.251 is for multicast DNS (mDNS).

I'm not fond of Avahi, nor do I understand it, and in CentOS 6 that port is not open by default.
