Bug 104777

Summary: Broken iptables syntax to allow all ICMP
Product: [Retired] Red Hat Raw Hide Reporter: Dax Kelson <dkelson>
Component: redhat-config-securitylevelAssignee: Brent Fox <bfox>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 1.0CC: mitr, notting
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-10-16 20:12:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dax Kelson 2003-09-21 05:41:46 UTC 
Description of problem:

The fix for bug #104561 is broken currently.

To allow ICMP in general use:

-A RH-Firewall-1-INPUT -p icmp -j ACCEPT

Not the incorrect/unsupported syntax:

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

Version-Release number of selected component (if applicable):
redhat-config-securitylevel-1.2.8-2

Question: Given the fact that this rule exists:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Where the RELATED matches any ICMP errors messages that the host needs to see --
why is it wanted that ICMP is allowed in general???
Comment 1 Bill Nottingham 2003-09-22 03:54:58 UTC 
'-p icmp --icmp-type any' is perfectl valid syntax for me. What version of
iptables do you have installed?
Comment 2 Dax Kelson 2003-09-22 04:29:18 UTC 
iptables-1.2.7a-2

I installed redhat-config-securitylevel-1.2.8-2 on RHL9.

I can see someone else might do the same. I would suggest (if you still want to
allow ICMP in general) going with my recommended rule as it will work with old
and new versions of IP Tables:

-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
Comment 3 Brent Fox 2003-10-14 23:10:58 UTC 
notting: should I make redhat-config-securitylevel require iptables >= 1.2.8-12?
Comment 4 Bill Nottingham 2003-10-15 02:52:13 UTC 
You can, it won't hurt.
Comment 5 Brent Fox 2003-10-16 19:41:07 UTC 
notting: what I'm asking is this: will making redhat-config-securitylevel
require a newer iptables solve this problem?  That would prevent someone from
installing the latest r-c-securitylevel on RHL 9 without upgrading iptables as well.
Comment 6 Bill Nottingham 2003-10-16 20:01:03 UTC 
Yes, it will solve that.
Comment 7 Brent Fox 2003-10-16 20:12:00 UTC 
Ok, should be fixed in redhat-config-securitylevel-1.2.11-1 in Rawhide.