Bug 157732

Summary: A default firewall bug in rules of /etc/sysconfig/iptables
Product: Fedora
Reporter: hipodilski <hipo>
Component: system-config-securitylevel
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 3
CC: mattdm
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-05-22 11:41:21 UTC

Description hipodilski 2005-05-14 08:41:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050417 Fedora/1.7.7-1.3.1

Description of problem:
ICMP dest unrch (host comm denied) (84 bytes) from 10.10.10.13 to 10.10.10.1 on eth0. Running iptraf I see error messages like that periodically.
Our router has the IP 10.10.10.1. Removing the following rule from
/etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
and restarting the iptables service fixes the problem.

Version-Release number of selected component (if applicable):
Linux davidian 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004 i686 athlon i386 GNU/Linux

How reproducible:
Always

Steps to Reproduce:
1. Default install
2. Running the default firewall

Additional info:

Comment 1 Thomas Woerner 2005-05-17 08:40:44 UTC
The default firewall configuration is generated in anaconda.

Comment 2 Chris Lumens 2005-05-24 19:23:09 UTC
Yes, that is the default rule that will block anything not specifically allowed
by the previous rules.  What are you trying to do and what ports/protocols does
it use?  Most likely, you just need to add that information to the "other ports"
field in system-config-securitylevel to allow the service.

Comment 3 hipodilski 2005-05-25 07:31:47 UTC
I'm not trying to do anything. And I receive this error message from the router
every few seconds. Removing the rule, I don't get the "ICMP dest unreachable"
message. And everything seems to be okay.

Comment 4 Matthew Miller 2006-07-10 21:30:29 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 5 Thomas Woerner 2007-05-22 11:41:21 UTC
Dropping the reject rule will open up the firewall for all traffic. Therefore
this is no solution at all.
icmp-host-prohibited is a valid reject type and the router should honor this.
This is not a bug in the firewall configuration, it is a bug in the router
configuration - some kind of availability check.

Closing as "NOT A BUG".
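Comment 5's point, that deleting the final REJECT leaves RH-Firewall-1-INPUT falling through to the INPUT chain's ACCEPT policy, can be checked mechanically. The following Python is an added example, not code from this bug report or from system-config-securitylevel; the sample ruleset is constructed to resemble the FC3 default and the function names are my own.

```python
import shlex

TERMINAL = {"REJECT", "DROP"}

# Constructed sample in /etc/sysconfig/iptables (iptables-save) format,
# approximating the Fedora Core 3 default written by anaconda.
DEFAULT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_rules(text):
    """Return (policies, chains): builtin policies and per-chain rule token lists."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "*#" or line == "COMMIT":
            continue
        if line.startswith(":"):                     # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            chains.setdefault(name, [])
            if policy != "-":                        # user chains have no policy
                policies[name] = policy
            continue
        tok = shlex.split(line)
        if tok[0] in ("-A", "-I"):
            chains.setdefault(tok[1], []).append(tok[2:])
    return policies, chains

def catch_all_target(rule):
    """(target, reject_with) if the rule matches every packet and terminates, else None."""
    opts = {"-j": None, "--reject-with": None}
    rest, i = [], 0
    while i < len(rule):
        if rule[i] in opts and i + 1 < len(rule):
            opts[rule[i]] = rule[i + 1]; i += 2
        else:
            rest.append(rule[i]); i += 1
    if rest or opts["-j"] not in TERMINAL:         # any match option => not catch-all
        return None
    return opts["-j"], opts["--reject-with"]

def audit(text, chain="RH-Firewall-1-INPUT", caller="INPUT"):
    """Fate of a packet that matches none of the chain's explicit rules."""
    policies, chains = parse_rules(text)
    rules = chains.get(chain, [])
    last = catch_all_target(rules[-1]) if rules else None
    if last:
        return {"default": last[0], "reject_with": last[1], "open": False}
    policy = policies.get(caller, "ACCEPT")          # user chain returns to its caller
    return {"default": policy, "reject_with": None, "open": policy == "ACCEPT"}

def without_rule(text, needle):
    """The ruleset with every line containing `needle` removed (what the reporter did)."""
    return "\n".join(l for l in text.splitlines() if needle not in l) + "\n"
```

Running `audit(DEFAULT_RULES)` reports the icmp-host-prohibited reject, while `audit(without_rule(DEFAULT_RULES, "--reject-with"))` reports an open firewall defaulting to ACCEPT.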