Bug 104777 - Broken iptables syntax to allow all ICMP
Broken iptables syntax to allow all ICMP
Status: CLOSED RAWHIDE
Product: Red Hat Raw Hide
Classification: Retired
Component: redhat-config-securitylevel (Show other bugs)
1.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Brent Fox
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-09-21 01:41 EDT by Dax Kelson
Modified: 2007-04-18 12:57 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-10-16 16:12:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dax Kelson 2003-09-21 01:41:46 EDT
Description of problem:

The fix for bug #104561 is broken currently.

To allow ICMP in general use:

-A RH-Firewall-1-INPUT -p icmp -j ACCEPT

Not the incorrect/unsupported syntax:

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

Version-Release number of selected component (if applicable):
redhat-config-securitylevel-1.2.8-2

Question: Given the fact that this rule exists:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Where the RELATED matches any ICMP errors messages that the host needs to see --
why is it wanted that ICMP is allowed in general???
Comment 1 Bill Nottingham 2003-09-21 23:54:58 EDT
'-p icmp --icmp-type any' is perfectl valid syntax for me. What version of
iptables do you have installed?
Comment 2 Dax Kelson 2003-09-22 00:29:18 EDT
iptables-1.2.7a-2

I installed redhat-config-securitylevel-1.2.8-2 on RHL9.

I can see someone else might do the same. I would suggest (if you still want to
allow ICMP in general) going with my recommended rule as it will work with old
and new versions of IP Tables:

-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
Comment 3 Brent Fox 2003-10-14 19:10:58 EDT
notting: should I make redhat-config-securitylevel require iptables >= 1.2.8-12?
Comment 4 Bill Nottingham 2003-10-14 22:52:13 EDT
You can, it won't hurt.
Comment 5 Brent Fox 2003-10-16 15:41:07 EDT
notting: what I'm asking is this: will making redhat-config-securitylevel
require a newer iptables solve this problem?  That would prevent someone from
installing the latest r-c-securitylevel on RHL 9 without upgrading iptables as well.
Comment 6 Bill Nottingham 2003-10-16 16:01:03 EDT
Yes, it will solve that.
Comment 7 Brent Fox 2003-10-16 16:12:00 EDT
Ok, should be fixed in redhat-config-securitylevel-1.2.11-1 in Rawhide.

Note You need to log in before you can comment on or make changes to this bug.