Description of problem:
The fix for bug #104561 is broken currently. To allow ICMP in general use:

    -A RH-Firewall-1-INPUT -p icmp -j ACCEPT

Not the incorrect/unsupported syntax:

    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

Version-Release number of selected component (if applicable):
redhat-config-securitylevel-1.2.8-2

Question: Given the fact that this rule exists:

    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

where the RELATED matches any ICMP error messages that the host needs to see -- why is it wanted that ICMP is allowed in general???
'-p icmp --icmp-type any' is perfectly valid syntax for me. What version of iptables do you have installed?
iptables-1.2.7a-2

I installed redhat-config-securitylevel-1.2.8-2 on RHL9. I can see someone else might do the same. I would suggest (if you still want to allow ICMP in general) going with my recommended rule as it will work with old and new versions of iptables:

    -A RH-Firewall-1-INPUT -p icmp -j ACCEPT
notting: should I make redhat-config-securitylevel require iptables >= 1.2.8-12?
You can, it won't hurt.
notting: what I'm asking is this: will making redhat-config-securitylevel require a newer iptables solve this problem? That would prevent someone from installing the latest r-c-securitylevel on RHL 9 without upgrading iptables as well.
Yes, it will solve that.
Ok, should be fixed in redhat-config-securitylevel-1.2.11-1 in Rawhide.