Red Hat Bugzilla – Bug 11425
ipchains man page wrong on ICMP deny/reject handling.
Last modified: 2008-05-01 11:37:55 EDT
ipchains man page states:
ACCEPT means to let the packet through. DENY means to drop the packet
on the floor. REJECT means the same as drop, but is more polite and
easier to debug, since an ICMP message is sent back to the sender
indicating that the packet was dropped. (Note that DENY and REJECT are
the same for ICMP packets).
The last sentence on ICMP is _wrong_. ICMP receives no special treatment
if it's in REJECT mode.
I think this is a 'feature we never remembered to add' problem. Man page
should be changed to reflect the current behaviour though.
This can be easily verified with e.g.:
'ipchains -A input -j REJECT -p icmp'
which produces ICMP port unreachable messages just as for UDP/TCP:
01:48:56.045352 netcore.fi > em.netcore.fi: icmp: netcore.fi protocol 1
port 32721 unreachable [tos 0xc0]
An example of the man page patch here (ipchains isn't being maintained anymore
IIRC, so it's up to Redhat to leave it as it is, or to patch it):
--- ipchains.8.orig Tue Jun 27 18:28:53 2000
+++ ipchains.8 Tue Jun 27 18:30:49 2000
@@ -70,7 +70,8 @@
-are the same for ICMP packets).
+are the same for ICMP packets). [Note: this is incorrect; setting ICMP to
+REJECT will cause ICMP port unreachables to be sent!]
is only legal for the forward and user defined chains, and can only be
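Review bot: the hunk leaves the disputed sentence "(Note that DENY and REJECT are the same for ICMP packets)" in place and appends a bracketed contradiction to it; a man page should state the current behaviour directly, so replace that sentence with one saying that REJECT on ICMP packets, like on UDP/TCP, sends an ICMP port unreachable back to the sender. The hunk as pasted also does not apply cleanly: the header `@@ -70,7 +70,8 @@` promises seven lines of old context, but only one removed line, two added lines and one trailing context line are shown, and the context line has lost its leading space. Regenerate it with `diff -u` and attach the file rather than pasting it inline.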
fixed in rawhide.
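As an added example (not from the bug report, ipchains or Red Hat), here is a small Python parser for the tcpdump unreachable lines quoted in the report, used to tell from a capture whether a filter REJECTs a probe (an unreachable comes back naming the original destination and protocol) or stays silent. It goes slightly beyond the report by also accepting the "udp port"/"tcp port" form tcpdump prints for those two protocols; the hostnames are the ones from the report and the capture is constructed.

```python
import re

# Matches the ICMP "unreachable" lines tcpdump prints, in both forms it uses:
#   "<dst> protocol <N> port <P> unreachable"   (non-TCP/UDP, as in the report)
#   "<dst> udp port <P> unreachable" / "<dst> tcp port <P> unreachable"
UNREACH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): icmp: (?P<orig_dst>\S+) "
    r"(?:protocol (?P<proto_num>\d+)|(?P<proto_name>tcp|udp)) port (?P<port>\S+) unreachable"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_unreachable(line):
    """Return {'src', 'orig_dst', 'proto', 'port'} for an ICMP unreachable line, else None."""
    m = UNREACH_RE.match(line.strip())
    if not m:
        return None
    if m.group("proto_num") is not None:
        num = int(m.group("proto_num"))
        proto = PROTO_NAMES.get(num, str(num))   # protocol number of the rejected packet
    else:
        proto = m.group("proto_name")
    return {"src": m.group("src"), "orig_dst": m.group("orig_dst"),
            "proto": proto, "port": m.group("port")}

def classify_policy(capture, probe_dst, proto):
    """Infer the filter's verdict for probes of `proto` sent to `probe_dst`.
    An unreachable carrying the original destination and protocol means REJECT.
    Silence is ambiguous: DENY drops silently, but ACCEPT of a one-way probe
    produces no unreachable either, so the capture alone cannot separate them."""
    for line in capture.splitlines():
        u = parse_unreachable(line)
        if u and u["orig_dst"] == probe_dst and u["proto"] == proto:
            return "REJECT"
    return "DENY or ACCEPT (no unreachable observed)"

# Constructed capture: the first line mirrors the one quoted in the report
# (REJECT of ICMP produced a "protocol 1 ... unreachable"); the second is a
# constructed UDP rejection; nothing comes back for the TCP probe.
SAMPLE_CAPTURE = """\
01:48:56.045352 netcore.fi > em.netcore.fi: icmp: netcore.fi protocol 1 port 32721 unreachable [tos 0xc0]
01:49:03.210044 netcore.fi > em.netcore.fi: icmp: netcore.fi udp port 33434 unreachable [tos 0xc0]
"""

if __name__ == "__main__":
    for proto in ("icmp", "udp", "tcp"):
        print(proto, "->", classify_policy(SAMPLE_CAPTURE, "netcore.fi", proto))
```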