Bug 157732 - A default firewall bug in rules of /etc/sysconfig/iptables
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 3
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
Reported: 2005-05-14 04:41 EDT by hipodilski
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-05-22 07:41:21 EDT
Description hipodilski 2005-05-14 04:41:06 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050417 Fedora/1.7.7-1.3.1

Description of problem:
ICMP dest unrch (host comm denied) (84 bytes) from 10.10.10.13 to 10.10.10.1 on eth0. Running iptraf I see error messages like that periodically.
Our router has the IP 10.10.10.1. Removing the following rule from
/etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
and restarting the iptables service fixes the problem.

Version-Release number of selected component (if applicable):
Linux davidian 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004 i686 athlon i386 GNU/Linux

How reproducible:
Always

Steps to Reproduce:
1. Default install
2. Running the default firewall
Comment 1 Thomas Woerner 2005-05-17 04:40:44 EDT
The default firewall configuration is generated in anaconda.
Comment 2 Chris Lumens 2005-05-24 15:23:09 EDT
Yes, that is the default rule that will block anything not specifically allowed
by the previous rules.  What are you trying to do and what ports/protocols does
it use?  Most likely, you just need to add that information to the "other ports"
field in system-config-securitylevel to allow the service.
Comment 3 hipodilski 2005-05-25 03:31:47 EDT
I'm not trying to do anything. And I receive this error message from the router
every few seconds. Removing the rule, I don't get the "ICMP dest unreachable"
message. And everything seems to be okay.
Comment 4 Matthew Miller 2006-07-10 17:30:29 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 5 Thomas Woerner 2007-05-22 07:41:21 EDT
Dropping the reject rule will open up the firewall for all traffic. Therefore
this is no solution at all.
icmp-host-prohibited is a valid reject type and the router should honor this.
This is not a bug in the firewall configuration, it is a bug in the router
configuration - some kind of availability check.

Closing as "NOT A BUG".
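As an added illustration of the advice in Comments 2 and 5 (this is not code from the report or from system-config-securitylevel): a small Python lint that checks a Fedora-style /etc/sysconfig/iptables file still ends the RH-Firewall-1-INPUT chain with the catch-all REJECT rule, and permits a service by inserting an ACCEPT in front of that rule rather than deleting it. The sample ruleset is constructed to resemble the Fedora Core default.

```python
"""Lint a Fedora-style /etc/sysconfig/iptables file (iptables-save format).

Checks that RH-Firewall-1-INPUT still ends with the catch-all
`-j REJECT --reject-with icmp-host-prohibited` rule, and shows how to
allow a service without removing it."""

CHAIN = "RH-Firewall-1-INPUT"
CATCHALL = f"-A {CHAIN} -j REJECT --reject-with icmp-host-prohibited"

# Constructed sample modelled on the Fedora Core default; not from the report.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def chain_rules(text, chain=CHAIN):
    """Return the rules appended to `chain`, in file order."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip().startswith(f"-A {chain} ")]

def lint(text):
    """Return findings about the catch-all rule; empty list means it is intact."""
    rules = chain_rules(text)
    if CATCHALL not in rules:
        # Without it the chain falls through to the INPUT policy (ACCEPT), so
        # every unmatched packet is let in: the situation Comment 5 warns about.
        return ["catch-all REJECT missing: every unmatched packet is accepted"]
    if rules[-1] != CATCHALL:
        return ["catch-all REJECT is not last: rules after it never match"]
    return []

def allow_port(text, port, proto="tcp"):
    """Insert an ACCEPT for port/proto just before the catch-all REJECT,
    which is what the 'other ports' field of system-config-securitylevel does."""
    accept = (f"-A {CHAIN} -m state --state NEW -m {proto} -p {proto} "
              f"--dport {port} -j ACCEPT")
    lines = text.splitlines()
    idx = next((i for i, ln in enumerate(lines) if ln.strip() == CATCHALL), None)
    if idx is None:
        raise ValueError("catch-all REJECT rule not found; refusing to edit")
    lines.insert(idx, accept)
    return "\n".join(lines) + "\n"
```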
