Bug 157732 - A default firewall bug in rules of /etc/sysconfig/iptables
Summary: A default firewall bug in rules of /etc/sysconfig/iptables
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
Reported: 2005-05-14 08:41 UTC by hipodilski
Modified: 2007-11-30 22:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2007-05-22 11:41:21 UTC


Description hipodilski 2005-05-14 08:41:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050417 Fedora/1.7.7-1.3.1

Description of problem:
ICMP dest unrch (host comm denied) (84 bytes) from to on eth0. Running iptraf I see error messages like that periodically.
Our router has ip of Removing the following rule from
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
and restarting the iptables service fixes the problem.

Version-Release number of selected component (if applicable):
Linux davidian 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004 i686 athlon i386 GNU/Linux

How reproducible:

Steps to Reproduce:
1. Default install
2. Running the default firewall

Additional info:

Comment 1 Thomas Woerner 2005-05-17 08:40:44 UTC
The default firewall configuration is generated in anaconda.

Comment 2 Chris Lumens 2005-05-24 19:23:09 UTC
Yes, that is the default rule that will block anything not specifically allowed
by the previous rules.  What are you trying to do and what ports/protocols does
it use?  Most likely, you just need to add that information to the "other ports"
field in system-config-securitylevel to allow the service.

Comment 3 hipodilski 2005-05-25 07:31:47 UTC
I'm not trying to do anything. And I receive this error message from the router
every few seconds. Removing the rule, I don't get the "ICMP dest unreachable"
message, and everything seems to be okay.

Comment 4 Matthew Miller 2006-07-10 21:30:29 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!

Comment 5 Thomas Woerner 2007-05-22 11:41:21 UTC
Dropping the reject rule will open up the firewall for all traffic. Therefore
this is no solution at all.
icmp-host-prohibited is a valid reject type and the router should honor this.
This is not a bug in the firewall configuration, it is a bug in the router
configuration - some kind of availability check.

Closing as "NOT A BUG".
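
As an added example (not part of the bug report or of system-config-securitylevel), a small Python check for the point made in Comments 2 and 5: it verifies that the RH-Firewall-1-INPUT chain still ends in the catch-all REJECT, and adds a service by inserting an ACCEPT in front of it rather than deleting it. The sample rule set is constructed to resemble the FC3 default, and the format of the generated ACCEPT rule is an assumption about what the tool's "other ports" field writes.

```python
# Added example (not from the bug report): audit a Fedora-style
# /etc/sysconfig/iptables rule set for the catch-all REJECT discussed
# in this bug, and add a service the safe way (ACCEPT inserted before
# the REJECT) instead of deleting the REJECT as the reporter did.

# Constructed sample in iptables-save format, modelled on the FC3 default.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

CHAIN = "RH-Firewall-1-INPUT"

def reject_rule(chain=CHAIN):
    """The default-deny rule the reporter removed."""
    return f"-A {chain} -j REJECT --reject-with icmp-host-prohibited"

def chain_rules(text, chain=CHAIN):
    """Return the -A rules appended to `chain`, in file order."""
    return [l for l in text.splitlines() if l.startswith(f"-A {chain} ")]

def has_default_reject(text, chain=CHAIN):
    """True only if the chain still ends in the catch-all REJECT. Without it,
    unmatched packets fall through to the INPUT policy (ACCEPT here), so the
    host is wide open, which is Comment 5's point."""
    rules = chain_rules(text, chain)
    return bool(rules) and rules[-1] == reject_rule(chain)

def allow_port(text, port, proto="tcp", chain=CHAIN):
    """Insert an ACCEPT for `port` immediately before the final REJECT, the
    equivalent of the "other ports" field in Comment 2. The rule format is an
    approximation of what system-config-securitylevel writes (assumption)."""
    if not has_default_reject(text, chain):
        raise ValueError("chain does not end in the default REJECT rule")
    accept = (f"-A {chain} -m state --state NEW -m {proto} -p {proto} "
              f"--dport {port} -j ACCEPT")
    return text.replace(reject_rule(chain), accept + "\n" + reject_rule(chain), 1)
```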
