Red Hat Bugzilla – Bug 157732
A default firewall bug in rules of /etc/sysconfig/iptables
Last modified: 2007-11-30 17:11:06 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050417 Fedora/1.7.7-1.3.1
Description of problem:
ICMP dest unrch (host comm denied) (84 bytes) from 10.10.10.13 to 10.10.10.1 on eth0. Running iptraf I see error messages like that periodically.
Our router has ip of 10.10.10.1. Removing the following rule from
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited.
and restarting the iptables service fixes the problem.
Version-Release number of selected component (if applicable):
Linux davidian 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004 i686 athlon i386 GNU/Linux
Steps to Reproduce:
1. Default install
2. Running the default firewall
The default firewall configuration is generated in anaconda.
Yes, that is the default rule that will block anything not specifically allowed
by the previous rules. What are you trying to do and what ports/protocols does
it use? Most likely, you just need to add that information to the "other ports"
field in system-config-securitylevel to allow the service.
I'm not trying to do anything. And I receive this error message from the router.
Every few seconds. Removing the rule, I don't get the "ICMP dest unreachable"
message. And everything seems to be okay.
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.
Dropping the reject rule will open up the firewall for all traffic. Therefore
this is no solution at all.
icmp-host-prohibited is a valid reject type and the router should honor this.
This is not a bug in the firewall configuration, it is a bug in the router
configuration - some kind of availability check.
Closing as "NOT A BUG".
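
Added example (not part of the bug report or of Red Hat's tooling): a Python check for whether unmatched traffic in an iptables-save style ruleset still ends in a catch-all REJECT/DROP, which is what the closing comment says is lost when the rule is removed. The sample ruleset is constructed, with an assumed INPUT policy of ACCEPT; only the REJECT line is quoted from the report, and the function names are hypothetical.

```python
import shlex

# Constructed sample in iptables-save format; only the final REJECT rule is quoted from the report.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
REJECT_RULE = "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\n"

def parse_filter(text):
    """Return (policies, rules) for the *filter table: chain -> policy, chain -> rule token lists."""
    policies, rules, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            rules.setdefault(name, [])
        elif in_filter and line.startswith("-A "):
            tokens = shlex.split(line)
            rules.setdefault(tokens[1], []).append(tokens[2:])
    return policies, rules

def unmatched_fate(policies, rules, chain="INPUT", seen=()):
    """Fate of a packet no conditional rule matched: 'DENY', 'ACCEPT' or 'RETURN'."""
    for tokens in rules.get(chain, []):
        if len(tokens) < 2 or tokens[0] != "-j":
            continue                      # rule has match criteria; not a catch-all
        target, extra = tokens[1], tokens[2:]
        if target in ("REJECT", "DROP") and (not extra or extra[0] == "--reject-with"):
            return "DENY"
        if target == "ACCEPT":
            return "ACCEPT"
        if target == "RETURN":
            break                         # stop here and apply this chain's policy
        if target in rules and target not in seen:
            fate = unmatched_fate(policies, rules, target, seen + (chain,))
            if fate != "RETURN":
                return fate               # user chain decided; otherwise keep scanning
    # Built-in chains end in their policy; user chains ("-") return to the caller.
    return {"DROP": "DENY", "ACCEPT": "ACCEPT"}.get(policies.get(chain), "RETURN")
```

Calling `unmatched_fate(*parse_filter(text))` on the contents of a saved ruleset gives "DENY" while the catch-all rule (or a DROP policy) is in place and "ACCEPT" once it has been removed.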