Summary: A default firewall bug in rules of /etc/sysconfig/iptables
Product: [Fedora] Fedora
Component: system-config-securitylevel
Reporter: hipodilski <hipo>
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG
Doc Type: Bug Fix
Last Closed: 2007-05-22 11:41:21 UTC
Description hipodilski 2005-05-14 08:41:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050417 Fedora/1.7.7-1.3.1

Description of problem:
ICMP dest unrch (host comm denied) (84 bytes) from 10.10.10.13 to 10.10.10.1 on eth0.

Running iptraf I see error messages like that periodically. Our router has IP of 10.10.10.1. Removing the following rule from /etc/sysconfig/iptables

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

and restarting the iptables service fixes the problem.

Version-Release number of selected component (if applicable):
Linux davidian 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004 i686 athlon i386 GNU/Linux

How reproducible:
Always

Steps to Reproduce:
1. Default install
2. Running the default firewall

Additional info:
Comment 1 Thomas Woerner 2005-05-17 08:40:44 UTC
The default firewall configuration is generated in anaconda.
Comment 2 Chris Lumens 2005-05-24 19:23:09 UTC
Yes, that is the default rule that will block anything not specifically allowed by the previous rules. What are you trying to do and what ports/protocols does it use? Most likely, you just need to add that information to the "other ports" field in system-config-securitylevel to allow the service.
Comment 3 hipodilski 2005-05-25 07:31:47 UTC
I'm not trying to do anything. And I receive this error message from the router. Every few seconds. Removing the rule I don't get the "ICMP dest unreachable" message. And everything seems to be okay.
Comment 4 Matthew Miller 2006-07-10 21:30:29 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you!
Comment 5 Thomas Woerner 2007-05-22 11:41:21 UTC
Dropping the reject rule will open up the firewall for all traffic. Therefore this is no solution at all. icmp-host-prohibited is a valid reject type and the router should honor this. This is not a bug in the firewall configuration, it is a bug in the router configuration - some kind of availability check. Closing as "NOT A BUG".
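To make the point of Comment 2 and Comment 5 concrete, here is an added example (not part of the bug report or of system-config-securitylevel) that models first-match evaluation of the RH-Firewall-1-INPUT chain. Only the final REJECT line is quoted from the report; the other rules, the packet fields and the INPUT chain's ACCEPT policy are a constructed, simplified stand-in for the default Fedora ruleset.

```python
# Added example: a tiny first-match model of the RH-Firewall-1-INPUT chain.
# All rules except the final REJECT are a constructed simplification of the
# default ruleset, not copied from any Fedora release.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0       # destination port, 0 for icmp
    state: str = "NEW"   # conntrack state: NEW, ESTABLISHED or RELATED
    iface: str = "eth0"  # inbound interface

# (iptables text, match predicate, target)
Rule = Tuple[str, Callable[[Packet], bool], str]

def default_chain() -> List[Rule]:
    return [
        ("-A RH-Firewall-1-INPUT -i lo -j ACCEPT", lambda p: p.iface == "lo", "ACCEPT"),
        ("-A RH-Firewall-1-INPUT -p icmp -j ACCEPT", lambda p: p.proto == "icmp", "ACCEPT"),
        ("-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
         lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
        ("-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",
         lambda p: p.state == "NEW" and p.proto == "tcp" and p.dport == 22, "ACCEPT"),
        # The catch-all rule the reporter removed; quoted from the report.
        ("-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited",
         lambda p: True, "REJECT icmp-host-prohibited"),
    ]

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins; when nothing matches, the INPUT chain's
    built-in policy applies (assumed ACCEPT, as in the default ruleset)."""
    for _text, match, target in chain:
        if match(pkt):
            return target
    return f"POLICY {policy}"

def without_reject(chain: List[Rule]) -> List[Rule]:
    """What the reporter did: drop the final catch-all REJECT rule."""
    return [r for r in chain if "-j REJECT" not in r[0]]

def allow_port(chain: List[Rule], port: int) -> List[Rule]:
    """What Comment 2 recommends: open one TCP service ahead of the REJECT
    rule, which is what the "other ports" field does for you."""
    text = f"-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport {port} -j ACCEPT"
    rule: Rule = (text, lambda p: p.state == "NEW" and p.proto == "tcp" and p.dport == port, "ACCEPT")
    return chain[:-1] + [rule] + chain[-1:]
```

With the REJECT rule gone, an unsolicited connection to any closed port falls through to the chain policy and is accepted, which is the "open for all traffic" outcome Comment 5 describes.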