Bug 157732 - A default firewall bug in rules of /etc/sysconfig/iptables
Summary: A default firewall bug in rules of /etc/sysconfig/iptables
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: system-config-securitylevel
Version: 3
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-05-14 08:41 UTC by hipodilski
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-22 11:41:21 UTC



Description hipodilski 2005-05-14 08:41:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050417 Fedora/1.7.7-1.3.1

Description of problem:
ICMP dest unrch (host comm denied) (84 bytes) from 10.10.10.13 to 10.10.10.1 on eth0. Running iptraf I see error messages like that periodically.
Our router has IP of 10.10.10.1. Removing the following rule from
/etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
and restarting the iptables service fixes the problem.

Version-Release number of selected component (if applicable):
Linux davidian 2.6.9-1.667 #1 Tue Nov 2 14:41:25 EST 2004 i686 athlon i386 GNU/Linux

How reproducible:
Always

Steps to Reproduce:
1. Default install
2. Running the default firewall

Additional info:

Comment 1 Thomas Woerner 2005-05-17 08:40:44 UTC
The default firewall configuration is generated in anaconda.

Comment 2 Chris Lumens 2005-05-24 19:23:09 UTC
Yes, that is the default rule that will block anything not specifically allowed
by the previous rules.  What are you trying to do and what ports/protocols does
it use?  Most likely, you just need to add that information to the "other ports"
field in system-config-securitylevel to allow the service.

Comment 3 hipodilski 2005-05-25 07:31:47 UTC
I'm not trying to do anything. And I receive this error message from the router
every few seconds. Removing the rule, I don't get the "ICMP dest unreachable"
message. And everything seems to be okay.

Comment 4 Matthew Miller 2006-07-10 21:30:29 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 5 Thomas Woerner 2007-05-22 11:41:21 UTC
Dropping the reject rule will open up the firewall for all traffic. Therefore
this is no solution at all.
icmp-host-prohibited is a valid reject type and the router should honor this.
This is not a bug in the firewall configuration, it is a bug in the router
configuration - some kind of availability check.

Closing as "NOT A BUG".
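The following is an added example, not code from the bug report or from system-config-securitylevel. It is a small evaluator for a ruleset in /etc/sysconfig/iptables (iptables-save) format that models only the matches the RH-Firewall-1-INPUT chain uses, so the point of Comment 5 can be checked without root or a kernel: with the final REJECT rule in place an unsolicited connection gets icmp-host-prohibited, with the rule removed the packet falls out of the user chain to the INPUT policy and is accepted, and with an ACCEPT for the needed port inserted before the REJECT (what the "other ports" field in Comment 2 generates) only that port is opened. The ruleset, the packet dicts and the helper names (`verdict`, `without_reject`, `with_service`) are constructed for this example and resemble, but are not copied from, the FC3 default.

```python
"""Simplified evaluator for an iptables-save style ruleset (added example).

Only -i, -p, --dport and -m state --state are modelled; --icmp-type and
module names are parsed but ignored.  Good enough to show what the
catch-all REJECT at the end of RH-Firewall-1-INPUT does.
"""
import shlex

# Constructed ruleset resembling the FC3 default; not copied from a system.
DEFAULT_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rules(text):
    """Return (policies, chains): policy per builtin chain, ordered rules per chain."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(':'):
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != '-':          # '-' marks a user-defined chain
                policies[name] = policy
        elif line.startswith('-A '):
            toks = shlex.split(line)
            chain, rule, i = toks[1], {}, 2
            while i < len(toks):
                if toks[i] == '-m':    # match module name carries no value we use
                    i += 2
                    continue
                rule[toks[i]] = toks[i + 1]
                i += 2
            chains[chain].append(rule)
    return policies, chains


def matches(rule, pkt):
    """True when every modelled match in the rule applies to the packet."""
    if '-i' in rule and rule['-i'] != pkt.get('iface'):
        return False
    if '-p' in rule and rule['-p'] != pkt.get('proto'):
        return False
    if '--dport' in rule and int(rule['--dport']) != pkt.get('dport'):
        return False
    if '--state' in rule and pkt.get('state') not in rule['--state'].split(','):
        return False
    return True


def verdict(rules_text, pkt, chain='INPUT'):
    """Walk the chain as the kernel would.  Returns 'ACCEPT', 'DROP' or
    'REJECT:<type>'.  Falling off a user chain returns to the caller;
    falling off a builtin chain applies its policy."""
    policies, chains = parse_rules(rules_text)

    def walk(name):
        for rule in chains[name]:
            if not matches(rule, pkt):
                continue
            target = rule['-j']
            if target in chains:                    # jump to a user chain
                result = walk(target)
                if result is not None:
                    return result
            elif target == 'REJECT':
                return 'REJECT:' + rule.get('--reject-with', 'icmp-port-unreachable')
            else:
                return target
        return policies.get(name)                   # None == implicit RETURN

    return walk(chain)


def without_reject(rules_text):
    """The reporter's change: delete the final catch-all REJECT rule."""
    return '\n'.join(l for l in rules_text.splitlines() if '-j REJECT' not in l) + '\n'


def with_service(rules_text, port):
    """The change Comment 2 points at: accept one TCP port before the catch-all."""
    lines = rules_text.splitlines()
    idx = next(i for i, l in enumerate(lines) if '-j REJECT' in l)
    lines.insert(idx, '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp '
                      '-p tcp --dport %d -j ACCEPT' % port)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Constructed packet: an unsolicited TCP connection from the LAN to port 8080.
    probe = {'iface': 'eth0', 'proto': 'tcp', 'dport': 8080, 'state': 'NEW'}
    print('default     :', verdict(DEFAULT_RULES, probe))
    print('no REJECT   :', verdict(without_reject(DEFAULT_RULES), probe))
    print('port 8080 ok:', verdict(with_service(DEFAULT_RULES, 8080), probe))
```

Running it shows the three outcomes side by side: the default ruleset answers the probe with REJECT:icmp-host-prohibited (the ICMP the reporter saw iptraf log), the ruleset without the REJECT line answers ACCEPT for that and every other unsolicited port because the INPUT chain's policy is ACCEPT, and the ruleset with a port-specific ACCEPT opens only that port while everything else is still rejected.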