Re: DNS problem with IPFilter



On 25 Jun, in article <m3mzc1xeh9.fsf@xxxxxxxxxxxxxxx>
joe@xxxxxxxxxxxxxxx wrote:

> snews@xxxxxxxxxxxxxxxxxxxx (David Lord) writes:

> > On 24 Jun, in article <m3wtb6ueu1.fsf@xxxxxxxxxxxxxxx>
> > joe@xxxxxxxxxxxxxxx wrote:

> > > I'm trying to set up a FreeBSD 6 machine as a firewall. Most things
> > > work as expected, but for some reason I can't get pings from my
> > > internal lan to work.
> > >
> > > I'm pretty sure the rc.conf file is set up ok, because other stuff like
> > > news and http work. Is there something else that I need to do to route
> > > ping packets?

> > There is no reason it shouldn't work unless you're blocking
> > them and/or if your lan is private address space and you're
> > using ipnat.
> >
> > If you use ipnat through to your lan, the best you can get is
> > by keep state, and ipnat will attempt to make a guess as to
> > which destination on lan an incoming ping is meant for.
> >
> > This is all in the ipfilter howto.

> Well, I am using a private address space, but ipnat seems to be
> handling that ok with other things. I spent most of yesterday going
> through the ipfilter howto, including copy/paste of the sample
> firewall rules there, still everything works except ping.
>
> Since you mentioned private address ranges though, I don't have the
> firewall hooked up directly to my ISP yet. While I'm testing it I have
> it going through a linksys router. This is the setup:
>
> ubuntu -> firewall -> linksys -> cable modem
>
> - ubuntu is on the 10.0.0.0 net, with firewall as its default
> router.
>
> - firewall (FreeBSD 6.1-RELEASE) is on 10.0.0.0 and 192.168.1.0 with
> linksys as its default router.
>
> - linksys is 192.168.1.1 and is a dhcp client through the cable modem
> to my isp.
>
> I didn't think this would be a problem, is it?
>
> While I'm on the ubuntu box I can use the web, get news, etc except ping
> through the firewall.
>
> While I'm on the firewall I can do everything including ping.

That does look as if it is something in your firewall rules, and being
able to browse etc. indicates routing and nat are working ok.


> This is my /etc/ipf.rules section for ping:
>
> pass out quick on rl0 proto icmp from any to any icmp-type 8 keep state

Can you track these using ipfstat? I have ipf started with the
'-l nomatch' switch so that all packets that fail to be matched
by a rule are also logged (that number should be close to 0
with a correct set of rules).

You should be able to trace icmp packets through the firewall
and see returning packets.

David

--
The Reply-To: is valid for at least 30 days after posting date
David Lord - david@xxxxxxxxxxxx
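As an added example (not part of the thread or of IPFilter itself), the kind of trace David suggests, done over constructed ipmon-style log lines: echo requests leaving the outside interface are paired with the replies that come back, and anything logged as blocked or as matching no rule is listed, which is where a ping that silently disappears usually shows up. The interface names rl0 (outside, from Joe's rule) and fxp0 (inside), the firewall's outside address 192.168.1.2, and the exact ipmon line layout are assumptions.

```python
import re

# Constructed ipmon(8)-style lines, not from the thread. The layout assumed
# here is "date time iface @group:rule action src -> dst PR icmp len hdr tot
# icmp type/code IN|OUT", with action p = passed, b = blocked, n = no rule
# matched. Outbound lines show pre-NAT addresses (filter runs before NAT),
# inbound lines show addresses after ipnat has (or has not) mapped them back.
SAMPLE_LOG = """\
25/06/2006 10:01:02.000100 fxp0 @0:5 p 10.0.0.2 -> 192.168.1.1 PR icmp len 20 84 icmp 8/0 IN
25/06/2006 10:01:02.000200 rl0 @0:7 p 10.0.0.2 -> 192.168.1.1 PR icmp len 20 84 icmp 8/0 OUT
25/06/2006 10:01:02.010300 rl0 @0:0 n 192.168.1.1 -> 192.168.1.2 PR icmp len 20 84 icmp 0/0 IN
25/06/2006 10:01:05.000100 rl0 @0:7 p 192.168.1.2 -> 192.168.1.1 PR icmp len 20 84 icmp 8/0 OUT
25/06/2006 10:01:05.010300 rl0 @0:7 p 192.168.1.1 -> 192.168.1.2 PR icmp len 20 84 icmp 0/0 IN
"""

LINE_RE = re.compile(
    r"^\S+ (?P<time>\S+) (?P<iface>\S+) @(?P<rule>\S+) (?P<action>[pbnSL]) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR icmp len \d+ \d+ "
    r"icmp (?P<type>\d+)/(?P<code>\d+) (?P<dir>IN|OUT)$"
)

def parse_icmp(line):
    """Return the fields of one ICMP log line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def trace_pings(log_text, outside_if):
    """Pair echo requests (type 8) leaving outside_if with echo replies
    (type 0) arriving on it, and collect every blocked/no-match ICMP line."""
    requests, replies, dropped = [], [], []
    for line in log_text.splitlines():
        rec = parse_icmp(line)
        if rec is None:
            continue
        if rec["action"] in ("b", "n"):
            dropped.append(f'{rec["action"]} {rec["iface"]} {rec["src"]}->{rec["dst"]} '
                           f'icmp {rec["type"]}/{rec["code"]} {rec["dir"]}')
        elif rec["iface"] == outside_if and rec["type"] == "8" and rec["dir"] == "OUT":
            requests.append((rec["src"], rec["dst"]))
        elif rec["iface"] == outside_if and rec["type"] == "0" and rec["dir"] == "IN":
            replies.append((rec["dst"], rec["src"]))   # reply is addressed back to the pinger
    unanswered = [r for r in requests if r not in replies]
    return {"requests": len(requests), "replies": len(replies),
            "unanswered": unanswered, "dropped": dropped}

if __name__ == "__main__":
    for key, value in trace_pings(SAMPLE_LOG, "rl0").items():
        print(key, value)
```

In the constructed sample the LAN host's ping leaves rl0 but its reply comes back addressed to the firewall's own address and matches no rule, while a ping from the firewall itself is answered normally, which is the pattern David's nomatch logging is meant to expose.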