Cannot block incoming ICMP
-
Ok guys, I feel like an idiot. I have tried everything in my power, even read The Definitive Guide to pfSense; somehow I cannot block incoming ICMP.
Can anybody help? Thanks.
Click here to see in full size http://img1.uploadscreenshot.com/images/orig/4/10015041141-orig.jpg
-
How are you testing this?
You might be hitting the usual issue where a constant ping would still be allowed because it has an existing state. After you save the rule, reset the states and see if you can still ping.
-
How are you testing this?
You might be hitting the usual issue where a constant ping would still be allowed because it has an existing state. After you save the rule, reset the states and see if you can still ping.
Ok, I reset the states, even rebooted pfSense; I can still ping WAN and WAN2 from the internet. To test, I used just-ping.com.
-
Do you have any rules on WAN/WAN2 that would be passing this traffic in? Though floating rules usually take precedence.
-
No, I don't; I am using the default settings. I am really confused as to why it's doing that. I know it's not related, but the Ntop service does not start either; I am wondering whether I am experiencing bugs or not.
-
Can you post the contents of /tmp/rules.debug? It would help narrow it down.
ntop is a different issue; it doesn't work at all on 2.0.
-
#System aliases

loopback = "{ lo0 }"
WAN = "{ em0 }"
LAN = "{ em2 }"
WAN2 = "{ em1 }"

#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist

#pfSnortSam tables
table <snort2c>
table <pfsnortsamout>
table <pfsnortsamin>
table <virusprot>

# User Aliases

# Gateways
GWWAN = " route-to ( em0 98.101.74.1 ) "
GWWAN2 = " route-to ( em1 71.68.80.1 ) "

set loginterface em2
set optimization normal
set limit states 198000
set limit src-nodes 198000

set skip on pfsync0

scrub in on $WAN all fragment reassemble
scrub in on $LAN all fragment reassemble
scrub in on $WAN2 all fragment reassemble

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules

# Subnets to NAT
tonatsubnets = "{ 192.168.10.0/27 127.0.0.0/8 }"
nat on $WAN from $tonatsubnets port 500 to any port 500 -> 98.101.74.241/32 port 500
nat on $WAN from $tonatsubnets to any -> 98.101.74.241/32 port 1024:65535
nat on $WAN2 from $tonatsubnets port 500 to any port 500 -> 71.68.80.137/32 port 500
nat on $WAN2 from $tonatsubnets to any -> 71.68.80.137/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"

# TFTP proxy
rdr-anchor "tftp-proxy/*"

table <direct_networks> { 98.101.74.0/24 192.168.10.0/27 71.68.80.0/20 }

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# pfSnortSam
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 25000 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"

table <bogons> persist file "/etc/bogons"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for em0

# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for em2

# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.10.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.10.1 port = 67 to any port = 68 label "allow access to DHCP server"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN2 from <bogons> to any label "block bogon networks from WAN2"
antispoof for em1

# block anything from private networks on interfaces with the option set
antispoof for $WAN2
block in log quick on $WAN2 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN2 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN2 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN2 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# allow our DHCP client out to the WAN2
pass in on $WAN2 proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN2"
pass out on $WAN2 proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN2"
# Not installing DHCP server firewall rules for WAN2 which is configured for DHCP.

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 98.101.74.1 ) from 98.101.74.241 to !98.101.74.0/24 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em1 71.68.80.1 ) from 71.68.80.137 to !71.68.80.0/20 keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on em2 proto tcp from any to (em2) port { 25000 443 } keep state label "anti-lockout rule"

# User-defined rules follow
block in log quick on { em0 em1 } inet proto icmp from any to any label "USER_RULE: Block Incoming ICMP on WAN and WAN2"
pass in log quick on $LAN proto { tcp udp } from 192.168.10.5 to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass in log quick on $LAN $GWWAN2 proto { tcp udp } from 192.168.10.5 to any keep state label "USER_RULE: Vonage through WAN2"
pass in quick on $LAN from 192.168.10.0/27 to any keep state label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

anchor "tftp-proxy/*"
-
You're not passing ICMP with that ruleset. Your public IP isn't responding to ICMP either (pulled your IP from where you're accessing the forum; it matches the subnet of one of the gateways in your config, so I presume that's it).
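To show why the ruleset above blocks inbound ICMP on both WANs, and why the test from outside has to target the firewall's own addresses rather than the upstream gateways, here is an added example (not part of the thread and not pfSense code): a small evaluator for a constructed excerpt of the posted rules.debug that applies pf's last-match-wins-unless-quick ordering, matching only on direction, interface and protocol, and reads the WAN address and gateway pairs out of the `pass out route-to` rules. It models the rule set only, not the state table, so it answers the question pf asks when no state exists, which is why the states had to be reset first.

```python
import re

# Constructed excerpt of the rules.debug posted above: the lines that can matter
# for an inbound ICMP packet on em0 (WAN) or em1 (WAN2), plus the route-to rules.
RULES_DEBUG = """
block in log all label "Default deny rule"
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out route-to ( em0 98.101.74.1 ) from 98.101.74.241 to !98.101.74.0/24 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em1 71.68.80.1 ) from 71.68.80.137 to !71.68.80.0/20 keep state allow-opts label "let out anything from firewall host itself"
block in log quick on { em0 em1 } inet proto icmp from any to any label "USER_RULE: Block Incoming ICMP on WAN and WAN2"
pass in quick on $LAN from 192.168.10.0/27 to any keep state label "USER_RULE: Default allow LAN to any rule"
"""
ALIASES = {"$WAN": ["em0"], "$WAN2": ["em1"], "$LAN": ["em2"]}  # interface aliases from the dump
RULE_RE = re.compile(r'^(pass|block)\s+(in|out)\b(?P<opts>.*?)label\s+"(?P<label>[^"]*)"')

def _expand(text):
    """'em0', '$WAN' or '{ em0 em1 }' -> list of interface or protocol names."""
    return [x for t in text.strip("{} ").split() for x in ALIASES.get(t, [t])]

def parse_rules(text):
    """Keep action, direction, interfaces, protocols, quick and label; ports and addresses are ignored."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        opts = m.group("opts")
        on = re.search(r"\bon\s+(\{[^}]*\}|\S+)", opts)
        proto = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", opts)
        rules.append({"action": m.group(1), "dir": m.group(2), "quick": " quick " in opts,
                      "ifaces": _expand(on.group(1)) if on else None,
                      "protos": _expand(proto.group(1)) if proto else None, "label": m.group("label")})
    return rules

def verdict(rules, iface, proto, direction="in"):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick', which ends evaluation."""
    last = None
    for r in rules:
        if (r["dir"] != direction or (r["ifaces"] and iface not in r["ifaces"])
                or (r["protos"] and proto not in r["protos"])):
            continue
        last = r
        if r["quick"]:
            break
    return (last["action"], last["label"]) if last else ("pass", "no rule matched")

def wan_addresses(text):
    """Interface -> (firewall's own address, upstream gateway) from the 'pass out route-to' rules."""
    return {m.group(1): (m.group(3), m.group(2)) for m in re.finditer(r"route-to \( (\S+) (\S+) \) from (\S+)", text)}

if __name__ == "__main__":
    for iface, (own, gw) in wan_addresses(RULES_DEBUG).items():
        print(iface, verdict(parse_rules(RULES_DEBUG), iface, "icmp"), f"-> test {own} from outside, not the gateway {gw}")
```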
-
@cmb:
You're not passing ICMP with that ruleset. Your public IP isn't responding to ICMP either (pulled your IP from where you're accessing the forum; it matches the subnet of one of the gateways in your config, so I presume that's it).
OMG, I am so sorry, I cannot believe that I have been pinging the gateways! Something so simple… wow, never say never. Thanks.
Hahaha, at least I memorized The Definitive Guide to pfSense.