2.3.1 default icmp setting - using custom udp ports

  • I've searched and found that icmp is blocked incoming by default but cannot seem to find anything about outgoing using different ports.

    For example, we are using udp ports 40001-40004 on a server to get a sort of icmp response.

    The principle of sending a UDP packet to each hop and checking for ICMP "port unreachable" responses simply does not work at some locations, including the one we are testing from, which has a brand new pfsense firewall installed.

    In other words, while this works in some cases, for some reason, we cannot get any response when trying from the LAN through this new firewall.

    Does pfsense block all icmp traffic unless configured to not?

  • PFSense blocks all ingress traffic by default. It is stateful, so if your protocol is following standard protocols, it should work, but if you have your own custom something going on, the statefulness will not be able to create states to allow your custom traffic.

    So you're wanting your icmp response to a closed port, like a default Linux traceroute.

    Pfsense wan is not going to answer you like that. But you can create a rule to do that. I like traceroute to work as well ;) and I do it remotely to my pfsense, so I have pfsense reject on those ports used by traceroute via udp.

    Notice that to the pfsense wan I have a reject; for ipv6 the same, but I also allow those ports through to the ipv6 box behind it so that box itself can send the response. In the attached sniff you will see where I was doing a traceroute to the pfsense wan from the outside, and it sends back the icmp response that you're looking for.

  • Wait now, is everyone understanding that the request is outgoing? It is originating on the LAN side.
    So, you're saying that even so, the firewall will block the replies unless specifically allowed?

    Huh? What rules do you have on your lan? There is nothing special required to be done if the request is done via a lan side client.

    So from a Linux client on my lan I do a traceroute to an outside IP, in this example. As you see I am getting back the icmp messages saying that port is not open. You can see the ttl expired and then the unreachables.

    Might be helpful if you post up your wan and lan rules and if anything in your floating, etc.

  • I don't have anything interesting to post really, it's a very basic setup. I've not enabled incoming ICMP for example but I figured so long as the requests are LAN initiated, they should work.

    That kind of testing certainly does work when using standard ping/traceroute/mtr tools, for example; only using our custom ports doesn't ever return anything back to the LAN from a remote network IP.

    Did you validate that you're actually getting back the icmp unreachable message on your wan?

    So your lan rules are any/any? So you're probing IPs you control on the public internet, and you know they send back icmp redirects when hit on a nonlistening/closed port?

    As I showed, many firewalls will not do that, since then every single noise packet they get would generate an icmp answer. That would be bad! ;) You need to validate that your packet is getting to the server from the client, and then validate that it is actually sending back an icmp redirect and pfsense is seeing it on its wan. If it does then yes, it should send that back to your client that created the traffic, as you can see from my above traceroute test.
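The validation step suggested in the thread, as an added example that is not from any of the posters: given the bytes of an ICMP message captured on the pfSense WAN (the ICMP header onward, with the IPv4 header already stripped), confirm it is a Destination Unreachable / Port Unreachable (type 3, code 3) with a valid checksum, and that the datagram it quotes is a UDP probe to one of the custom ports 40001-40004 from the question. The embedded sample packet and its addresses are constructed documentation values, not from the thread.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# The custom probe ports from the question; anything else is ignored.
PROBE_PORTS = range(40001, 40005)

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_port_unreachable(icmp: bytes) -> Optional[dict]:
    """Return the quoted probe if `icmp` is a Destination Unreachable /
    Port Unreachable (type 3, code 3) quoting a UDP datagram that was sent
    to one of PROBE_PORTS; otherwise None."""
    if len(icmp) < 8 + 20 + 8:            # ICMP hdr + inner IPv4 hdr + 8 bytes of UDP
        return None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 3 or code != 3 or icmp_checksum(icmp) != 0:
        return None
    inner = icmp[8:]                       # the original datagram as quoted by the responder
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < ihl + 8:   # protocol 17 = UDP
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if dport not in PROBE_PORTS:
        return None
    return {"probe_src": str(IPv4Address(inner[12:16])),
            "probe_dst": str(IPv4Address(inner[16:20])),
            "sport": sport, "dport": dport}

def build_sample_port_unreachable() -> bytes:
    """Constructed sample: a host quotes the UDP probe
    203.0.113.10:50000 -> 198.51.100.5:40002 (documentation addresses)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 3, 17, 0,
                           IPv4Address("203.0.113.10").packed,
                           IPv4Address("198.51.100.5").packed)
    inner_udp = struct.pack("!HHHH", 50000, 40002, 8, 0)
    body = inner_ip + inner_udp
    csum = icmp_checksum(struct.pack("!BBHI", 3, 3, 0, 0) + body)
    return struct.pack("!BBHI", 3, 3, csum, 0) + body

if __name__ == "__main__":
    print(parse_port_unreachable(build_sample_port_unreachable()))
```

If the same message seen on the WAN never appears on the LAN side, the firewall state is the problem; if it never appears on the WAN at all, the remote host (or something in front of it) is not answering, as the thread suggests.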

