Blocking ICMP (ping) from my DMZ.

nafeasonto · Dec 18, 2017, 7:36 AM

So I don't understand why this isn't wrking, but I go into the RULES for the DMZ. Like DMZ from the srouce of any to LAN NET, no ICMP.
Then IN the LAN, I block ICMP from source of DMZ net to LAN NET.

But ping is still getting through, why?

here is screenie.

https://imgur.com/a/EXUA4

GruensFroeschli · Dec 18, 2017, 8:31 AM

Did you keep the ping running while changing rules?
Have you tried to stop the ping and then start it again?

States created before you change the rules will not automatically be killed.
You can manually trigger a kill of all states under:
Diagnostic –> States -->"Reset States"

johnpoz · Dec 18, 2017, 1:31 PM

Your source net dmz net rule on lan is pointless.

Your rules below that any any rule on dmz are pointless.

As GruensFroeschli correctly stated, if you had a state that allowed ping when you created that block rule.. You would have to kill any active states to lan to allow the rule to be used. Since active states are looked at before rules are evaluated. You do not need to kill/reset all states.. You can look under your state table for the specific state(s) you want to kill and just kill those.