New installation strange behavior - I can access the web interface. However, I can't ping the device
-
Hi,
Thanks for the update.
I had to add a second rule to get the ping working, as the first rule was preventing the LAN IP from sending ICMP packets.
Hope this helps someone.
-
Again, that's what I wrote. Anti-Lockout is "globally" using any to give you any chance to still reach the box and not bugging out on you if you do some crazy things(TM). The default any-any allow rule after a new installation/firmware reset only covers the "LAN_net" e.g. the same network configured on the LAN side of pfSense. Your client not in there? You got no ping! :)
-
Thanks. :)
-
Dear JeGr,
Normally, disabling and enabling a rule takes effect instantly on firewalls. Once I disable the above rule, the firewall needs a full power cycle for the change to take effect. Is there any easy way of doing this, maybe restarting services???
Thanks in advance
-
@popeel-SSH said in New installation strange behavior - I can access web interface. however, I can't ping to the device:
Once I disable the above rule, the firewall needs a full power cycle for the change to take effect. Is there any easy way of doing this, maybe restarting services???
Which rule do you refer to? Normal pf-based firewall rules don't require a power cycle. In fact, the only time I need to restart is for an update?
-
@JeGr said in New installation strange behavior - I can access web interface. however, I can't ping to the device:
Normal pf-based firewall rules don't require a power cycle. In fact, the only time I need to restart is for an update?
The second rule in the picture, the ICMP any rule. Once I enable it I can ping, and when I then disable it, I can still ping the firewall. However, one reboot will stop the ping, which means the rule takes effect after a reboot. Tried a few different times.
-
You clearly do not need to reboot; your rules just need to be reloaded, which is what happens when you click apply.
My guess is, since you're using an alias, which only gets updated every 5 minutes, you would have to wait for the alias to get populated.
You can also see that the rule has been triggered by the counter next to the rule.
Another thing to keep in mind when adding/changing rules is states that may already exist; you would have to wait for those states to time out or be closed, or kill them.
-
Unfortunately, mine doesn't behave like that. I left it for hours and I can still ping. The only solutions are either to use States and reset, or to reboot.
-
Further, for your info, it's not the alias causing this, as I have already tried with one host IP and the behavior is still the same.
-
When you click apply, monitor the reload... Are you sure your rules are actually being reloaded?
Look at your full rule set after you apply:
https://docs.netgate.com/pfsense/en/latest/firewall/viewing-the-full-pf-ruleset.html
-
@johnpoz said in New installation strange behavior - I can access web interface. however, I can't ping to the device:
You sure your rules are actually being reloaded?
Look at your full rule set after you apply
It has reloaded fine without any issues, and the output of pfctl -vvsr doesn't show the rule, as I have already disabled it.
I can still ping the firewall. What I found was that there is still an ICMP connection in the States table from my IP to the firewall IP.
Looks like pfSense doesn't remove existing connections when the firewall rule is disabled. However, it does work when I enable the rule to let the traffic pass through; like I said before, the ping keeps the connection until the next reboot or a reset of the states table.
I have tried this on 3 different pieces of hardware.
-
@popeel-SSH said in New installation strange behavior - I can access web interface. however, I can't ping to the device:
there is still an ICMP connection in the States table from my IP to the firewall IP.
Yeah - if you have an existing rule that allowed the ping, a state is created... Then with a new rule that blocks, if the state is still there you have to remove that state!
States are looked at before rules - this is how a stateful firewall works!
Here I created a block rule for ping - pinging away... See the state... Then delete the state and bam, no more pings.
Now I deleted the rule and bam, pings start working again.
Auto flushing of states on rule changes/additions/deletions could be a BAD thing... And cause all kinds of issues depending on the rules in place, etc. You could kill the connections on things you did not mean to stop... So the person administering the firewall should understand this... And if some change to rules is made that might have states that allow - just be like a surgeon and kill only the specific states. Or sure, you could use a HAMMER and reset ALL of them... But this could really piss off a lot of users, etc.
-
@johnpoz said in New installation strange behavior - I can access web interface. however, I can't ping to the device:
And if some change to rules is made that might have states that allow - just be like a surgeon and kill only the specific states. Or sure, you could use a HAMMER and reset ALL of them... But this could really piss off a lot of users, etc.
This is what I understand of this pfSense firewall. However, I have used Cisco and Juniper before and the behaviour is different. They flush the connections (only the related connections) as soon as I disable the rule.
pfSense does not do that, as we might need to find the rule and delete that.
I am still learning this firewall. Thanks for your help, much appreciated.
-
@popeel-SSH said in New installation strange behavior - I can access web interface. however, I can't ping to the device:
pfSense does not do that, as we might need to find the rule and delete that.
Nope, just think about how stateful rules work. It doesn't block at once if you add a block rule and have a working connection state established. BUT if that state expires/gets closed, it blocks any new attempt. But you can also see that it works the other way round:
- add a block ICMP rule for your internal IP only so you cannot ping pfSense' LAN interface
- save and apply ruleset
- start a ping on your desktop
- disable the block rule
- hit apply
- wait a moment ... ha! pings start!
- now enable the block again
- hit apply
- ping continues, as the "state" for ICMP allows that ping to continue. Open up another window and run a ping there - oops, no ping! But the other one still continues!
- close second window
- cancel the continuous ping in window 1
- ping again - oh, no ping! (as the state has "expired", or more specifically, the "new" ping can't create a state anymore, as it is blocked now)
So with it going from "no ping" to "ping", that's your case: it was reloaded and activated immediately. The other way round it was also active, but you could only see that in the second window, as the first one had an active, unexpired state. :)
-
@JeGr said in New installation strange behavior - I can access web interface. however, I can't ping to the device:
"no ping" to "ping", that's your case:
Thanks and it does explain everything .... You are a star.
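The mechanism the thread lands on (pf consults the state table before the ruleset, so a reloaded block rule only affects flows that have no live state) is easy to reproduce in a small simulation. The following is an added example written for this thread; it is not pfSense or pf code. The addresses (192.0.2.x), ICMP ids and the idle timeout are constructed values, and the first-match/default-deny evaluation mirrors how pfSense's GUI rules behave. `run_ping_experiment()` walks through JeGr's window-1/window-2 steps and `run_surgeon_vs_hammer()` shows johnpoz's point that removing only the offending state is enough.

```python
"""Simulation of pf's lookup order: state table first, ruleset only for the
first packet of a new flow. Constructed example, not pfSense/pf code."""
from dataclasses import dataclass

ICMP_IDLE_TIMEOUT = 10.0   # constructed idle timeout (seconds); pf's real value differs


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source address or "any"
    proto: str             # "icmp" or "any"
    enabled: bool = True

    def matches(self, src, proto):
        return self.src in ("any", src) and self.proto in ("any", proto)


class StatefulFirewall:
    """First-match ruleset (pfSense GUI rules are 'quick') with default deny."""

    def __init__(self, rules):
        self.rules = rules
        # pf keys echo-request states on the ICMP id as well, so a second
        # ping process (new id) needs a new state even from the same host.
        self.states = {}   # (src, dst, proto, icmp_id) -> last_seen timestamp
        self.reloads = 0

    def apply(self):
        """Reload the ruleset. As in pf, this does NOT touch existing states."""
        self.reloads += 1

    def packet(self, src, dst, proto, icmp_id, now):
        key = (src, dst, proto, icmp_id)
        last = self.states.get(key)
        if last is not None:
            if now - last < ICMP_IDLE_TIMEOUT:
                self.states[key] = now          # live state wins, rules not consulted
                return "pass (existing state)"
            del self.states[key]                # expired: fall through to the rules
        for rule in self.rules:
            if rule.enabled and rule.matches(src, proto):
                if rule.action == "pass":
                    self.states[key] = now      # a pass rule creates the state
                    return "pass (rule)"
                return "block (rule)"
        return "block (default deny)"

    def kill_states(self, src):
        """Surgeon: drop only the states from one host (cf. pfctl -k <host>)."""
        for key in [k for k in self.states if k[0] == src]:
            del self.states[key]

    def flush_states(self):
        """Hammer: drop every state (cf. Diagnostics > States > Reset)."""
        self.states.clear()


def run_ping_experiment():
    """JeGr's steps; returns (step, observed result) pairs."""
    client, lan_if = "192.0.2.50", "192.0.2.1"   # constructed addresses
    block_icmp = Rule("block", client, "icmp")
    fw = StatefulFirewall([block_icmp, Rule("pass", "any", "any")])
    log = []

    def ping(label, icmp_id, at):
        log.append((label, fw.packet(client, lan_if, "icmp", icmp_id, at)))

    ping("block rule on, first ping", icmp_id=1, at=0.0)
    block_icmp.enabled = False
    fw.apply()
    ping("block rule off, ping starts", icmp_id=1, at=1.0)
    ping("block rule off, ping continues", icmp_id=1, at=2.0)
    block_icmp.enabled = True
    fw.apply()
    ping("block rule on again, window 1 continues", icmp_id=1, at=3.0)
    ping("block rule on, window 2 (new icmp id)", icmp_id=2, at=3.0)
    # cancel window 1 long enough for its state to expire, then ping again
    ping("window 1 again after idle timeout", icmp_id=1, at=3.0 + ICMP_IDLE_TIMEOUT + 1)
    return log


def run_surgeon_vs_hammer():
    """A state created under a pass rule survives a new block rule until killed."""
    client, other, lan_if = "192.0.2.50", "192.0.2.51", "192.0.2.1"
    block_icmp = Rule("block", client, "icmp", enabled=False)
    fw = StatefulFirewall([block_icmp, Rule("pass", "any", "any")])
    fw.packet(client, lan_if, "icmp", 7, 0.0)   # states created while allowed
    fw.packet(other, lan_if, "icmp", 8, 0.0)
    block_icmp.enabled = True
    fw.apply()
    still_passing = fw.packet(client, lan_if, "icmp", 7, 1.0)
    fw.kill_states(client)                      # surgeon: only this host's states
    after_kill = fw.packet(client, lan_if, "icmp", 7, 2.0)
    other_untouched = fw.packet(other, lan_if, "icmp", 8, 2.0)
    return still_passing, after_kill, other_untouched


if __name__ == "__main__":
    for step, result in run_ping_experiment():
        print(f"{step:45s} -> {result}")
    print(run_surgeon_vs_hammer())
```

On a real box the equivalents are `pfctl -ss` to list the state table and `pfctl -k <host>` to kill only the states originating from one host, while Diagnostics > States > Reset in the GUI clears everything; the simulation's `kill_states` and `flush_states` stand in for those two.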