ICMP traffic allowed over IPsec by default?
Hello netgate forum. I've just noticed something on a netgate firewall running 2.4.4-RELEASE-p3 (amd64). It seems that even without any IPSec inbound allow firewalls rules configured, ICMP is still permitted from the remote subnet. TCP/UDP connections don't seem to behave this way.
Is this a known nuance of the pfsense firewall? Anyway to change the behavior to deny icmp traffic over IPSec VPN if you want to? I attempted to create a deny rule manually, but it gets ignored. I also tried disabling auto firewall rules for IPSec VPNs. ICMP traffic still ignores the firewall.
Nothing is allowed by default, but if you don't see a rule on the tab to allow it there are a couple ways it could still happen:
- A rule on the Floating tab that is passing it
- An existing state that matches which is passing it
The latter is likely, especially if you are testing from LAN clients on each end A-B and then B-A. If the ping is allowed from A to B then as long as the state is in the table, B can also ping A. The state will stay in the table for 30s after the last ping is seen by the firewall. That could be more/less depending on your settings.
@jimp Hi, thanks for your reply. It definitely isn't a "Floating" firewall rule, but your second point is an interesting one.
Both sides of the VPN have a standard allow everything inbound to the "LAN" zone. I guess I assumed that if there was a deny EVERYTHING inbound to the "IPSEC" zone at either side, it would prevent ping from working from the remote?
AL - A side LAN
AI - A side IPsec
BL - B side LAN
BI - B side IPsec
I assumed the firewall would process traffic like this?
AL>BI> In other words there would have to be an allow rule on the A LAN zone and an allow rule on the B IPsec zone for traffic initiated from the A LAN?
Rules are always processed inbound (except floating rules). So a lack of rules on the IPsec tab would block by default as traffic reached that interface inbound. If neither side had rules on the IPsec tab, you shouldn't be able to ping either direction. If you can, that would make me question if the traffic was really going through IPsec, or if something else is amiss.
@jimp Ya, so there is the source of my confusion. Even if I create a rule and "deny all" on the IPSec zone, ICMP happily continues to flow. However TCP and UDP traffic can be manipulated as you would expect when creating allow or deny rules on the IPsec zone. I am confident the traffic is traversing the VPN tunnel.
What is in Diagnostics > States matching ICMP before you start a new ping attempt? Have you tried killing/resetting states between tests?
There is nothing special about ICMP vs TCP or UDP in the rules. They are all treated equally when it comes to evaluating the ruleset.
You may also need to look at the detailed output from
pfctl -vvssfor the ICMP states matching your ping and compare them with the related info in
pfctl -vvsrto see which rule(s) allowed the state to be created.