
    Cannot block incoming ICMP

    2.0-RC Snapshot Feedback and Problems - RETIRED
    9 Posts 3 Posters 4.6k Views
    memothejanitor

      OK guys, I feel like an idiot. I have tried everything in my power, even read The Definitive Guide to pfSense; somehow I cannot block incoming ICMP.

      Can anybody help? Thanks.

      Click here to see in full size http://img1.uploadscreenshot.com/images/orig/4/10015041141-orig.jpg

      jimp (Rebel Alliance Developer, Netgate)

        How are you testing this?

        You might be hitting the usual issue where a constant ping would still be allowed because it has an existing state. After you save the rule, reset the states and see if you can still ping.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        memothejanitor

          @jimp:

          How are you testing this?

          You might be hitting the usual issue where a constant ping would still be allowed because it has an existing state. After you save the rule, reset the states and see if you can still ping.

          OK, I reset the states, even rebooted pfSense; I can still ping WAN and WAN2 from the internet. To test I used just-ping.com.

          jimp (Rebel Alliance Developer, Netgate)

            Do you have any rules on WAN/WAN2 that would be passing this traffic in? Though floating rules usually take precedence.

            memothejanitor

              No, I don't. I am using the default settings; I am really confused as to why it's doing that. I know it's not related, but the Ntop service does not start either, so I am wondering whether I am experiencing bugs or not.

              jimp (Rebel Alliance Developer, Netgate)

                Can you post the contents of /tmp/rules.debug? It would help narrow it down.

                ntop is a different issue; it doesn't work at all on 2.0.

                memothejanitor

```
#System aliases

loopback = "{ lo0 }"
WAN = "{ em0 }"
LAN = "{ em2 }"
WAN2 = "{ em1 }"

#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist
#pfSnortSam tables
table <snort2c>
table <pfsnortsamout>
table <pfsnortsamin>
table <virusprot>
# User Aliases

# Gateways
GWWAN = " route-to ( em0 98.101.74.1 ) "
GWWAN2 = " route-to ( em1 71.68.80.1 ) "

set loginterface em2
set optimization normal
set limit states 198000
set limit src-nodes 198000

set skip on pfsync0

scrub in on $WAN all    fragment reassemble
scrub in on $LAN all    fragment reassemble
scrub in on $WAN2 all    fragment reassemble

nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules

# Subnets to NAT
tonatsubnets = "{ 192.168.10.0/27 127.0.0.0/8  }"
nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 98.101.74.241/32 port 500
nat on $WAN  from $tonatsubnets to any -> 98.101.74.241/32 port 1024:65535

nat on $WAN2  from $tonatsubnets port 500 to any port 500 -> 71.68.80.137/32 port 500
nat on $WAN2  from $tonatsubnets to any -> 71.68.80.137/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"

# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <direct_networks> { 98.101.74.0/24 192.168.10.0/27 71.68.80.0/20 }

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"

# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

# Block all IPv6
block in quick inet6 all
block out quick inet6 all

# pfSnortSam
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 25000 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
antispoof for em0

# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for em2

# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 192.168.10.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 192.168.10.1 port = 67 to any port = 68 label "allow access to DHCP server"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
block in log quick on $WAN2 from <bogons> to any label "block bogon networks from WAN2"
antispoof for em1

# block anything from private networks on interfaces with the option set
antispoof for $WAN2
block in log quick on $WAN2 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $WAN2 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $WAN2 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $WAN2 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

# allow our DHCP client out to the WAN2
pass in on $WAN2 proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN2"
pass out on $WAN2 proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN2"

# Not installing DHCP server firewall rules for WAN2 which is configured for DHCP.

# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 98.101.74.1 ) from 98.101.74.241 to !98.101.74.0/24 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em1 71.68.80.1 ) from 71.68.80.137 to !71.68.80.0/20 keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on em2 proto tcp from any to (em2) port { 25000 443  } keep state label "anti-lockout rule"

# User-defined rules follow
block  in log  quick  on {  em0  em1  }  inet proto icmp  from any to any  label "USER_RULE: Block Incoming ICMP on WAN and WAN2"
pass  in log  quick  on $LAN  proto { tcp udp }  from  192.168.10.5  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass  in log  quick  on $LAN  $GWWAN2  proto { tcp udp }  from  192.168.10.5 to any keep state  label "USER_RULE: Vonage through WAN2"
pass  in  quick  on $LAN  from 192.168.10.0/27 to any keep state  label "USER_RULE: Default allow LAN to any rule"

# VPN Rules

anchor "tftp-proxy/*"
```

                    cmb

                    You're not passing ICMP with that ruleset. Your public IP isn't responding to ICMP either (pulled your IP from where you're accessing the forum, it matches the subnet of one of the gateways in your config so I presume that's it).

                      memothejanitor

                      @cmb:

                      You're not passing ICMP with that ruleset. Your public IP isn't responding to ICMP either (pulled your IP from where you're accessing the forum, it matches the subnet of one of the gateways in your config so I presume that's it).

                      OMG, I am so sorry, I cannot believe that I have been pinging the gateways! Something so simple… wow, never say never. Thanks.

                      Hahaha, at least I memorized The Definitive Guide to pfSense.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.