Cannot block incoming ICMP



  • OK guys, I feel like an idiot. I have tried everything in my power, even read The Definitive Guide to pfSense, and somehow I cannot block incoming ICMP.

    Can anybody help? Thanks.

    Click here to see in full size http://img1.uploadscreenshot.com/images/orig/4/10015041141-orig.jpg


  • Rebel Alliance Developer Netgate

    How are you testing this?

    You might be hitting the usual issue where a constant ping would still be allowed because it has an existing state. After you save the rule, reset the states and see if you can still ping.



  • @jimp:

    How are you testing this?

    You might be hitting the usual issue where a constant ping would still be allowed because it has an existing state. After you save the rule, reset the states and see if you can still ping.

    OK, I reset the states, even rebooted pfSense, and I can still ping WAN and WAN2 from the internet. To test I used just-ping.com.


  • Rebel Alliance Developer Netgate

    Do you have any rules on WAN/WAN2 that would be passing this traffic in? Though floating rules usually take precedence.



  • No, I don't; I am using the default settings. I am really confused as to why it's doing that. I know it's not related, but the Ntop service does not start either; I am wondering whether I am experiencing bugs or not.


  • Rebel Alliance Developer Netgate

    Can you post the contents of /tmp/rules.debug? It would help narrow it down.

    ntop is a different issue, it doesn't work at all on 2.0.



  • #System aliases

    loopback = "{ lo0 }"
    WAN = "{ em0 }"
    LAN = "{ em2 }"
    WAN2 = "{ em1 }"

    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #pfSnortSam tables
    table <snort2c>
    table <pfsnortsamout>
    table <pfsnortsamin>
    table <virusprot>
    # User Aliases

    # Gateways

    GWWAN = " route-to ( em0 98.101.74.1 ) "
    GWWAN2 = " route-to ( em1 71.68.80.1 ) "

    set loginterface em2
    set optimization normal
    set limit states 198000
    set limit src-nodes 198000

    set skip on pfsync0

    scrub in on $WAN all    fragment reassemble
    scrub in on $LAN all    fragment reassemble
    scrub in on $WAN2 all    fragment reassemble

    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # Outbound NAT rules

    # Subnets to NAT

    tonatsubnets = "{ 192.168.10.0/27 127.0.0.0/8  }"
    nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 98.101.74.241/32 port 500 
    nat on $WAN  from $tonatsubnets to any -> 98.101.74.241/32 port 1024:65535

    nat on $WAN2  from $tonatsubnets port 500 to any port 500 -> 71.68.80.137/32 port 500 
    nat on $WAN2  from $tonatsubnets to any -> 71.68.80.137/32 port 1024:65535

    # Load balancing anchor

    rdr-anchor "relayd/*"

    # TFTP proxy

    rdr-anchor "tftp-proxy/*"
    table <direct_networks> { 98.101.74.0/24 192.168.10.0/27 71.68.80.0/20 }

    # UPnPd rdr anchor

    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    #---------------------------------------------------------------------------

    # default deny rules

    #---------------------------------------------------------------------------
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.

    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # Block all IPv6

    block in quick inet6 all
    block out quick inet6 all

    # pfSnortSam

    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
    block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"

    # SSH lockout

    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

    # webConfigurator lockout

    block in log quick proto tcp from <webconfiguratorlockout> to any port 25000 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"

    # block bogon networks

    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
    antispoof for em0

    # block anything from private networks on interfaces with the option set

    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

    # allow our DHCP client out to the WAN

    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"

    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.

    antispoof for em2

    # allow access to DHCP server on LAN

    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 192.168.10.1 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 192.168.10.1 port = 67 to any port = 68 label "allow access to DHCP server"

    # block bogon networks

    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt

    block in log quick on $WAN2 from <bogons> to any label "block bogon networks from WAN2"
    antispoof for em1

    # block anything from private networks on interfaces with the option set

    antispoof for $WAN2
    block in log quick on $WAN2 from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block in log quick on $WAN2 from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block in log quick on $WAN2 from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block in log quick on $WAN2 from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"

    # allow our DHCP client out to the WAN2

    pass in on $WAN2 proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN2"
    pass out on $WAN2 proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN2"

    # Not installing DHCP server firewall rules for WAN2 which is configured for DHCP.

    # loopback

    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"

    # let out anything from the firewall host itself and decrypted IPsec traffic

    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em0 98.101.74.1 ) from 98.101.74.241 to !98.101.74.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em1 71.68.80.1 ) from 71.68.80.137 to !71.68.80.0/20 keep state allow-opts label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webConfigurator or SSH

    pass in quick on em2 proto tcp from any to (em2) port { 25000 443  } keep state label "anti-lockout rule"

    # User-defined rules follow

    block  in log  quick  on {  em0  em1  }  inet proto icmp  from any to any  label "USER_RULE: Block Incoming ICMP on WAN and WAN2"
    pass  in log  quick  on $LAN  proto { tcp udp }  from  192.168.10.5  to <vpns> keep state  label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass  in log  quick  on $LAN  $GWWAN2  proto { tcp udp }  from  192.168.10.5 to any keep state  label "USER_RULE: Vonage through WAN2"
    pass  in  quick  on $LAN  from 192.168.10.0/27 to any keep state  label "USER_RULE: Default allow LAN to any rule"

    # VPN Rules

    anchor "tftp-proxy/*"



  • You're not passing ICMP with that ruleset. Your public IP isn't responding to ICMP either (pulled your IP from where you're accessing the forum, it matches the subnet of one of the gateways in your config so I presume that's it).
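
    The two traps in this thread (a running ping kept alive by an existing state, and pinging the ISP gateway instead of the firewall) can both be checked from the firewall's own shell. The script below is an added example, not code from this thread or from pfSense. It works on a constructed excerpt of the rules.debug quoted above (the addresses 98.101.74.1 / 98.101.74.241 and 71.68.80.1 / 71.68.80.137 are copied from that post) and on a constructed `pfctl -ss` listing; the helper names `classify_target` and `inbound_icmp_states` and the sample state lines are assumptions of this example. On a live box you would feed it `cat /tmp/rules.debug` and `pfctl -ss` instead of the embedded strings.

```shell
#!/bin/sh
# Added example (not from the forum thread): decide whether a ping target is
# the firewall's own WAN address or the upstream gateway, and list the remote
# hosts whose existing ICMP states would still let a ping through after an
# ICMP block rule is added. Run on the pfSense shell with real input:
#   RULES_DEBUG=$(cat /tmp/rules.debug); STATES=$(pfctl -ss)

# Constructed excerpt, same shape as the rules.debug quoted in the thread.
RULES_DEBUG='GWWAN = " route-to ( em0 98.101.74.1 ) "
GWWAN2 = " route-to ( em1 71.68.80.1 ) "
nat on $WAN  from $tonatsubnets to any -> 98.101.74.241/32 port 1024:65535
nat on $WAN2  from $tonatsubnets to any -> 71.68.80.137/32 port 1024:65535
block  in log  quick  on {  em0  em1  }  inet proto icmp  from any to any  label "USER_RULE: Block Incoming ICMP on WAN and WAN2"'

# Constructed "pfctl -ss" output (assumed format: iface proto src dir dst state).
# The em0 line is an inbound ICMP echo state from a remote host, the kind that
# keeps a continuous ping alive until the state is killed.
STATES='em0 icmp 98.101.74.241:26443 <- 203.0.113.5:26443       0:0
em2 tcp 192.168.10.5:51234 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED'

# Upstream gateway addresses: the host in every "route-to ( ifN a.b.c.d )".
gateways() {
    printf '%s\n' "$RULES_DEBUG" \
      | sed -n 's/.*route-to ( [a-z0-9]* \([0-9.]*\) ).*/\1/p' | sort -u
}

# The firewall's own WAN addresses: the translation address of each
# outbound NAT rule ("-> a.b.c.d/32").
wan_addresses() {
    printf '%s\n' "$RULES_DEBUG" \
      | sed -n 's/^nat on .* -> \([0-9.]*\)\/32.*/\1/p' | sort -u
}

# classify_target IP: prints "gateway", "firewall" or "unknown".
# A reply from a "gateway" address says nothing about the firewall's rules;
# the ISP router answers that ping, not pf.
classify_target() {
    ip=$1
    if gateways | grep -qx "$ip"; then
        echo gateway
    elif wan_addresses | grep -qx "$ip"; then
        echo firewall
    else
        echo unknown
    fi
}

# inbound_icmp_states IFACE: remote hosts holding inbound ICMP states on
# that interface. Kill them with "pfctl -k <host>" (or all states with
# "pfctl -F states") after saving the block rule, then re-test.
inbound_icmp_states() {
    printf '%s\n' "$STATES" \
      | awk -v ifc="$1" '$1 == ifc && $2 == "icmp" && $4 == "<-" { sub(/:.*/, "", $5); print $5 }'
}

# Usage: classify_target 98.101.74.1 -> gateway; inbound_icmp_states em0 -> 203.0.113.5
```

    Parsing the outbound NAT target for the WAN address is a shortcut that holds for this ruleset (each WAN has a single /32 translation address); on a box with virtual IPs or manual outbound NAT, read the interface address from `ifconfig` instead.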



  • @cmb:

    You're not passing ICMP with that ruleset. Your public IP isn't responding to ICMP either (pulled your IP from where you're accessing the forum, it matches the subnet of one of the gateways in your config so I presume that's it).

    OMG, I am so sorry, I cannot believe that I have been pinging the gateways! Something so simple… wow, never say never. Thanks.

    Hahaha, at least I memorized The Definitive Guide to pfSense.

