Hi,

After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd with tag RELENG_4_8), the machine cannot be ping'd by others on the same network.

In addition, the machine cannot ping itself.

ping localhost (or 127.0.0.1) -> no route to host
ping itself with its own ip address -> no route to host

The freebsd box, with an external pppoe connection, is configured as a gateway with nat. Interestingly, all machines on the lan can access the internet via the freebsd box normally even though the freebsd box cannot be ping'd from these machines.

The routing table is fine. All these problems go away if I remove the option IPFILTER_DEFAULT_BLOCK from the kernel conf. I make clean before buildworld/kernel.

Thank you.
e_chelon
That's how it is meant to work. Good to know it's working as intended.

Cheers,
Darren
On Mon, 29 Sep 2003 20:27:35 -0700 (PDT) echelon <e_chelon@yahoo.com> wrote:

> Hi,
>
> After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd
> with tag RELENG_4_8), the machine cannot be ping'd by others on the same network.
>
> Thank you.
> e_chelon

This is IPF's proper behavior. You will need to add some rules to your ipf.rules file. Try adding the rules:

pass in quick on lo0 all
pass out quick on lo0 all
pass in log quick on (some nic) all
pass out log quick on (some nic) all

Run /sbin/ipf -Fa -f /etc/ipf.rules when you're done :)

--
Talon
You should allow the ICMP protocol to your server from wherever you want, LAN or outside. The ICMP protocol is used by the ping utility. When you add IPFILTER_DEFAULT_BLOCK, your firewall stops everything that is not explicitly allowed, including ICMP packets, so you can't ping the server.

----- Original Message -----
From: "echelon" <e_chelon@yahoo.com>
To: <freebsd-stable@freebsd.org>; <freebsd-security@freebsd.org>
Sent: Tuesday, September 30, 2003 4:27 AM
Subject: IPFILTER_DEFAULT_BLOCK & No route to host

> Hi,
>
> After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd
> with tag RELENG_4_8), the machine cannot be ping'd by others on the same network.
>
> In addition, the machine cannot ping itself.
>
> ping localhost (or 127.0.0.1) -> no route to host
> ping itself with its own ip address -> no route to host
>
> The freebsd box, with an external pppoe connection, is configured as a gateway with nat.
> Interestingly, all machines on the lan can access the internet via the freebsd box normally even
> though the freebsd box cannot be ping'd from these machines.
>
> The routing table is fine. All these problems go away if I remove the option
> IPFILTER_DEFAULT_BLOCK from the kernel conf. I make clean before buildworld/kernel.
>
> Thank you.
> e_chelon
On Mon, 29 Sep 2003 20:27:35 -0700 (PDT) echelon <e_chelon@yahoo.com> wrote:

> Hi,
>
> After the option IPFILTER_DEFAULT_BLOCK is specified at kernel conf on FreeBSD 4.8 stable (cvsup'd
> with tag RELENG_4_8), the machine cannot be ping'd by others on the same network.
>
> In addition, the machine cannot ping itself.
>
> ping localhost (or 127.0.0.1) -> no route to host
> ping itself with its own ip address -> no route to host
>
> The freebsd box, with an external pppoe connection, is configured as a gateway with nat.
> Interestingly, all machines on the lan can access the internet via the freebsd box normally even
> though the freebsd box cannot be ping'd from these machines.
>
> The routing table is fine. All these problems go away if I remove the option
> IPFILTER_DEFAULT_BLOCK from the kernel conf. I make clean before buildworld/kernel.

You need to create and load an ipfilter rule set. For a start, create /etc/ipf.rules containing:

pass in on lo0 all
pass out on lo0 all
pass in on xl0 all
pass out on xl0 all
# * xl0 should be changed to your ethernet interface type.

Then in your /etc/rc.conf:

ipfilter_enable="YES"                    # Set to YES to enable ipfilter functionality
ipfilter_program="/sbin/ipf"             # where the ipfilter program lives
ipfilter_rules="/etc/ipf.rules"          # rules definition file for ipfilter.
ipfilter_flags="-F a -f /etc/ipf.rules"  # additional flags for ipfilter

This should get you started, good luck.

P.S. Cross posting is not usually a good idea; freebsd-questions is the right place for stuff like this.

Cheers,

Stephen Hilton
nospam@hiltonbsd.com
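The two rule sets offered in this thread differ in one detail that matters in ipf: Talon's rules carry `quick`, Stephen's do not. ipf scans the whole list and lets the last matching rule win unless a matching rule is `quick`, and IPFILTER_DEFAULT_BLOCK only decides what happens when nothing matches at all. The following Python model is added here as an illustration (it is not code from the thread or from IPFilter) and parses only the small subset of ipf syntax used above, an assumption of the example, to show how a loopback ping and a LAN ping fare under an empty rule set, under the loopback rules, and under rule orderings with and without `quick`:

```python
# Tiny model of how IPFilter (ipf) decides a packet's fate (simplified):
#  * rules are scanned top to bottom and the LAST matching rule wins,
#  * unless a matching rule says `quick`, which ends the scan at once,
#  * no match -> kernel default: block with IPFILTER_DEFAULT_BLOCK, else pass.
# Only this subset of ipf syntax is parsed (an assumption of this example):
#  (pass|block) (in|out) [log] [quick] on <iface> (all | proto <p> from any to any)
import re
from collections import namedtuple

RULE_RE = re.compile(
    r"^(pass|block)\s+(in|out)(?:\s+(log))?(?:\s+(quick))?\s+on\s+(\S+)\s+"
    r"(?:(all)|proto\s+(\S+)\s+from\s+any\s+to\s+any)$"
)
# direction: "in"/"out"; iface: e.g. "lo0", "xl0"; proto: "icmp", "tcp", "udp"
Packet = namedtuple("Packet", "direction iface proto")

def parse_rules(text):
    """Turn ipf.rules text into (action, direction, quick, iface, proto) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        action, direction, _log, quick, iface, is_all, proto = m.groups()
        rules.append((action, direction, quick is not None, iface,
                      "any" if is_all else proto))
    return rules

def verdict(rules, pkt, default_block=True):
    """Return 'pass' or 'block' for pkt under the given rule list."""
    result = "block" if default_block else "pass"
    for action, direction, quick, iface, proto in rules:
        if direction != pkt.direction or iface != pkt.iface:
            continue
        if proto != "any" and proto != pkt.proto:
            continue
        result = action  # last match so far wins...
        if quick:
            break        # ...unless it is quick
    return result

# Constructed inputs: the loopback rules from the thread, and a pass rule followed
# by a later ICMP block on the LAN NIC, with and without `quick` on the pass rule.
LOOPBACK = "pass in on lo0 all\npass out on lo0 all\n"
ORDERED = "pass in on xl0 all\nblock in on xl0 proto icmp from any to any\n"
ORDERED_QUICK = ORDERED.replace("pass in on", "pass in quick on")
LOCAL_PING = Packet("out", "lo0", "icmp")  # ping 127.0.0.1 leaves via lo0
```

With an empty rule set and the default-block kernel the loopback ping is blocked, which is the symptom in the original post; with the loopback rules it passes, and the ORDERED pair shows that a later `block` overrides an earlier plain `pass` until the `pass` is made `quick`.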