On Thu, 2004-11-25 at 16:09 -0800, Shawn Wright wrote:
> Sorry for the frantic nature of this message, but we need to allow pings on
> our firewall so our ISP can test things. I've done this, and it still doesn't
> work: (I am now at v.2.0.10)
>
> rules:
> AllowPing net fw
> AllowPing sls fw
>
> show indicates some matches, so where are they?
>
> Chain AllowPing (4 references)
> pkts bytes target prot opt in out source destination
> 1144 70108 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
> icmp type 8
>
> Clearly I am missing something here - I read the docs on AllowPing and it
> seems simple. What else do I need to check to find where these packets
> are going?

In these cases, the more important question is "Where are the replies going?"

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Sorry for the frantic nature of this message, but we need to allow pings on
our firewall so our ISP can test things. I've done this, and it still doesn't
work: (I am now at v.2.0.10)

rules:
AllowPing net fw
AllowPing sls fw

show indicates some matches, so where are they?

Chain AllowPing (4 references)
pkts bytes target prot opt in out source destination
1144 70108 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
icmp type 8

Clearly I am missing something here - I read the docs on AllowPing and it
seems simple. What else do I need to check to find where these packets
are going?

Thanks.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
On 25 Nov 2004 at 16:05, Tom Eastep wrote:
> On Thu, 2004-11-25 at 16:09 -0800, Shawn Wright wrote:
> > Sorry for the frantic nature of this message, but we need to allow pings on
> > our firewall so our ISP can test things. I've done this, and it still doesn't
> > work: (I am now at v.2.0.10)
> >
> > rules:
> > AllowPing net fw
> > AllowPing sls fw
> >
> > show indicates some matches, so where are they?
> >
> > Chain AllowPing (4 references)
> > pkts bytes target prot opt in out source destination
> > 1144 70108 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
> > icmp type 8
> >
> > Clearly I am missing something here - I read the docs on AllowPing and it
> > seems simple. What else do I need to check to find where these packets
> > are going?
>
> In these cases, the more important question is "Where are the replies
> going?"

They *should* be getting back... I can ping from the fw to other hosts,
below is the route table. But I can't ping from a local host to the fw. I've
even tried this in my rules (sls is the local zone):

ACCEPT sls fw
ACCEPT fw sls

Then I tried this in my policy
sls fw ACCEPT
fw sls ACCEPT

Pings from fw to sls work just fine:

[root@fw shorewall]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
139.142.65.144 0.0.0.0 255.255.255.248 U 0 0 0 eth1
139.142.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 139.142.65.145 0.0.0.0 UG 0 0 0 eth1
[root@fw shorewall]# ping 139.142.66.4
PING 139.142.66.4 (139.142.66.4) 56(84) bytes of data.
64 bytes from 139.142.66.4: icmp_seq=1 ttl=128 time=0.909 ms
64 bytes from 139.142.66.4: icmp_seq=2 ttl=128 time=0.343 ms

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Shawn Wright, I.T. Manager
Shawnigan Lake School
http://www.sls.bc.ca
swright@sls.bc.ca
On Thu, 2004-11-25 at 16:22 -0800, Shawn Wright wrote:
> On 25 Nov 2004 at 16:05, Tom Eastep wrote:
>
> > On Thu, 2004-11-25 at 16:09 -0800, Shawn Wright wrote:
> > > Sorry for the frantic nature of this message, but we need to allow pings on
> > > our firewall so our ISP can test things. I've done this, and it still doesn't
> > > work: (I am now at v.2.0.10)
> > >
> > > rules:
> > > AllowPing net fw
> > > AllowPing sls fw
> > >
> > > show indicates some matches, so where are they?
> > >
> > > Chain AllowPing (4 references)
> > > pkts bytes target prot opt in out source destination
> > > 1144 70108 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
> > > icmp type 8
> > >
> > > Clearly I am missing something here - I read the docs on AllowPing and it
> > > seems simple. What else do I need to check to find where these packets
> > > are going?
> >
> > In these cases, the more important question is "Where are the replies
> > going?"
>
> They *should* be getting back... I can ping from the fw to other hosts,
> below is the route table. But I can't ping from a local host to the fw. I've
> even tried this in my rules (sls is the local zone):
>
> ACCEPT sls fw
> ACCEPT fw sls
>
> Then I tried this in my policy
> sls fw ACCEPT
> fw sls ACCEPT
>
> Pings from fw to sls work just fine:
>
> [root@fw shorewall]# route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 139.142.65.144 0.0.0.0 255.255.255.248 U 0 0 0 eth1
> 139.142.66.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
> 0.0.0.0 139.142.65.145 0.0.0.0 UG 0 0 0 eth1
> [root@fw shorewall]# ping 139.142.66.4
> PING 139.142.66.4 (139.142.66.4) 56(84) bytes of data.
> 64 bytes from 139.142.66.4: icmp_seq=1 ttl=128 time=0.909 ms
> 64 bytes from 139.142.66.4: icmp_seq=2 ttl=128 time=0.343 ms

Now you know why I always ask for the entire output of "shorewall status" -- but you, like everyone else on this list ignore what I ask...

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On 25 Nov 2004 at 17:15, Tom Eastep wrote:
> On Thu, 2004-11-25 at 17:11 -0800, Shawn Wright wrote:
> > On 25 Nov 2004 at 17:03, Tom Eastep wrote:
> >
> > > On Thu, 2004-11-25 at 16:52 -0800, Shawn Wright wrote:
> > >
> > > > > Now you know why I always ask for the entire output of "shorewall
> > > > > status" -- but you, like everyone else on this list ignore what I ask...
> > > >
> > > > Sorry, Tom. Here it is, zipped. I can send plain also, but it is
> > > > 125K, and I don't know what the limit is for this list.
> > >
> > > And with this configuration, pings from the 'sls' zone to the firewall
> > > are not replied?
> >
> > Nope. I can ping anything on sls from the fw, but not from fw to sls.
> > I have also tried to allow ping from net 2 fw, with no luck. I have another
> > machine with a different ISP connection running, and could not ping from
> > there to the fw net interface.
>
> What output does this script produce?
>
> for file in /proc/sys/net/ipv4/icmp_echo_ignore*; do
> echo $file=$(cat $file)
> done

/proc/sys/net/ipv4/icmp_echo_ignore_all=1
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts=1

I changed it to
/proc/sys/net/ipv4/icmp_echo_ignore_all=0
and ping now works! Thanks! I suppose this must have come from the
Mandrake 9.2 security 'features', since I certainly didn't change it. I've
copied this to the list in case this issue comes up for someone else.

Thanks again.

Shawn Wright, I.T. Manager
Shawnigan Lake School
swright@sls.bc.ca
On Thu, 2004-11-25 at 17:23 -0800, Shawn Wright wrote:
> > What output does this script produce?
> >
> > for file in /proc/sys/net/ipv4/icmp_echo_ignore*; do
> > echo $file=$(cat $file)
> > done
>
> /proc/sys/net/ipv4/icmp_echo_ignore_all=1
> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts=1
>
> I changed it to
> /proc/sys/net/ipv4/icmp_echo_ignore_all=0
> and ping now works! Thanks! I suppose this must have come from the
> Mandrake 9.2 security 'features', since I certainly didn't change it. I've
> copied this to the list in case this issue comes up for someone else.

Be sure that you modify the underlying Mandrake config file or the problem will come back the next time that you reboot.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
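The failure mode in this thread (iptables ACCEPT counters climb for ICMP type 8, yet no reply ever leaves the host because the kernel's icmp_echo_ignore_all sysctl is 1) and Tom's caveat about persisting the fix across reboots, written up as an added example that is not part of the thread. The directory argument and the sysctl-style config file are assumptions so the checks can be run against a constructed snapshot rather than the live /proc tree.

```shell
#!/bin/sh
# Added example: diagnose "firewall accepts echo-request, host never replies".
# Assumption: knob files live under DIR (defaults to the live /proc path), so a
# constructed copy of the values from the thread can be checked offline.

# Print name=value for every icmp_echo_ignore* knob under DIR.
icmp_echo_knobs() {
    dir=${1:-/proc/sys/net/ipv4}
    for file in "$dir"/icmp_echo_ignore*; do
        [ -f "$file" ] || continue
        printf '%s=%s\n' "$(basename "$file")" "$(cat "$file")"
    done
}

# Return 0 if the kernel will answer unicast echo-requests that the firewall
# accepts, 1 if icmp_echo_ignore_all=1 drops them after iptables ACCEPTs them.
# A missing knob is treated as the kernel default (0).
will_answer_ping() {
    dir=${1:-/proc/sys/net/ipv4}
    val=$(cat "$dir/icmp_echo_ignore_all" 2>/dev/null || echo 0)
    [ "$val" = "0" ]
}

# Return 0 if a sysctl-style config file (assumed location, e.g. /etc/sysctl.conf)
# persists net.ipv4.icmp_echo_ignore_all = 0, so the fix survives a reboot.
persisted_in() {
    grep -Eq '^[[:space:]]*net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1" 2>/dev/null
}

# Constructed snapshot of the values Shawn reported, run through the checks.
demo() {
    tmp=$(mktemp -d)
    echo 1 > "$tmp/icmp_echo_ignore_all"
    echo 1 > "$tmp/icmp_echo_ignore_broadcasts"
    icmp_echo_knobs "$tmp"
    if will_answer_ping "$tmp"; then
        echo "kernel answers ping: look at the firewall rules"
    else
        echo "kernel ignores ALL echo-requests: fix the sysctl, not the rules"
    fi
    rm -rf "$tmp"
}

demo
```

Run it on a real host with no argument to read the live knobs; `persisted_in /etc/sysctl.conf` (or the distribution's equivalent file) tells you whether the runtime change will outlive the next reboot.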
On Thu, 2004-11-25 at 17:23 -0800, Shawn Wright wrote:
> On 25 Nov 2004 at 17:15, Tom Eastep wrote:
> I've copied this to the list in case this issue comes up for someone
> else.

And the next 2.2.0 Beta will include 'icmp_echo_ignore_all' in the /proc display.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key