bsd packet filter on Solaris, why ping not allowed?

I have two interfaces: one is net0 with IP 192.168.0.30, the other is vnic0 with IP 10.2.0.1.
This is my pf.conf; Solaris is 11.4.

```
ext_if="net0"
int_if="vnic0"
localnet="192.168.0.0/24"
internalnet="10.2.0.0/24"
int_tcp_services = "www, https"
int_udp_services = "domain"
set skip on lo
set loginterface $ext_if
block return in log all
block out all
antispoof quick for $ext_if
# Block rapid-fire brute force attempts
table <bruteforce> persist
block quick from <bruteforce>
# enable icmp for localnet
pass inet proto icmp from $localnet to any keep state
pass inet proto icmp from $internalnet to any keep state
pass inet proto icmp from any to $ext_if keep state
pass inet proto icmp from any to $int_if keep state
# SSH is listening on port 22
pass in quick proto tcp to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# bind is listening on port 53
pass in quick proto tcp to $int_if port 53 keep state
pass in quick proto udp to $int_if port 53 keep state
# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
```

Ping is accepted for all interfaces with the firewall disabled.
Ping is accepted for net0 only with the firewall enabled.
Any solution?

solaris pf
asked Mar 16 at 22:19
elbarna
3,79393477
2 Answers
I think there is a typo in the ruleset; you want to do s/set skip on lo/set skip on lo0/. This should fix the firewall misbehavior for local pings. Note that all local traffic is bound to lo0, although you might be probing addresses bound to NICs. The antispoof kicks in for such pings.
answered Mar 19 at 13:41
SashaN
1113
accepted
Solution found, using this basic but working .conf, copied from here and edited:

```
# Vars
ext_if="net0"
int_if="vnic0"
webports="443, 80"
## make IP reassembly work
set reassemble yes no-df
## ignore loopback traffic
set skip on lo0
# block everything unless told otherwise
# and send TCP-RST/ICMP unreachable
# for every packet which gets blocked
block return in log all
pass out all
# accept incoming SSH connections
pass in proto tcp to $ext_if port 22
# accept webserver connections
pass in proto tcp to $ext_if port $webports
# accept icmp
pass in proto icmp all
## allow incoming messages from DHCP
pass in inet proto udp from port 67 to port 68
pass in inet6 proto udp from port 547 to port 546
## packet too big - needed for PMTUD
pass in inet6 proto ipv6-icmp icmp6-type 2
## router advertisement
pass in inet6 proto ipv6-icmp icmp6-type 134
## neighbor solicitation
pass in inet6 proto ipv6-icmp icmp6-type 135
## neighbor advertisement
pass in inet6 proto ipv6-icmp icmp6-type 136
## allow all connections initiated from this system,
## including DHCP requests
pass out
```
edited Mar 17 at 0:07
answered Mar 16 at 22:28
elbarna
3,79393477
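As an added example (not code from the question or from either answer), here is a small POSIX shell lint that checks a pf.conf for the two points this thread turns on before the ruleset is loaded: that the loopback skip names lo0, as SashaN's answer recommends and the accepted ruleset uses, and that at least one ICMP pass rule exists so ping does not fall through to the block-all default. Where pfctl is installed it also runs a parse-only load with pfctl -nf. The two sample rulesets it writes are constructed fragments modelled on the question's and the accepted answer's configs; the function names and temporary file paths are assumptions for this example, and nothing here touches the live /etc/firewall/pf.conf.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: lint a pf.conf
# for the two points this thread turns on, then (where pfctl exists) parse-check
# it with 'pfctl -nf'. Function names, sample rulesets and temp paths are
# constructed for this example.

# 0 if the file skips filtering on lo0 (the form the accepted answer uses), 1 otherwise.
has_lo0_skip() {
    grep -Eq '^[[:space:]]*set[[:space:]]+skip[[:space:]]+on[[:space:]]+lo0([[:space:]]|$)' "$1"
}

# 0 if at least one 'pass ... proto icmp' rule exists, 1 otherwise.
has_icmp_pass() {
    grep -Eq '^[[:space:]]*pass[[:space:]].*proto[[:space:]]+icmp([[:space:]]|$)' "$1"
}

# Prints one WARN line per finding and returns the number of findings (0 = clean).
lint_pf_conf() {
    findings=0
    if ! has_lo0_skip "$1"; then
        echo "WARN: $1: no 'set skip on lo0'; local traffic on lo0 stays filtered, so antispoof can drop local pings"
        findings=$((findings + 1))
    fi
    if ! has_icmp_pass "$1"; then
        echo "WARN: $1: no 'pass ... proto icmp' rule; ping falls through to 'block return in log all'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Echoes the finding count so callers need no exit-status plumbing (safe under set -e).
count_findings() {
    n=0
    lint_pf_conf "$1" >/dev/null || n=$?
    echo "$n"
}

# Parse-only load: pfctl -nf reports syntax errors without changing the live ruleset.
syntax_check() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1" && echo "$1: parses cleanly" || echo "$1: pfctl rejected the ruleset"
    else
        echo "$1: pfctl not found, parse check skipped"
    fi
}

# Constructed sample: the loopback line as in the question ('lo', not 'lo0').
write_question_style_conf() {
cat > "$1" <<'EOF'
ext_if="net0"
localnet="192.168.0.0/24"
set skip on lo
block return in log all
block out all
antispoof quick for $ext_if
pass inet proto icmp from $localnet to any keep state
EOF
}

# Constructed sample: the loopback line as in the accepted answer ('lo0').
write_answer_style_conf() {
cat > "$1" <<'EOF'
ext_if="net0"
set skip on lo0
block return in log all
pass out all
pass in proto icmp all
EOF
}

main() {
    tmp=$(mktemp -d) || exit 1
    write_question_style_conf "$tmp/question.conf"
    write_answer_style_conf "$tmp/answer.conf"
    for f in "$tmp/question.conf" "$tmp/answer.conf"; do
        if lint_pf_conf "$f"; then
            echo "$f: clean"
        else
            echo "$f: $? finding(s)"
        fi
        syntax_check "$f"
    done
    rm -rf "$tmp"
}
main
```

Run against the question's ruleset the lint reports one finding (the lo vs lo0 skip) and against the accepted answer's ruleset none; on a Solaris 11.4 host with pfctl in PATH the parse step additionally catches syntax errors before `svcadm` or `pfctl -f` loads the file.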