Firewall ipfw in FreeBSD
I have a doubt with respect to the functionality of the IPFW firewall in FreeBSD. My scenario is the following:
All these machines are running FreeBSD, and all of them are virtual machines. The thing is that I don't understand one thing. If I add a rule in IPFW in the firewall machine to block pings from machine 2 to machine 1, I don't know why this block is bidirectional. I mean, I put this rule:
ipfw add 02000 deny icmp from 10.0.2.2 to 10.0.1.2
With this I understand that the firewall will block any ICMP packet coming from 10.0.2.2 (machine on the right in the picture) to 10.0.1.2 (machine on the left in the picture), but what really happens is that, OK, machine 2 cannot ping machine 1, but machine 1 cannot ping machine 2 either! Why is that? The rules of IPFW are the following:
Pictures of the pings:
freebsd ping ipfw
What evidence do you have that the ICMP packets from machine 1 do not make it through the firewall to machine 2? Please provide details. ping would not be successful, since the return packet from machine 2 would not make it through the firewall to machine 1.
– cherdt, Apr 27 at 14:45
Ahh that's true, the response of machine 2 will not arrive at machine 1 because of the firewall. Thanks!!
– victor26567, Apr 27 at 14:54
Don't post a screenshot of text. Copy-paste the text.
– Gilles, Apr 29 at 15:20
@cherdt Since your comment is a good answer, please add it as one.
– Raphael Ahrens, May 1 at 9:07
edited Apr 29 at 15:19 by Gilles
asked Apr 27 at 14:23 by victor26567
1 Answer
You can confirm whether or not machine 2 is receiving and responding to ICMP packets using tcpdump, e.g.:
sudo tcpdump -i eth0 icmp
In the case you have described, ping would not be successful because the return packet from machine 2 would be blocked by the firewall on machine 1.
answered May 2 at 15:29 by cherdt
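Added example, not part of the original question or answer: a toy first-match evaluator (not ipfw itself) that shows why the rule from the question stops ping in both directions, and how the same rule narrowed with ipfw's `icmptypes 8` option (echo request only) blocks just machine 2's pings. It assumes every packet not matched by rule 02000 is allowed by a later rule, since the full ruleset is not shown on the page; all function and variable names are made up for the illustration.

```python
# Added illustration: a toy first-match evaluator, not ipfw itself.
# Assumption: any packet not matched by rule 02000 is allowed by a later rule.
ECHO_REPLY, ECHO_REQUEST = 0, 8          # ICMP type numbers

M1, M2 = "10.0.1.2", "10.0.2.2"          # addresses from the question

# Rule from the question: deny icmp from 10.0.2.2 to 10.0.1.2
ORIGINAL = [{"action": "deny", "src": M2, "dst": M1, "icmptypes": None}]
# Narrowed variant: the same rule with "icmptypes 8" appended
NARROWED = [{"action": "deny", "src": M2, "dst": M1,
             "icmptypes": {ECHO_REQUEST}}]


def verdict(rules, src, dst, icmp_type):
    """Return the action of the first matching rule, else 'allow'."""
    for rule in rules:
        if rule["src"] != src or rule["dst"] != dst:
            continue
        types = rule["icmptypes"]
        if types is not None and icmp_type not in types:
            continue
        return rule["action"]
    return "allow"


def ping_succeeds(rules, pinger, target):
    """A ping needs the echo request to arrive AND the echo reply to return."""
    request = verdict(rules, pinger, target, ECHO_REQUEST)
    reply = verdict(rules, target, pinger, ECHO_REPLY)
    return request == "allow" and reply == "allow"


def summary(rules):
    """Outcome of a ping in each direction through the firewall."""
    return {"m1_pings_m2": ping_succeeds(rules, M1, M2),
            "m2_pings_m1": ping_succeeds(rules, M2, M1)}


if __name__ == "__main__":
    print("original:", summary(ORIGINAL))
    print("narrowed:", summary(NARROWED))
```
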