Welcome, Guest. Please login or register.
Did you miss your activation email?
Monday 23 December 2024, 08:29:45 pm

Login with username, password and session length

The Latest Endian Firewall is now available for download HERE
14262 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  I can not ping from internet to red interface
0 Members and 0 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: I can not ping from internet to red interface  (Read 22415 times)
razametal
Full Member
***
Offline Offline

Posts: 15


« on: Friday 16 July 2010, 06:36:50 am »

Hi,

I've EndianFW 2.4.1 and can not ping from internet to the RED interface.

I'm allowing the ICMP protocol with ports number 8 and 30 on Firewall, system access, I'm attaching an screenshot of the rules that i've applied.

Do I need to setup more rules ? What can be wrong?

Logged
DFen
Full Member
***
Offline Offline

Posts: 46


« Reply #1 on: Sunday 18 July 2010, 11:08:21 pm »

razametal

What are you using as your Internet connection?

Can you confirm your IP is pingable when endian is not connected - i.e. connect a PC via same router to the Internet.

Have you checked that your router allows ping?
Logged
razametal
Full Member
***
Offline Offline

Posts: 15


« Reply #2 on: Tuesday 20 July 2010, 12:42:13 am »

Yes, the IP can reply icmp packets from internet when I connect another device.
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #3 on: Tuesday 20 July 2010, 12:54:46 am »

Just a note. System access firewall are meant to access the system (i.e. Endian Firewall), not incoming traffic. I'm seeing a lot of rules related to incoming traffic there.
Did it work this way?

_____________________________________________________________________________________________________________________________
Yo tengo varias reglas de acceso externas pero asignadas a IP's fijas. No tengo necesidad de ofrecer ping ni nada, sólo es acceso administrativo.
Si algo no te funciona activa el logging y empieza a ver los informes de tráfico entrante, a ver si te tira paquetes.
Prueba a poner reglas más permisivas. Por ejemplo <ANY> <RED> <Any Service> con log activado, y ver si así hace ping.
Si hace ping, miras los logs a ver qué está llegando.
Logged
razametal
Full Member
***
Offline Offline

Posts: 15


« Reply #4 on: Tuesday 20 July 2010, 01:55:58 am »

I need these rules applied to make the port redirection works. I'll be testing disbling it.
Logged
DFen
Full Member
***
Offline Offline

Posts: 46


« Reply #5 on: Tuesday 20 July 2010, 02:18:01 am »

I do not have any problems.

In System Access I have:

6     <ANY>     RED     ICMP/8 ICMP/30   ALLOW    icmp ping

So far as I can see the only difference is that I specify RED  instead of uplink main.

Looking at the iptables, it appears to enter the rules in INPUTFW something like this:

 2521  158K ACCEPT     icmp --  eth3   *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/sec burst 5 mode srcip-dstip icmp type 8
    0     0 ACCEPT     icmp --  eth3   *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/sec burst 5 mode srcip-dstip icmp type 30

This will limit the number of pings to 3/sec with an initial burst up to 5.

I tried the following frm an external Linux server:
ping -i 0.01 -c 100 xx.xx.xx.226

--- xx.xx.xx.226 ping statistics ---
100 packets transmitted, 8 received, 92% packet loss, time 1243ms
rtt min/avg/max/mdev = 18.322/18.368/18.409/0.181 ms, pipe 2

However
ping  -c 100 xx.xx.xx.226

--- xx.xx.xx.226 ping statistics ---
100 packets transmitted, 100 received, 0% packet loss, time 99397ms
rtt min/avg/max/mdev = 18.318/27.785/231.654/38.228 ms

This may not help at all - however if you run
iptables -L INPUTFW -nv | grep icmp you will see if the packet/byte counts are zero (first two items on each line)
Logged
DFen
Full Member
***
Offline Offline

Posts: 46


« Reply #6 on: Tuesday 20 July 2010, 02:30:49 am »

I need these rules applied to make the port redirection works. I'll be testing disbling it.


You should not need additional rules where you have set up port forwarding.
PForward is done in the nat table and before routing. It changes the destination address to your defined destination IP, so the traffic is routed from RED to GREEN/ORANGE. Endian will automatically enter rules to allow this!

Logged
razametal
Full Member
***
Offline Offline

Posts: 15


« Reply #7 on: Tuesday 20 July 2010, 02:41:31 am »

Ahh.. great to know it. Then I'll be disbling these system access rules.

Thank you for the information.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.094 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com