wmoran at potentialtech.com
Thu Mar 29 18:36:18 UTC 2007
In response to "Michael Grant" <mg-fbsd3 at grant.org>:
> Is there
> On 3/29/07, Bill Moran <wmoran at potentialtech.com> wrote:
> > In response to "Michael Grant" <mg-fbsd3 at grant.org>:
> > > A while ago I installed 6.1 on a box. I noticed that I cannot ping
> > > this box even though I can log into it. The pings are arriving at the
> > > box because I can see them with tcp dump. They're not being blocked
> > > by ipf because nothing shows up in ipmon. I added rules specifically
> > > to allow icmp in ipfw, even though ipfw was wide open allowing
> > > everything in and out. My box still does not respond to pings. Is
> > > there something I need to do to manually enable pings on freebsd 6?
> > There is nothing special that needs done for FreeBSD 6 to respond to
> > pings.
> > Are you using IPFW or ipfilter? You seem to indicate that you're using
> > both, which would not be the best of ideas. Post your firewall rules
> > so list members can have a look. Are you sure the machine that is sending
> > pings is not firewalling off the ICMP responses?
Please don't top-post.
> I'm fairly sure the problem is not in ipf, something I've been running
> for years on other machines. If run ipmon, it shows me what's being
> blocked and by which rule. Pings are not being blocked by ipf.
> The relevent ipf rules are:
> block in log on em0 all head 100
> pass in quick proto icmp from any to any keep frags group 100
> block out on em0 all head 200
> pass out quick proto icmp all keep state keep frags group 200
Did you reduce your ruleset to just this and verify that the problem still
exists? If not, please post the rules that are in effect at the time the
Partial rulesets are about as useful to problem diagnosis as a magic 8
> ipfw, which I didn't really intend on using but it seems to be enabled
> anyway, I have this:
Disable IPFW and see if the problem stops. I'm fairly certain ipf and
IPFW are not designed to work together. Even if they are, it adds a
lot of complexity to the problem that doesn't need to be there.
> 10000 allow icmp from any to any icmptypes 8 out
> 10100 allow icmp from any to any icmptypes 0 in
> 10200 allow icmp from any to any icmptypes 11 in
> 65535 allow ip from any to any
> Is there an equivalent of ipmon for ipfw?
> Michael Grant
More information about the freebsd-questions