[Firehol-support] Why this ICMP call is blocked?

Tsaousis, Costa costa at tsaousis.gr
Tue Feb 24 20:14:24 CET 2015


Kari, the connection tracker sees the packet you are trying to send as INVALID.
Even if you set the interface to 'policy accept', the packet is still dropped.

With the GitHub version of FireHOL, you will see this logged (instead
of OUT-myif1, it will log INVALID).

This is what I get:

Feb 24 21:12:30 box INVALID OUT: IN= OUT=eth0 MAC= SRC=10.11.12.1
DST=10.11.12.11 LEN=122 TOS=00 PREC=0x00 TTL=64 ID=52593 DF PROTO=ICMP
TYPE=255 CODE=255 UID=0 GID=0 MARK=0

I guess TYPE=255 CODE=255 are not recognized.

I tried to check what wakeonlan does (it's a little perl script). It
sends (by default) a udp/9 (discard) packet, not an ICMP. And this is
accepted by the connection tracker as a valid packet.

Hope this helps...

Costa
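As an added illustration (not part of Costa's reply or of FireHOL itself), the script below parses log lines in the format shown above and classifies the ICMP type the way the Linux connection tracker does, as I understand its rules: request types can open a NEW flow, error types are RELATED, and anything above the highest known type (255 here) is INVALID regardless of any accept policy. The sample lines are constructed from the thread, and the type table is an approximation of the kernel logic, not a copy of it.

```python
# Added example (not from the thread): parse an iptables/FireHOL log line and show
# why conntrack calls the TYPE=255 packet INVALID. The type table models the Linux
# nf_conntrack ICMP handling as I understand it; treat it as an approximation.
import re

# Constructed sample: Costa's logged line, re-joined onto one line.
SAMPLE_INVALID = ("Feb 24 21:12:30 box INVALID OUT: IN= OUT=eth0 MAC= SRC=10.11.12.1 "
                  "DST=10.11.12.11 LEN=122 TOS=00 PREC=0x00 TTL=64 ID=52593 DF PROTO=ICMP "
                  "TYPE=255 CODE=255 UID=0 GID=0 MARK=0")
# Constructed sample: an ordinary ping request in the same log format.
SAMPLE_ECHO = ("Feb 24 21:13:00 box OUT-myif1: IN= OUT=eth0 SRC=10.11.12.1 DST=10.11.12.11 "
               "LEN=84 TOS=00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 SEQ=1")

# Request types the tracker can open a NEW flow for, mapped to their reply type.
NEW_TYPES = {8: 0, 13: 14, 15: 16, 17: 18}   # echo, timestamp, info, address mask
REPLY_TYPES = set(NEW_TYPES.values())
# Error messages: accepted only as RELATED to a flow found in the embedded header.
ERROR_TYPES = {3, 4, 5, 11, 12}               # unreach, quench, redirect, exceeded, param
NR_ICMP_TYPES = 18                            # highest ICMP type the tracker knows at all


def parse_log(line):
    """Turn the KEY=VALUE pairs of a kernel firewall log line into a dict (empty values kept)."""
    return dict(re.findall(r"([A-Z]+)=(\S*)", line))


def conntrack_state(fields):
    """Stateless model of the state conntrack would assign to this packet."""
    if fields.get("PROTO") != "ICMP":
        return "NEW"            # first UDP packet (e.g. the udp/9 wakeonlan sends) opens a flow
    t = int(fields["TYPE"])
    if t > NR_ICMP_TYPES:
        return "INVALID"        # TYPE=255 lands here: unknown type, no flow can ever be created
    if t in ERROR_TYPES:
        return "RELATED"        # only if the embedded packet matches an existing flow
    if t in NEW_TYPES:
        return "NEW"
    if t in REPLY_TYPES:
        return "ESTABLISHED"    # with a matching request; without one it would be INVALID
    return "INVALID"


def explain(line):
    f = parse_log(line)
    return f"{f.get('PROTO')} type={f.get('TYPE', '-')} code={f.get('CODE', '-')} -> {conntrack_state(f)}"


if __name__ == "__main__":
    for sample in (SAMPLE_INVALID, SAMPLE_ECHO):
        print(explain(sample))
```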

On Tue, Feb 24, 2015 at 9:41 AM, Kari Lempiainen <lemppari at iki.fi> wrote:
> Hi Costa,
>
> Thanks for the help! I'm using a short self-coded program. You can find the
> source here: https://dl.dropboxusercontent.com/u/13407959/wake.c You need to
> change the target MAC address and ip-name (target variable) to run it correctly,
> but you should get the error running it as it is.
>
> Kari
>
> On 24 February 2015 at 00:32, Tsaousis, Costa <costa at tsaousis.gr> wrote:
>>
>> Hi Kari,
>>
>> To my understanding the iptables connection tracker does not see this
>> as a NEW connection.
>> FireHOL trusts the iptables connection tracker...
>>
>> Which program do you use to send this wake on lan packet? I'll try to
>> reproduce it and check what happens...
>>
>> Costa
>>
>>
>>
>> On Mon, Feb 23, 2015 at 11:15 PM, Kari Lempiainen <lemppari at iki.fi> wrote:
>> > Hi,
>> >
>> >
>> > I feel stupid. I have a short program which sends a "Wake On Lan" packet to
>> > a computer in my local network. Protocol is ICMP. The sending computer is
>> > 192.168.2.8 and target is 192.168.2.5. When I run my program I get "sendto:
>> > Operation not permitted" and the syslog tells me this:
>> >
>> > 'firehol: 'OUT-myif1':'IN= OUT=eth0 SRC=192.168.2.8 DST=192.168.2.5 LEN=122
>> > TOS=0x00 PREC=0x00 TTL=64 ID=52172 DF PROTO=ICMP TYPE=255 CODE=255
>> >
>> >
>> > In my firehol.conf file I have:
>> >
>> > interface eth0 myif1 src "192.168.2.0/24" dst 192.168.2.8
>> >
>> > policy drop
>> >
>> > [lines removed]
>> >
>> > client all accept
>> >
>> >
>> > Why is the packet dropped? Doesn't "client all accept" mean that
>> > 192.168.2.8 can send anything?
>> >
>> >
>> > Kari
>> > _______________________________________________
>> > Firehol-support mailing list
>> > Firehol-support at lists.firehol.org
>> > http://lists.firehol.org/mailman/listinfo/firehol-support

