[Firehol-support] Why this ICMP call is blocked?

Kari Lempiainen lemppari at iki.fi
Tue Feb 24 21:52:27 CET 2015


Thanks Costa! It sure did help. I didn't suspect any code problems since
the code had been working for about 10 years. It was quick and dirty code
just to get the job done back then. And it still works fine when iptables
is in all-allow mode. After changing to a new Linux distro and FireHOL
generated iptables it stopped working, so I suspected the problem was in
the firewall, not in the program.

I rewrote the code and now it works fine with FireHOL generated iptables
and doesn't even require root permission.

Thanks again!

On 24 February 2015 at 21:14, Tsaousis, Costa <costa at tsaousis.gr> wrote:

> Kari, the connection tracker sees the packet you are trying to send as
> INVALID.
> Even if you set the interface to 'policy accept', the packet is still
> dropped.
>
> With the github version of firehol, you will see this logged (instead
> of OUT-myif1, it will log INVALID).
>
> This is what I get:
>
> Feb 24 21:12:30 box INVALID OUT: IN= OUT=eth0 MAC= SRC=10.11.12.1
> DST=10.11.12.11 LEN=122 TOS=00 PREC=0x00 TTL=64 ID=52593 DF PROTO=ICMP
> TYPE=255 CODE=255 UID=0 GID=0 MARK=0
>
> I guess TYPE=255 CODE=255 are not recognized.
>
> I tried to check what wakeonlan does (it's a little perl script). It
> sends (by default) a udp/9 (discard) packet, not an ICMP. And this is
> accepted by the connection tracker as a valid packet.
>
> Hope this helps...
>
> Costa
>
> On Tue, Feb 24, 2015 at 9:41 AM, Kari Lempiainen <lemppari at iki.fi> wrote:
> > Hi Costa,
> >
> > Thanks for the help! I'm using a short self-coded program. You can find the
> > source here: https://dl.dropboxusercontent.com/u/13407959/wake.c You
> > need to change the target MAC address and ip-name (target variable) to run it
> > correctly, but you should get the error running it as it is.
> >
> > Kari
> >
> > On 24 February 2015 at 00:32, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> >>
> >> Hi Kari,
> >>
> >> To my understanding the iptables connection tracker does not see this
> >> as a NEW connection.
> >> FireHOL trusts the iptables connection tracker...
> >>
> >> Which program do you use to send this wake on lan packet? I'll try to
> >> reproduce it and check what happens...
> >>
> >> Costa
> >>
> >>
> >>
> >> On Mon, Feb 23, 2015 at 11:15 PM, Kari Lempiainen <lemppari at iki.fi> wrote:
> >> > Hi,
> >> >
> >> >
> >> > I feel stupid. I have a short program which sends a "Wake On Lan" packet
> >> > to a computer in my local network. Protocol is ICMP. The sending computer
> >> > is 192.168.2.8 and target is 192.168.2.5. When I run my program I get
> >> > "sendto: Operation not permitted" and the syslog tells me this:
> >> >
> >> > 'firehol: 'OUT-myif1':'IN= OUT=eth0 SRC=192.168.2.8 DST=192.168.2.5 LEN=122
> >> > TOS=0x00 PREC=0x00 TTL=64 ID=52172 DF PROTO=ICMP TYPE=255 CODE=255
> >> >
> >> >
> >> > In my firehol.conf file I have:
> >> >
> >> > interface eth0 myif1 src "192.168.2.0/24" dst 192.168.2.8
> >> >
> >> > policy drop
> >> >
> >> > [lines removed]
> >> >
> >> > client all accept
> >> >
> >> >
> >> > Why is the packet dropped? Doesn't "client all accept" mean that
> >> > 192.168.2.8 can send anything?
> >> >
> >> >
> >> > Kari
> >> > _______________________________________________
> >> > Firehol-support mailing list
> >> > Firehol-support at lists.firehol.org
> >> > http://lists.firehol.org/mailman/listinfo/firehol-support
> >
> >
>

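The rewrite Kari mentions (a plain UDP magic packet instead of ICMP, no root needed), as an added example that is not Kari's wake.c nor FireHOL code; the MAC and broadcast address in the usage comment are constructed placeholders.

```c
/* Added example (not Kari's wake.c): build a Wake-on-LAN magic packet and
 * send it as one UDP datagram to port 9 (discard), as wakeonlan does. UDP
 * needs no raw socket (so no root) and conntrack classifies the outgoing
 * datagram as a NEW flow instead of the INVALID ICMP type 255/255 above. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define WOL_LEN 102  /* 6 sync bytes (0xff) + 16 copies of the 6-byte MAC */
/* Parse "aa:bb:cc:dd:ee:ff" into 6 bytes; return 0 on success, -1 on bad input. */
int parse_mac(const char *s, unsigned char mac[6]) {
    unsigned int v[6];
    if (sscanf(s, "%2x:%2x:%2x:%2x:%2x:%2x", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return -1;
    for (int i = 0; i < 6; i++) mac[i] = (unsigned char)v[i];
    return 0;
}

/* Fill buf with the magic packet; return its length (WOL_LEN) or -1 on a bad MAC. */
int build_magic_packet(const char *mac_str, unsigned char buf[WOL_LEN]) {
    unsigned char mac[6];
    if (parse_mac(mac_str, mac) != 0) return -1;
    memset(buf, 0xff, 6);
    for (int i = 0; i < 16; i++) memcpy(buf + 6 + 6 * i, mac, 6);
    return WOL_LEN;
}

/* Send the magic packet as UDP to dst_ip:9. Use the subnet broadcast address
 * (constructed example: 192.168.2.255): a sleeping host has no ARP entry. */
int send_wol(const char *mac_str, const char *dst_ip) {
    unsigned char pkt[WOL_LEN];
    if (build_magic_packet(mac_str, pkt) < 0) return -1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    int one = 1;  /* SO_BROADCAST is required for a broadcast destination */
    setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &one, sizeof one);
    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(9) };
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) { close(fd); return -1; }
    ssize_t n = sendto(fd, pkt, WOL_LEN, 0, (struct sockaddr *)&dst, sizeof dst);
    close(fd);
    return n == WOL_LEN ? 0 : -1;
}

int main(int argc, char **argv) {  /* usage: ./wol 00:11:22:33:44:55 192.168.2.255 */
    if (argc != 3) { fprintf(stderr, "usage: %s MAC BROADCAST_IP\n", argv[0]); return 1; }
    return send_wol(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

With a `policy drop` interface and `client all accept`, this outgoing UDP datagram matches the NEW state and is allowed, which the ICMP type 255/255 packet never could.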
