Hi,

I am unable to figure out why "lan" hosts can ping 13.107.4.51 and
13.107.4.53 but not 13.107.4.52 (www.msftconnecttest.com).
From the Shorewall Firewall itself I **can** ping 13.107.4.52.
From that same firewall if I run the following command I see no ICMP
requests when pinging from a host in lan/lan1/lan13 zones:

# tcpdump -n -i wan host 13.107.4.52 and icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
36 packets received by filter
0 packets dropped by kernel

The wan interface is for the wan zone (internet).

However, I do see ICMP requests coming in on the local interface:

# tcpdump -n -i lan.1 host 13.107.4.52 and icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan.1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:07:30.787799 IP 10.215.111.210 > 13.107.4.52: ICMP echo request, id 1, seq 30901, length 40
11:07:35.570882 IP 10.215.111.210 > 13.107.4.52: ICMP echo request, id 1, seq 30902, length 40

If I trace ICMP traffic for the other 2 IP addresses I can see both
requests and replies on the wan interface:

# tcpdump -n -i wan host 13.107.4.51 and icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan, link-type EN10MB (Ethernet), capture size 262144 bytes
11:10:32.783603 IP 10.215.111.210 > 13.107.4.51: ICMP echo request, id 1, seq 30918, length 40
11:10:32.798775 IP 13.107.4.51 > 10.215.111.210: ICMP echo reply, id 1, seq 30918, length 40
11:10:33.788524 IP 10.215.111.210 > 13.107.4.51: ICMP echo request, id 1, seq 30919, length 40
11:10:33.803409 IP 13.107.4.51 > 10.215.111.210: ICMP echo reply, id 1, seq 30919, length 40

I have no special rule for 13.107.4.52 so I don't understand why the
ICMP requests (or HTTP requests for that matter) are not going out the
wan interface.

Any clues?

A shorewall dump taken while pinging from lan.1 host with IP addr.
10.215.111.210 to 13.107.4.52 can be found here:

https://drive.google.com/file/d/1yMBPe1skzmg9Y5wzYXvKLsaQyPELHreu/view?usp=sharing

Regards,

Vieri


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
