VyOS 1.3.2 set firewall all-ping 'enable' - doesn't appear to work

Hello,
I'm having an issue where the `set firewall all-ping 'enable'` command does not appear to work as expected. ICMP only works when I add a rule to the OUTSIDE-LOCAL firewall ruleset as below.

```
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
```

I read the docs on 1.3.2 highlighted below, but the only caveat I see is that this would fail if you have an explicit rule such as "deny icmp" in one of the local rules. I do not have this; I do, however, have the default rule set to drop, but this is expected. Any ideas, or is anyone else seeing this?

## Global settings

Some firewall settings are global and have an effect on the whole system.

```
set firewall all-ping [enable | disable]
```

By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall.

With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general firewall all-ping command. This command affects only LOCAL (packets destined for your VyOS system), not IN or OUT traffic.

Note

firewall all-ping affects only LOCAL and it always behaves in the most restrictive way.

```
set firewall all-ping enable
```

When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied dropping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests.

```
set firewall all-ping disable
```

When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them.

thanks,

Hi @Net_Admin, from where are you trying to ping your router?

I have a single p2p /30 interface on the firewall. I can ping back and forth with the ICMP rule added to the OUTSIDE-LOCAL ruleset, but without it, ping does not work.

It should work without any problem (by default). Maybe some of your firewall rules are affecting it. Can you please share your firewall configuration?

Here is my ruleset for the OUTSIDE-LOCAL and ancillary firewall settings. The interface is also bound to a through rule called OUTSIDE-IN, but I do not believe that ruleset to be relevant to this issue.

```
set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL enable-default-log
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 10 source group network-group 'ALLOW_IPSEC_FROM'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 destination port '22'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'ALLOW_SSH_FROM'
set firewall name OUTSIDE-LOCAL rule 20 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 30 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 state related 'enable'

set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'

set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
```

j.bordon, I don't follow. The explicit rule in OUTSIDE-LOCAL allows ICMP because the default rule `set firewall all-ping 'enable'` is not working for some reason. That's the issue we are having. I agree that if a rule were blocking ahead of a rule that was allowing, it would be a problem. I can't see where that would possibly be happening.

Looking at the firewall stats below, when I remove the explicit ICMP rule 30 from OUTSIDE-LOCAL, the drop counter increments for the default drop rule 100000029 of the OUTSIDE-LOCAL firewall.

```
IPv4 Firewall "OUTSIDE-IN":

Active on (eth0,IN)

rule       packets  bytes    action  source     destination

10         0        0        ACCEPT  0.0.0.0/0  0.0.0.0/0
20         8.88K    404.85K  ACCEPT  0.0.0.0/0  0.0.0.0/0
30         0        0        ACCEPT  0.0.0.0/0  0.0.0.0/0
10000000   0                 DROP    0.0.0.0/0  0.0.0.0/0


IPv4 Firewall "OUTSIDE-LOCAL":

Active on (eth0,LOCAL)

rule       packets  bytes    action  source     destination

10         8.92K    1.09M    ACCEPT  0.0.0.0/0  0.0.0.0/0
20         13.49K   1.36M    ACCEPT  0.0.0.0/0  0.0.0.0/0
100000029  1.94K             DROP    0.0.0.0/0  0.0.0.0/0


IPv4 Firewall "SECURE":

Active on (eth1,IN)

rule       packets  bytes    action  source     destination

10         0        0        ACCEPT  0.0.0.0/0  0.0.0.0/0
20         9.13K    632.21K  ACCEPT  0.0.0.0/0  0.0.0.0/0
30         0        0        ACCEPT  0.0.0.0/0  0.0.0.0/0
10000000   0                 DROP    0.0.0.0/0  0.0.0.0/0
```

@Net_Admin, because you put

```
set firewall name OUTSIDE-LOCAL default-action 'drop'
```

this blocks everything and accepts only what is allowed by your rules. I have checked it in my lab as well.

It overrides the default firewall setting (I mean `set firewall name OUTSIDE-LOCAL default-action 'drop'`), and then you put

```
set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 30 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 state related 'enable'
```

and this allows your pings.

Ok, so am I to understand that when you turn VyOS into a firewall, the default rules related to ping are now overridden? Meaning that they are generally meant for the "all ping" to work when VyOS is in router mode?

The default setting for `set firewall all-ping` is enable.

This option has nothing to do with the firewall. It sets a system parameter, `net.ipv4.icmp_echo_ignore_all`, whose default is 0, which means `set firewall all-ping enable`.

pepe, so based on your logic this should work? The default `set firewall all-ping enable` should suffice even in the absence of an explicit allow-icmp rule?

As I wrote, this option has nothing to do with the firewall in the sense of iptables / nftables.
It only changes a system parameter, `net.ipv4.icmp_echo_ignore_all`.
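The two layers described in this thread (the `icmp_echo_ignore_all` sysctl behind `all-ping`, and the `local` ruleset with its `default-action` that decides what reaches the kernel) can be linted offline from a `set firewall ...` command listing. The following is an added example written for this thread, not code from VyOS or from any poster; it assumes VyOS 1.3 semantics where an unspecified `default-action` is drop, a rule without `protocol` matches all protocols, and a rule with only `established`/`related` state does not match a fresh echo request.

```python
import shlex

def parse_firewall(commands):
    """Parse 'set firewall ...' lines into (all_ping, {ruleset_name: {default, rules}})."""
    all_ping, rulesets = "enable", {}                  # all-ping defaults to enable
    for raw in commands.splitlines():
        t = shlex.split(raw.replace("\u2018", "'").replace("\u2019", "'"))
        if t[:2] != ["set", "firewall"] or len(t) < 4:
            continue
        if t[2] == "all-ping":
            all_ping = t[3]
        elif t[2] == "name" and len(t) > 5:
            rs = rulesets.setdefault(t[3], {"default": "drop", "rules": {}})  # assumed default
            if t[4] == "default-action":
                rs["default"] = t[5]
            elif t[4] == "rule" and len(t) > 7:
                r = rs["rules"].setdefault(int(t[5]), {"protocol": "all", "states": {}, "narrowed": False})
                if t[6] in ("action", "protocol"):
                    r[t[6]] = t[7]
                elif t[6] == "state" and len(t) > 8:
                    r["states"][t[7]] = t[8] == "enable"   # e.g. state new 'enable'
                elif t[6] in ("source", "destination"):
                    r["narrowed"] = True                  # rule matches only some peers
    return all_ping, rulesets

def echo_answered(all_ping, ruleset):
    """'yes', 'no' or 'depends': will a new ICMP echo request to the router be answered?"""
    if all_ping == "disable":
        return "no"        # icmp_echo_ignore_all=1: the kernel ignores it regardless of rules
    if ruleset is None:
        return "yes"       # no 'local' ruleset attached: only the sysctl decides
    for num in sorted(ruleset["rules"]):
        r = ruleset["rules"][num]
        if r["protocol"] not in ("icmp", "all"):
            continue
        if r["states"] and not r["states"].get("new"):
            continue       # a fresh echo request is a NEW flow; established-only rules skip it
        if r["narrowed"]:
            return "depends"   # accept/drop hinges on a source/destination match
        return "yes" if r.get("action") == "accept" else "no"
    return "yes" if ruleset["default"] == "accept" else "no"   # fell through to default-action

# Constructed from the ruleset posted in the thread, not read from a live router
BASE = """set firewall all-ping 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'"""
RULE_30 = """set firewall name OUTSIDE-LOCAL rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'"""
```

Feed it the output of `show configuration commands | grep firewall`; with `BASE` alone the result is "no" (the default drop swallows the echo request, matching the counter on rule 100000029 above), and with `RULE_30` appended it is "yes".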