# Can't ping LAN when pf is enabled



## meciarz (Jul 21, 2010)

Hello,
I have a problem pinging LAN addresses when PF is enabled. I can ping google.com but can't ping (for example) 172.26.8.247 on my LAN.

```
fbsd# ping google.com
PING google.com (209.85.129.99): 56 data bytes
64 bytes from 209.85.129.99: icmp_seq=0 ttl=247 time=33.379 ms
64 bytes from 209.85.129.99: icmp_seq=1 ttl=247 time=31.903 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 31.903/32.641/33.379/0.738 ms
```


```
fbsd# ping 172.26.8.247
PING 172.26.8.247 (172.26.8.247): 56 data bytes
ping: sendto: Operation not permitted
ping: sendto: Operation not permitted
^C
--- 172.26.8.247 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
```
I have a pass rule for this address. When I disable the pf firewall, everything works.

```
fbsd# pfctl -d
pf disabled
fbsd# ping 172.26.8.247
PING 172.26.8.247 (172.26.8.247): 56 data bytes
64 bytes from 172.26.8.247: icmp_seq=0 ttl=128 time=0.515 ms
64 bytes from 172.26.8.247: icmp_seq=1 ttl=128 time=0.373 ms
^C
--- 172.26.8.247 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.373/0.444/0.515/0.071 ms
```
My rules are set to block (IN and OUT) all addresses from the LAN except three of them:

```
##--- macros ---##
ext_if = "rl0"
int_if = "fxp0"
lan = $int_if:network
gw = "127.0.0.1"
# LAN hosts allowed through the firewall ("przep" = pass)
przep = "{ 172.26.8.201, 172.26.8.247, 172.26.8.249 }"
#przep_porty = "{ 20:25, 53, 110, 114, 995, 80, 443, 995 }"

table <sshguard> persist

##--- accepted services ---##
tcp_services = "{ 22, 113 }"
udp_services = "{ 53 }"
icmp_types = "{ echoreq, unreach }"

##--- default response to packets hit by a block rule ---##
set block-policy drop
##--- gather interface statistics for the external interface ---##
set loginterface $ext_if

##--- disable filtering on loopback ---##
set skip on lo

##--- NAT ---##
nat on $ext_if from !($ext_if) to any -> ($ext_if)

##--- redirect www traffic to squid (the $przep hosts are exempt) ---##
no rdr on $int_if proto tcp from $przep to any port www
rdr on $int_if proto tcp from $lan to any port www -> $gw port 3128

##--- block inbound by default ---##
block in

##--- pass outbound traffic, and its replies via the state table ---##
pass out on $ext_if keep state

##--- block spoofed addresses ---##
antispoof quick for { lo $int_if }

block in quick on $ext_if proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
pass in quick inet proto tcp from any to $ext_if port 22 flags S/SA synproxy state (source-track rule, max-src-conn 3, max-src-conn-rate 2/15, overload <sshguard> flush)

##--- allow ICMP packets ---##
pass in inet proto icmp all icmp-type $icmp_types

##--- allow EVERYTHING!! on the internal interface for the $przep hosts ---##
# Note: this only matches packets whose *source* is one of $przep. The
# firewall's own fxp0 address is part of $lan, so its own packets sent out
# on $int_if (e.g. a ping to 172.26.8.247) are caught by the block quick below.
pass quick on $int_if from $przep to any
block quick on $int_if from $lan to any


#pass in on $ext_if inet proto tcp from 192.168.180.1 to 192.168.180.2 port 22
block on $ext_if  from 192.168.180.1 to any
block on $ext_if  from any to 192.168.180.1
block on $ext_if  from 172.26.8.254 to any
block on $ext_if  from any to 172.26.8.254
```

I don't know what I should correct in my rules.


----------



## meciarz (Jul 21, 2010)

OK,
I found what's wrong...
I added

```
pass quick on $int_if from any to $przep
```
and it's OK now.
My mistake.
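
To see why the original ruleset blocked the firewall's own pings, here is an added example (not from the thread) that models pf's evaluation order: rules are tested top to bottom, the last matching rule decides, and a matching `quick` rule ends evaluation immediately. It models only the filter rules relevant to the question (no NAT, rdr, antispoof or state tracking) and assumes a /24 LAN on fxp0 with the firewall at 172.26.8.1 and 192.0.2.10 on rl0, none of which the thread states. It shows the firewall's outbound echo request being caught by `block quick on $int_if from $lan to any` before the fix, and passed by the rule meciarz added after it.

```python
import ipaddress

# Assumptions (not given in the thread): a /24 LAN on fxp0 and the
# firewall's own addresses on fxp0 and rl0.
LAN = ipaddress.ip_network("172.26.8.0/24")          # $int_if:network
FW_INT = "172.26.8.1"                                # firewall address on fxp0
FW_EXT = "192.0.2.10"                                # firewall address on rl0
PRZEP = {"172.26.8.201", "172.26.8.247", "172.26.8.249"}   # $przep


def any_addr(_addr):
    return True


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


def in_przep(addr):
    return addr in PRZEP


# A rule is (action, direction or None, interface or None, src test, dst test, quick).
# None for direction/interface means "both directions" / "any interface".
BROKEN_RULES = [
    ("block", "in",  None,   any_addr, any_addr, False),  # block in
    ("pass",  "out", "rl0",  any_addr, any_addr, False),  # pass out on $ext_if keep state
    ("pass",  None,  "fxp0", in_przep, any_addr, True),   # pass quick on $int_if from $przep to any
    ("block", None,  "fxp0", in_lan,   any_addr, True),   # block quick on $int_if from $lan to any
]

# The rule from the follow-up post, placed ahead of the block quick.
FIXED_RULES = BROKEN_RULES[:3] + [
    ("pass",  None,  "fxp0", any_addr, in_przep, True),   # pass quick on $int_if from any to $przep
] + BROKEN_RULES[3:]


def evaluate(rules, direction, iface, src, dst):
    """Return (decision, index of the deciding rule or None).

    pf semantics: every rule is tested in order; the last one that matches
    decides, unless a matching rule carries `quick`, which ends evaluation
    at once. With no matching rule at all the packet passes.
    """
    decision, winner = "pass", None
    for idx, (action, rdir, riface, src_ok, dst_ok, quick) in enumerate(rules):
        if rdir is not None and rdir != direction:
            continue
        if riface is not None and riface != iface:
            continue
        if not (src_ok(src) and dst_ok(dst)):
            continue
        decision, winner = action, idx
        if quick:
            break
    return decision, winner


if __name__ == "__main__":
    # The firewall's own echo request leaving fxp0 towards a $przep host
    print("broken:", evaluate(BROKEN_RULES, "out", "fxp0", FW_INT, "172.26.8.247"))
    print("fixed: ", evaluate(FIXED_RULES, "out", "fxp0", FW_INT, "172.26.8.247"))
    # A LAN host that is not in $przep stays blocked after the fix
    print("other: ", evaluate(FIXED_RULES, "in", "fxp0", "172.26.8.50", "8.8.8.8"))
    # Outbound traffic on rl0 (the ping to google.com) was never affected
    print("ext:   ", evaluate(FIXED_RULES, "out", "rl0", FW_EXT, "209.85.129.99"))
```

The model has no state table, so it does not show reply handling; on a live box the same question is answered by `pfctl -vvsr`, whose per-rule counters show which rule is taking the hits, or by adding `log` to the `block quick` rule and watching `tcpdump -n -e -ttt -i pflog0`.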


----------



## h0itm (Nov 4, 2010)

Hello, when I ping 8.8.8.8 it works, but when I ping google.com it does not work.


----------



## SirDice (Nov 4, 2010)

h0itm said:

> Hello, when I ping 8.8.8.8 it works, but when I ping google.com it does not work.

Seriously? And we're supposed to find a solution based on this humongous amount of information?


----------



## h0itm (Nov 4, 2010)

SirDice said:

> Seriously? And we're supposed to find a solution based on this humongous amount of information?

Thanks, the problem is solved :)


----------



## DutchDaemon (Nov 4, 2010)

Ping 8.8.4.4, should take half the time for the last two hops.


----------



## DutchDaemon (Nov 4, 2010)

So h0itm has no resolver. What's in /etc/resolv.conf? Given the pinged (pung?) destinations, my guess is:


```
nameserver 8.8.8.8
nameserver 8.8.4.4
```

Or it probably should be.


----------



## DutchDaemon (Nov 5, 2010)

Assuming solved ..


----------

