# Why I can't ping out?



## fender0107401 (Mar 20, 2010)

This is my ipfw.rules. :e


```
################################################################################

# delete all rules

ipfw -q -f flush       

# variable declaration

nic="re0"

dns1="+"

dns2="+"

dhcp="192.168.1.1"

cmd="ipfw -q add "     

ks="keep-state"       

################################################################################

# loopback

$cmd 00100 allow all from any to any via lo0

$cmd 00200 check-state

################################################################################

$cmd 00300 allow tcp from any to $dns1 53 out via $nic setup $ks

$cmd 00400 allow udp from any to $dns2 53 out via $nic $ks

$cmd 00500 allow tcp from any to $dns1 53 out via $nic setup $ks

$cmd 00600 allow udp from any to $dns2 53 out via $nic $ks

$cmd 00700 allow udp from any to $dhcp 67 out via $nic $ks

################################################################################

# www

$cmd 00800 allow tcp from any to any 80 out via $nic setup $ks

# secure www

$cmd 00920 allow tcp from any to any 443 out via $nic setup $ks

# email

$cmd 01000 allow tcp from any to any 587 out via $nic setup $ks

$cmd 01100 allow tcp from any to any 995 out via $nic setup $ks

# ftp

$cmd 01200 allow tcp from any to any 21 out via $nic setup $ks

$cmd 01300 allow tcp from any to any 1024-65535 out via $nic setup $ks

# irc

$cmd 01400 allow tcp from any to any 7000 out via $nic setup $ks

# ntp

$cmd 01500 allow udp from any to any 123 out via $nic $ks

# csup

[B]$cmd 01600 allow tcp from me to any out via $nic setup $ks uid root[/B]

# ping

[B]$cmd 01700 allow icmp from any to any out via $nic setup $ks[/B]

################################################################################
```

1. I don't know why I can't ping out? 


```
> ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
ping: sendto: Permission denied
^C
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

> ping `hostname`
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.034 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.040 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.033 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.041 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.040 ms
^C
--- localhost ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.033/0.038/0.041/0.003 ms
```

2. Can I change "from any to any" to "from me to any" (like 01600)to enhance the security? 

From ipfw (8):



> any     matches any IP address.
> me      matches any IP address configured on an interface in the system.



I think I can change "from any to any" to "from me to any" with rules via my nic excepting that related with lo0.

I am not sure. 

3. whether need add other rules to support the other device (fwe0, plip0 and fwip0)? 

This is my ifconfig command output:


```
> ifconfig 
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 00:1f:d0:d8:8c:07
	inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ea:ae:00:1f:d0
	ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	lladdr 0.ea.ae.2a.0.0.1f.d0.a.2.ff.fe.0.0.0.0
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000
```


----------



## jailed (Mar 20, 2010)

When you send icmp packet the target must return you

Can you try this for rule 1700 to send ping:

```
$cmd 01700 allow icmp from any to any via $nic setup $ks
```


----------



## fender0107401 (Mar 21, 2010)

I got it. I deleted "setup".

Wrong:

```
$cmd 01700 allow icmp from any to any out via $nic [B]setup[/B] $ks
```

Right:

```
$cmd 01700 allow icmp from any to any out via $nic $ks
```


----------

