# [NAS4Free] Ping sendto: permission denied



## colinb4987 (Apr 22, 2013)

Hi all,

First of all, let me make clear that I am running NAS4Free - I am aware of the forum rules and have already posted on their forums a couple of days ago, but have not yet had a response. Second of all, I'm not sure if this topic belongs in this (Networking) subforum, or in the related Firewall subforum - apologies if it's in the wrong place. _ [ Moved to Firewall forum due to 'Permission denied' error -- Mod. ]_

The background is that I set up a NAS to play with, get happy/comfortable with *BSD etc., and am now in the process of settling down to do a clean full install with just the packages/modifications I want. The problem I'm having though, is that I'm unable to ping out of the the machine, nor ping to it. Can anyone help? I've included below all the outputs I can think of that might be useful, but at the moment I'm still such a novice there are likely more needed.

Installation settings were DHCP (I will change to static at a later date), and auto for IPv6. Settings/outputs are below:
`ifconfig` relevant output:

```
#ifconfig
re0: flags=8843<UP, BROADCAST, RUNNING, SIMPLEX, MULTICAST> metric 0 mtu 1500
         options=8209b<RXCSUM, TXCSUM, VLAN_MTU, VLANHWTAGGING, VLANHWCSUM, WOLMAGIC, LINKSTATE>
         ether 00:01:2e:37:5a:ff
         inet 192.168.1.136 netmask 0xffffff00 broadcast 192.168.1.255
         nd6 options=21<PERFORMNUD, AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000bastT <full-duplex>)
         status: active
ipfw0: flags=8800<SIMPLEX, MUTLICAST> metric 0 mtu 65536
         ng6 options=21<PERFORMNUD, AUTO_LINKLOCAL>
```

Pinging localhost:

```
#ping localhost
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.023ms
```

Pinging router:

```
#ping 192.168.1.1
ping: sendto: Permission denied
```

Checking firewall:

```
#ipfw list
65535 allow ip from any to any
```

Excerpt from /etc/rc.conf:

```
firewall_type="CLIENT"
firewall_script_auxrules="/etc/rc.firewall.auxrules"
```


Check that the router allows pings by pinging router from my Macbook:

```
#ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.889 ms
```

Pinging NAS4Free IP from Macbook:

```
#ping 192.168.1.136
PING 192.168.1.136 (192.168.1.136): 56 data bytes
Request timeout for icmp_seq 0
```


----------



## wblock@ (Apr 22, 2013)

Almost certainly a firewall thing.  What is in /etc/rc.firewall.auxrules?  That appears to be a NAS4Free addition.


----------



## colinb4987 (Apr 22, 2013)

Thanks for the reply (and to the mods for the formatting tweaks - I'll pay more attention from now on!). rc.firewall.auxrules does not exist on this fresh install, and I don't recall seeing it previously. I've put below the contents of rc.firewall should that provide any clues:

```
#!/bin/sh -
#
# Setup system for ipfw(4) firewall service.
#

# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

setup_loopback () {
	
	${fwcmd} add 100 pass all from any to any via lo0
	${fwcmd} add 200 deny all from any to 127.0.0.0/8
	${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
}

if [ -n "${1}" ]; then
	firewall_type="${1}"
fi


case ${firewall_quiet} in
[Yy][Ee][Ss])
	fwcmd="/sbin/ipfw -q"
	;;
*)
	fwcmd="/sbin/ipfw"
	;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

setup_loopback

############
# Network Address Translation
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd ip4 from any to any via ${natd_interface}
		fi
		;;
	esac
	case ${firewall_nat_enable} in
	[Yy][Ee][Ss])
		if [ -n "${firewall_nat_interface}" ]; then
			if echo "${firewall_nat_interface}" | \
				grep -q -E '^[0-9]+(\.[0-9]+){0,3}$'; then
				firewall_nat_flags="ip ${firewall_nat_interface} ${firewall_nat_flags}"
			else
				firewall_nat_flags="if ${firewall_nat_interface} ${firewall_nat_flags}"
			fi
			${fwcmd} nat 123 config log ${firewall_nat_flags}
			${fwcmd} add 50 nat 123 ip4 from any to any via ${firewall_nat_interface}
		fi
		;;
	esac
esac

# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	${fwcmd} add 65000 pass all from any to any
	;;

[Cc][Ll][Ii][Ee][Nn][Tt])
	############
	# This is a prototype setup
	# Configuration:
	#  firewall_client_net:		Network address of local network.
	############

	# set this to your local network
	net="$firewall_client_net"

	# Load auxiliary rules. These are defined via the WebGUI and will be
	# generated from the /etc/rc.d/ipfw script.
	. ${firewall_script_auxrules}
	;;

[Ss][Ii][Mm][Pp][Ll][Ee])
	############
	# This is a prototype setup for a simple firewall.  Configure this
	# machine as a DNS and NTP server, and point all the machines
	# on the inside at this machine for those services.
	#
	# Configuration:
	#  firewall_simple_iif:		Inside network interface.
	#  firewall_simple_inet:	Inside network address.
	#  firewall_simple_oif:		Outside network interface.
	#  firewall_simple_onet:	Outside network address.
	############

	# set these to your outside interface network
	oif="$firewall_simple_oif"
	onet="$firewall_simple_onet"

	# set these to your inside interface network
	iif="$firewall_simple_iif"
	inet="$firewall_simple_inet"

	# Stop spoofing
	${fwcmd} add deny all from ${inet} to any in via ${oif}
	${fwcmd} add deny all from ${onet} to any in via ${iif}

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
	${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
	${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
	${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
	${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
	${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}

	# Network Address Translation.  This rule is placed here deliberately
	# so that it does not interfere with the surrounding address-checking
	# rules.  If for example one of your internal LAN machines had its IP
	# address set to 192.0.2.1 then an incoming packet for it after being
	# translated by natd(8) would match the `deny' rule above.  Similarly
	# an outgoing packet originated from it before being translated would
	# match the `deny' rule below.
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac

	# Stop RFC1918 nets on the outside interface
	${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
	${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}

	# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes RESERVED-1,
	# DHCP auto-configuration, NET-TEST, MULTICAST (class D), and class E)
	# on the outside interface
	${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
	${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
	${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
	${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
	${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}

	# Allow TCP through if setup succeeded
	${fwcmd} add pass tcp from any to any established

	# Allow IP fragments to pass through
	${fwcmd} add pass all from any to any frag

	# Allow setup of incoming email
	${fwcmd} add pass tcp from any to me 25 setup

	# Allow access to our DNS
	${fwcmd} add pass tcp from any to me 53 setup
	${fwcmd} add pass udp from any to me 53
	${fwcmd} add pass udp from me 53 to any

	# Allow access to our WWW
	${fwcmd} add pass tcp from any to me 80 setup

	# Reject&Log all setup of incoming connections from the outside
	${fwcmd} add deny log tcp from any to any in via ${oif} setup

	# Allow setup of any other TCP connection
	${fwcmd} add pass tcp from any to any setup

	# Allow DNS queries out in the world
	${fwcmd} add pass udp from me to any 53 keep-state

	# Allow NTP queries out in the world
	${fwcmd} add pass udp from me to any 123 keep-state

	# Everything else is denied by default, unless the
	# IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
	# config file.
	;;

[Ww][Oo][Rr][Kk][Ss][Tt][Aa][Tt][Ii][Oo][Nn])
	# Configuration:
	#  firewall_myservices:		List of TCP ports on which this host
	#			 	 offers services.
	#  firewall_allowservices:	List of IPs which has access to
	#				 $firewall_myservices.
	#  firewall_trusted:		List of IPs which has full access 
	#				 to this host. Be very carefull 
	#				 when setting this. This option can
	#				 seriously degrade the level of 
	#				 protection provided by the firewall.
	#  firewall_logdeny:		Boolean (YES/NO) specifying if the
	#				 default denied packets should be
	#				 logged (in /var/log/security).
	#  firewall_nologports:		List of TCP/UDP ports for which
	#				 denied incomming packets are not
	#				 logged.
	
	# Allow packets for which a state has been built.
	${fwcmd} add check-state

	# For services permitted below.
	${fwcmd} add pass tcp  from me to any established

	# Allow any connection out, adding state for each.
	${fwcmd} add pass tcp  from me to any setup keep-state
	${fwcmd} add pass udp  from me to any       keep-state
	${fwcmd} add pass icmp from me to any       keep-state

	# Allow DHCP.
	${fwcmd} add pass udp  from 0.0.0.0 68 to 255.255.255.255 67 out
	${fwcmd} add pass udp  from any 67     to me 68 in
	${fwcmd} add pass udp  from any 67     to 255.255.255.255 68 in
	# Some servers will ping the IP while trying to decide if it's 
	# still in use.
	${fwcmd} add pass icmp from any to any icmptype 8

	# Allow "mandatory" ICMP in.
	${fwcmd} add pass icmp from any to any icmptype 3,4,11
	
	# Add permits for this workstations published services below
	# Only IPs and nets in firewall_allowservices is allowed in.
	# If you really wish to let anyone use services on your 
	# workstation, then set "firewall_allowservices='any'" in /etc/rc.conf
	#
	# Note: We don't use keep-state as that would allow DoS of
	#       our statetable. 
	#       You can add 'keep-state' to the lines for slightly
	#       better performance if you fell that DoS of your
	#       workstation won't be a problem.
	#
	for i in ${firewall_allowservices} ; do
	  for j in ${firewall_myservices} ; do
	    ${fwcmd} add pass tcp from $i to me $j
	  done
	done

	# Allow all connections from trusted IPs.
	# Playing with the content of firewall_trusted could seriously
	# degrade the level of protection provided by the firewall.
	for i in ${firewall_trusted} ; do
	  ${fwcmd} add pass ip from $i to me
	done
	
	${fwcmd} add 65000 count ip from any to any

	# Drop packets to ports where we don't want logging
	for i in ${firewall_nologports} ; do
	  ${fwcmd} add deny { tcp or udp } from any to any $i in
	done

	# Broadcasts and muticasts
	${fwcmd} add deny ip  from any to 255.255.255.255
	${fwcmd} add deny ip  from any to 224.0.0.0/24 in	# XXX

	# Noise from routers
	${fwcmd} add deny udp from any to any 520 in

	# Noise from webbrowsing.
	# The statefull filter is a bit agressive, and will cause some
	#  connection teardowns to be logged.
	${fwcmd} add deny tcp from any 80,443 to any 1024-65535 in

	# Deny and (if wanted) log the rest unconditionally.
	log=""
	if [ ${firewall_logdeny:-x} = "YES" -o ${firewall_logdeny:-x} = "yes" ] ; then
	  log="log logamount 500"	# The default of 100 is too low.
	  sysctl net.inet.ip.fw.verbose=1 >/dev/null
	fi
	${fwcmd} add deny $log ip from any to any
	;;

[Cc][Ll][Oo][Ss][Ee][Dd])
	${fwcmd} add 65000 deny ip from any to any
	;;
[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
	;;
*)
	if [ -r "${firewall_type}" ]; then
		${fwcmd} ${firewall_flags} ${firewall_type}
	fi
	;;
esac
```


----------



## colinb4987 (Apr 22, 2013)

As I was looking into rc.conf just now, I tried, on a whim, setting 
	
	



```
firewall_type="CLIENT"
```
 to 
	
	



```
firewall_type="OPEN"
```
and lo and behold, I can now freely ping across the network. I don't think this has addressed the root cause of my issues, but at least for now it's functioning...!


----------



## wblock@ (Apr 22, 2013)

That file is somewhat customized.  WORKSTATION is probably more like what you need.


----------



## colinb4987 (Apr 22, 2013)

Good to know, I'll look into it. Thanks for the pointers @wblock@.


----------

