ICMP, outbound Ping on Azure VM

I'd like to use outbound Ping and Traceroute on an Azure VM.  These are outbound requests to another server outside of Azure.
Is the Azure firewall blocking outbound ICMP traffic so that Ping is completely blocked?  
Can someone please confirm that there is no way for me to Ping another server from a Windows Azure VM?

Hi Shannon,
Instead of using ping, you can use
Psping (or nmap/tcping/portqry/telnet etc.) to test connectivity to a specific port.
For example, if the public port of my RDP endpoint is 50791 -
C:\>psping cljun27ws12.cloudapp.net:50791
PsPing v1.0 - ping, latency, bandwidth measurement utility
Copyright (C) 2012 Mark Russinovich
Sysinternals - www.sysinternals.com
TCP connect to 137.117.73.209:50791:
5 iterations (warmup 1) connecting test:
Connecting to 137.117.73.209:50791 (warmup): 87.26ms
Connecting to 137.117.73.209:50791: 81.35ms
Connecting to 137.117.73.209:50791: 89.43ms
Connecting to 137.117.73.209:50791: 82.92ms
Connecting to 137.117.73.209:50791: 84.83ms
TCP connect statistics for 137.117.73.209:50791:
  Sent = 4, Received = 4, Lost = 0 (0% loss),
  Minimum = 81.35ms, Maxiumum = 89.43ms, Average = 84.63ms
And while ICMP is blocked externally, if the guest OS firewall in the VM is configured to allow ICMP, you can ping between VMs in the same cloud service or virtual network.
And as Hari mentioned, you can ping between on-premises and a VM if the connectivity is happening with Azure Connect, or with a Virtual Network Gateway.
Thanks,
Craig
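Craig's answer above comes down to replacing the ICMP echo with a TCP handshake and timing it. The following is an added example, not code from the thread and not the PsPing tool: a small Python TCP-connect prober that, like PsPing, runs one warmup round that is kept out of the statistics, then reports sent/received/lost and min/max/average latency. A refused or timed-out connect counts as a loss. So that it runs offline it starts a throwaway listener on 127.0.0.1 and probes that, plus a port nothing listens on; for the real check call tcp_ping() with the public endpoint, e.g. cljun27ws12.cloudapp.net and 50791.

```python
"""TCP-connect "ping" in the spirit of psping/tcping.  Added example, not from
the thread: measures connect latency to host:port over several iterations,
discards a warmup round, and reports sent/received/lost with min/max/average.
"""
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class ProbeStats:
    target: tuple                      # (host, port)
    sent: int = 0
    received: int = 0
    latencies_ms: list = field(default_factory=list)

    @property
    def lost(self) -> int:
        return self.sent - self.received

    def summary(self) -> dict:
        base = {"sent": self.sent, "received": self.received, "lost": self.lost}
        if not self.latencies_ms:
            return {**base, "min_ms": None, "max_ms": None, "avg_ms": None}
        return {**base, "min_ms": min(self.latencies_ms),
                "max_ms": max(self.latencies_ms),
                "avg_ms": sum(self.latencies_ms) / len(self.latencies_ms)}


def tcp_connect_once(host: str, port: int, timeout: float = 2.0):
    """Connect latency in ms, or None when the handshake failed or timed out.

    A completed three-way handshake proves the host is up AND the port is
    reachable through every firewall on the path, which is more than an echo
    reply tells you.  A refused connect (RST) means host up, port closed; it is
    counted as a loss here so the numbers read the same way psping's do.
    """
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None


def tcp_ping(host: str, port: int, iterations: int = 4, warmup: int = 1,
             timeout: float = 2.0, interval: float = 0.0) -> ProbeStats:
    """Run warmup + iterations connects; only the timed iterations are counted."""
    stats = ProbeStats(target=(host, port))
    for i in range(warmup + iterations):
        rtt = tcp_connect_once(host, port, timeout)
        if i < warmup:                 # warmup absorbs DNS/ARP/first-packet costs
            continue
        stats.sent += 1
        if rtt is not None:
            stats.received += 1
            stats.latencies_ms.append(rtt)
        if interval:
            time.sleep(interval)
    return stats


def _local_listener() -> socket.socket:
    """Throwaway TCP listener on 127.0.0.1 so the example runs offline (constructed target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:            # listener closed by demo(): stop
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def demo() -> dict:
    """Probe an open local port and a closed one; return both summaries."""
    srv = _local_listener()
    open_port = srv.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                      # released again: nothing listens here now
    result = {
        "open": tcp_ping("127.0.0.1", open_port).summary(),
        "closed": tcp_ping("127.0.0.1", closed_port, timeout=0.5).summary(),
    }
    srv.close()
    return result


if __name__ == "__main__":
    for name, summary in demo().items():
        print(name, summary)
```

The open port reports 4 sent / 4 received; the closed port reports 4 sent / 0 received, which is exactly the ambiguity to keep in mind when a TCP probe stands in for ping: "lost" can mean a dead host, a filtered path, or simply a closed port.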

Similar Messages

  • 4727550 Advanced & Raw Socket Support (ICMP, ICMPv6, ping, traceroute, ...)

    Hi All,
    4727550 was a long standing RFE. Before we take any action, I'd like to ask you guys what the requirements are. E.g., do you plan to use raw socket in what kind of application? What features do you want the most? Which platform do you plan to use? etc.
    Feel free to add your comments here.
    Thanks,
    Edward

    sjasja wrote:
    It's sad to realize at different occasions, that Java is just not usable for this type of application, e.g. writing a firewall...
    Sure it is! You just need some glue between operating system specific APIs and Java.
    This is not really a language issue. It's an issue of what language APIs a given OS supports out of the box. Want to write a firewall using C and deploy it on a LISP machine? Be prepared to write some C/LISP glue, just like you'd write Java/C glue to access APIs written in a C-based OS.
    C is so widespread, and so many OSes offer C APIs that C seems "universal". But that's just an illusion. The OSes that happen to be most popular at this time in history happen to provide C APIs to most of their functionality (even then you may occasionally need C/assembly glue for some things).
    More and more APIs, such as low level TCP access, will eventually migrate to Java. But there is no "universal" language, magically able to access any API written in any other language.
    I think you are missing the point. In order to write a firewall in Java, you have to have raw socket support, i.e. be able to specify the data going over the transport. Java currently supports TCP and UDP, but does not support any others (IPX, ICMP, etc).
    The reason these things are not available at the Java layer is because the underlying C code in the JVM is specifying the constants to pass to the socket library at the C level rather than letting the Java layer pass those parameters down. You can currently do it yourself by doing a bootstrap replacement for the JVM classes, or using a 3rd party library -- but you shouldn't need to. The underlying library should be rewritten as raw socket, and allow the existing libraries to be built as pure-java implementations on top of it.
    The reason that raw sockets were not around to begin with was that everyone was afraid it was a security risk. It is unfortunate that in order to protect us, they keep us from writing security software.
    As a side note, I think these two comments on the bug ( http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4727550 ) are interesting:
    4093850 "ICMP protocol support a.k.a. PING applets" was a long
    standing RFE seeking ICMP/raw sockets support. It attracted approximately
    250 votes on the JDC. It became clear from the feedback to the RFE
    that there were broadly two requirements :-
    In about one month (from 2006-08-23 to 2006-09-20), we don't see enough input in the SDN forum thread for this RFE. Seems there's not enough interest for it.
    If it "became clear" that people wanted this functionality, why post a brand new link somewhere and monitor it for one month to determine if anyone wanted the functionality. I didn't even know about this link until a friend mentioned that the bug had been updated.
    So, enough of a rant. I think that if we could write a full-fledged software firewall in Java without using a 3rd party library or JNI, then we'd be on the right track for requirements.

  • ICMP - Grabbing Ping Requests

    I know you can't send an ICMP packet from Java, but is there any way to monitor to see if they come in? I want to write a piece of code that says "You were pinged by ...", but can't see any way of doing this.
    Thanks,
    Mike

    You can do ICMP pinging with Java, well through Java anyway. You need to write the pinging code in C (or some other native language) and compile the functions into a DLL. You can then call these methods through the JNI/RNI - whichever your mental faculties can cope with (bloody Microsoft). This is what I'm working on at the moment - works quite well, even if I do say so myself!
    Windy
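Both threads above turn on the same two pieces of protocol work: producing a well-formed ICMP echo (the raw-socket thread) and recognising one that arrives (the "You were pinged by ..." thread). The following is an added example in Python, not code from either thread; it builds an echo request with the RFC 1071 checksum, wraps it in a constructed IPv4 header, and parses and verifies packets of that shape, including producing the echo reply a host would send back. No raw socket is opened, so it runs offline; on a real host the same bytes would come from a raw socket or a capture library, and the 192.0.2.x addresses are sample values.

```python
"""Build, validate and classify ICMPv4 echo packets in pure Python.  Added
example, not from either thread.  The IPv4 framing is constructed here so the
parser can be exercised offline; on a real host the same bytes would arrive
from a raw socket (or a capture library)."""
import socket
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
IPPROTO_ICMP = 1
IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl tos len id frag ttl proto csum src dst
ICMP_HDR = "!BBHHH"          # type code csum identifier sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, folded, complemented.
    Over a packet whose checksum field is already filled in, the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo: checksum is computed with the checksum field zeroed."""
    header = struct.pack(ICMP_HDR, icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack(ICMP_HDR, icmp_type, 0, csum, ident, seq) + payload


def wrap_ipv4(src: str, dst: str, icmp: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) around an ICMP message."""
    fields = [0x45, 0, 20 + len(icmp), 0, 0, ttl, IPPROTO_ICMP, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IPV4_HDR, *fields))
    return struct.pack(IPV4_HDR, *fields) + icmp


def parse_ipv4_icmp(packet: bytes) -> dict:
    """Decode IPv4+ICMP, verifying both checksums; ValueError on anything else."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_ICMP:
        raise ValueError("not ICMP (protocol %d)" % proto)
    icmp = packet[ihl:total_len]
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        raise ValueError("truncated or corrupt ICMP message")
    t, code, _, ident, seq = struct.unpack(ICMP_HDR, icmp[:8])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "type": t, "code": code, "id": ident, "seq": seq, "payload": icmp[8:]}


def echo_reply_for(request: bytes) -> bytes:
    """What the pinged host sends back: same id/seq/payload, addresses swapped."""
    p = parse_ipv4_icmp(request)
    if p["type"] != ECHO_REQUEST:
        raise ValueError("not an echo request")
    return wrap_ipv4(p["dst"], p["src"],
                     build_icmp_echo(ECHO_REPLY, p["id"], p["seq"], p["payload"]))


def describe(packet: bytes) -> str:
    """The 'You were pinged by ...' line the second thread asks for."""
    p = parse_ipv4_icmp(packet)
    if p["type"] == ECHO_REQUEST:
        return "You were pinged by %s (id=%d seq=%d, %d payload bytes)" % (
            p["src"], p["id"], p["seq"], len(p["payload"]))
    if p["type"] == ECHO_REPLY:
        return "Echo reply from %s (id=%d seq=%d)" % (p["src"], p["id"], p["seq"])
    return "ICMP type %d code %d from %s" % (p["type"], p["code"], p["src"])


if __name__ == "__main__":
    # Constructed sample: 192.0.2.1 pings 192.0.2.2 with an 8-byte payload.
    req = wrap_ipv4("192.0.2.1", "192.0.2.2",
                    build_icmp_echo(ECHO_REQUEST, 0x1234, 1, b"abcdefgh"))
    print(describe(req))
    print(describe(echo_reply_for(req)))
```

Checking the checksum before trusting type/id/seq matters once this feeds a monitor: a raw socket hands you every ICMP message on the interface, including ones mangled or deliberately malformed by someone probing the listener.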

  • System still sends ping after set outbound traffic to block

    Hi friends,
    I have Win 2008 R2. I found that when I set the firewall's outbound traffic status to Block (in all 3 profiles: domain, public, private), the system can still ping other systems (even though there is no ICMPv4 echo request Allow rule).
    Where is this setting applied from? Where can we change this exception so that ping (outbound ICMPv4 echo request) is also blocked?
    Thanks in advance

    Hi,
    According to your description, my understanding is that you want to block outbound ping packets.
    I suggest you create a new outbound rule to block ping packets. Steps for reference below:
    In the Windows Firewall with Advanced Security console tree, select and then right-click Outbound Rules, then click New Rule.
    On the Rule Type page, click Custom, and then click Next.
    On the Program page, click All programs, and then click Next.
    On the Protocol and Ports page, in the Protocol list, select ICMPv4 and then click Next. (By default this will block all types of ICMP, or you can click Customize to specify the type.)
    On the Scope page, choose the IP addresses which this rule applies to, and then click Next.
    On the Action page, click Block the connection, and then click Next.
    Select the profile and define a name for this rule, and click Finish to save the rule.
    After creating this rule, try to ping and check whether the rule works.
    Best Regards,
    Eve Wang
    Hi Eve
    Please read my question again more carefully.
    I have not asked how to create an outbound rule to deny ping! I definitely know that. My question is something else.

  • There are no more endpoints available on Azure Website

    I am just trying to set up a simple web app that pings an IP address and host it on Azure Websites. I have a standard website (not the free tier) and I have web sockets turned ON.
    I am just sending a simple ping using the system.net.networkinformation.ping part of the .NET API. It runs fine within VS.NET on my machine when deploying locally. However, when I publish to my Azure website and run it there I get
    There are no more endpoints available from the endpoint mapper
    I've tried looking at the Azure configuration; the only obvious thing I noticed was making sure websockets was turned on (and it is).
    Any ideas? I'm sure it is some simple configuration and I'm just missing something? Or are there certain things they do not allow from an Azure Website?
    Thanks a bunch for looking at my question!
    --Ryan

    Hi,
    I am afraid, Azure website doesn't support ping, if you need Inbound & Outbound ping, please vote this feedback:
    http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet/suggestions/3346609-icmp-support-for-azure-websites-roles-cloud-serv
    Best Regards,
    Jambor

  • ASA 5505: unable to ping external hosts

    Hi,
    I have a LAN behind ASA 5505, interface NAT/PAT is configured.
    External interface is configured for PPPoE.
    Everything works fine except I cannot ping from a LAN PC external hosts. I can however ping external hosts from ASA itself. ICMP is allowed:
    icmp permit any inside
    icmp permit any outside
    access-list outside_access_in extended permit icmp any any
    Protocol inspections and fixups are default.
    When I ping an external host 61.95.50.185 from the LAN host 10.2.32.68 I am getting the following in the log:
    302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
    302020 61.95.50.185 202.xx.yy.zz Built ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
    313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 202.xx.yy.zz: no matching session
    313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
    302021 61.95.50.185 202.xx.yy.zz Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 202.xx.yy.zz/1
    302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 202.xx.yy.zz/1 laddr 10.2.32.68/512
    Where 202.xx.yy.zz is IP of external interface of ASA.
    This is a very simple setup that runs on a number of other PIXes/ASAs and pings to external IPs normally work just fine. I can't understand why ping replies are getting dropped on the interface?
    Any help will be highly appreciated.
    Thank you.
    Alex

    Alex / Kerry, you have couple of options for handling icmp outbound, either acl or icmp inspection :
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any source-quench
    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-group outside_access_in in interface outside
    or icmp inspection instead of acl.
    policy-map global_policy
    class inspection_default
    inspect icmp
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
    HTH
    Jorge
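The log lines in Alex's post show the whole story: a 302020 "Built ICMP connection" as the echo request leaves, then 313004/313001 denies of ICMP type 0 (echo-reply) on the outside interface because nothing lets the return traffic back in, which is what Jorge's ACL and "inspect icmp" fix. The following is an added example, not from the thread: a small Python triage script that parses those ASA message IDs (in both raw "%ASA-n-NNNNNN:" syslog form and the ASDM row layout pasted above), separates dropped replies to pings the LAN actually sent from unsolicited ICMP hitting the outside interface, and prints the ACL lines Jorge lists for exactly the reply types that were dropped. The sample lines are constructed; 203.0.113.5 stands in for the ASA outside address and 198.51.100.77 is a made-up external scanner.

```python
"""Triage Cisco ASA ICMP log messages (302020 Built, 313001/313004 Denied).
Added example, not from the thread.  Finds the pattern where the LAN's echo
requests leave but the replies are denied on the outside interface, and
prints the ACL permits needed for the reply types that were dropped."""
import re

LINE = re.compile(r"^(?:%ASA-\d-)?(?P<id>\d{6}):?\s+(?:\S+\s+){0,2}?"
                  r"(?P<text>(?:Built|Teardown|Denied).*)$")
BUILT = re.compile(r"Built ICMP connection for faddr (?P<faddr>\S+)/\d+ "
                   r"gaddr \S+/\d+ laddr (?P<laddr>\S+)/\d+")
DENIED_THROUGH = re.compile(        # 313004: through-the-box, no session
    r"Denied ICMP type=(?P<type>\d+), from laddr (?P<src>\S+) "
    r"on interface (?P<iface>\S+) to (?P<dst>\S+): no matching session")
DENIED_TO_BOX = re.compile(         # 313001: aimed at the ASA's own address
    r"Denied ICMP type=(?P<type>\d+), code=(?P<code>\d+) from (?P<src>\S+) "
    r"on interface (?P<iface>\S+)")

# ICMP types an outbound ping/traceroute legitimately gets back, keyed by the
# keyword the ASA takes in "permit icmp any any <name>" (Jorge's list).
RETURN_TYPES = {0: "echo-reply", 3: "unreachable", 4: "source-quench", 11: "time-exceeded"}

# Constructed sample in the thread's format; 203.0.113.5 = ASA outside IP.
SAMPLE = """\
302020 61.95.50.185 10.2.32.68 Built ICMP connection for faddr 61.95.50.185/0 gaddr 203.0.113.5/1 laddr 10.2.32.68/512
313004 Denied ICMP type=0, from laddr 61.95.50.185 on interface outside to 203.0.113.5: no matching session
313001 61.95.50.185 Denied ICMP type=0, code=0 from 61.95.50.185 on interface outside
302021 61.95.50.185 10.2.32.68 Teardown ICMP connection for faddr 61.95.50.185/0 gaddr 203.0.113.5/1 laddr 10.2.32.68/512
%ASA-4-313004: Denied ICMP type=11, from laddr 61.95.50.185 on interface outside to 203.0.113.5: no matching session
%ASA-3-313001: Denied ICMP type=8, code=0 from 198.51.100.77 on interface outside
"""


def parse(line: str):
    """One log line -> dict with kind built/denied/other, or None if not an ASA line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    msg_id, text = m.group("id"), m.group("text")
    for kind, rx in (("built", BUILT), ("denied", DENIED_THROUGH), ("denied", DENIED_TO_BOX)):
        d = rx.search(text)
        if d:
            rec = {"id": msg_id, "kind": kind, **d.groupdict()}
            if "type" in rec:
                rec["type"] = int(rec["type"])
            return rec
    return {"id": msg_id, "kind": "other", "text": text}


def triage(lines, outside: str = "outside") -> dict:
    records = [r for r in (parse(l) for l in lines) if r]
    pinged = {r["faddr"] for r in records if r["kind"] == "built"}
    dropped_replies, unsolicited = [], []
    for r in records:
        if r["kind"] != "denied" or r["iface"] != outside:
            continue
        if r["src"] in pinged and r["type"] in RETURN_TYPES:
            dropped_replies.append(r)        # return traffic for a ping we sent
        else:
            unsolicited.append(r)            # nobody inside asked for this one
    missing = sorted({RETURN_TYPES[r["type"]] for r in dropped_replies})
    acl_fix = ["access-list outside_access_in extended permit icmp any any %s" % n
               for n in missing]
    return {"dropped_replies": dropped_replies, "unsolicited": unsolicited,
            "missing_return_types": missing, "acl_fix": acl_fix}


def demo() -> dict:
    return triage(SAMPLE.splitlines())


if __name__ == "__main__":
    report = demo()
    print("dropped replies to our own pings:", len(report["dropped_replies"]))
    print("unsolicited ICMP on outside:", [(r["src"], r["type"]) for r in report["unsolicited"]])
    print("\n".join(report["acl_fix"]))
```

The ACL route is the narrow fix, but as Jorge says "inspect icmp" in the global policy is the cleaner one: the ASA then tracks echo id/sequence and lets only matching replies back, instead of a standing "permit icmp any any echo-reply" that admits any echo-reply from anywhere.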

  • How do I block pings from the outside to the ASA 5505 outside interface?

    I was asked to block pings from the internet to the outside interface of our ASA-5505 firewall.  I found a post that said to enter "icmp deny any outside", however that does not do it.
    I created an ACL to try and do the trick, also to no avail:
    access-list outside_in extended permit icmp any any echo-reply
    access-list outside_in in interface outside
    access-group outside_in in interface outside
    Anyone have a clue what I'm doing wrong?  I'm not the firewall guy as you can tell.  :/
    Thanks in advance...
    Block / Deny ICMP Echo (Ping) on Cisco ASA Outside Interface
    Most networks that you protect with a Cisco ASA device, will probably want to deny ICMP (maybe not all ICMP types, but a lot of network admins will want to block ICMP Echo, etc.) on the outside interface. This will make the network harder to find through external enumeration, but not impossible.
    ASA5505(config)#icmp deny any outside
    You will deny ICMP on the outside interface, but if you include ICMP as a protocol in the default global policy map, you can ping from the inside to any host on the outside, and it will be permitted back through the ASA, as it knows about the previous ICMP “connection

    You are allowing echo-reply, thus it will reply to a ping
    try this ACL:
    icmp deny any echo-reply outside
    From: 
    https://supportforums.cisco.com/thread/223769
    Eric

  • How to block Ping requests in Solaris 10

    Hello all,
    Could you pls let me know how to block icmp packets (ping) on solaris 10.
    thanks a lot
    tpiranav

    are you familiar with ipf? it comes with solaris. check man ipf for some starter background if you are unfamiliar with it.

  • SQL firewall rule to restrict traffic from only one Azure PaaS website (cross-post from websites)

    (This has also been posted on the websites forum)
    Hi,
    I have been asked to configure the firewall on the SQL PaaS instance to only allow traffic from a specified PaaS website that is within the same subscription. I can't see any way to set a static internal IP for the website, is there a way to identify it for the purpose of the SQL Database firewall rule?
    Thanks,
    Karina

    You're right, KG! Sorry.
    This article mentions a reserved-IP:
    https://msdn.microsoft.com/en-us/library/azure/dn690120.aspx
    It specifically mentions your scenario:
    You want to ensure that outbound traffic from Azure uses a predictable IP address. You may have your firewall configured to allow only traffic from specific IP addresses. By reserving a VIP, you will know the source IP address and won't have to update your firewall rules due to a VIP change. This is especially helpful if you want to configure your firewall before you create your cloud service.
    The only thing I'm not confident on would be if it works with Azure Websites - it does mention cloud services, though. If you have further questions, I can give a shot myself and see if I can get a working example.

  • Pgl and icmp [solved]

    Greetings,
    PGL seems to be blocking icmp on my local network because of the bogon rules.  I can't seem to find anything that refers to icmp or ping in the defaults file or on the pgl wiki on sourceforge.  Does anyone know how to allow icmp from an IP range in pgl?
    thanks!
    Adam
    [edit]
    I found documentation that allows for custom iptables rules for pgl (peerguardian linux): anything in /etc/pgl that ends with insert.sh will be run, so all I needed to do was put the following rule in and my local pings were allowed:
    iptables -I pgl_in -p icmp -m icmp --icmp-type any -s 192.168.1.0/24 -j ACCEPT
    [/edit]
    Last edited by adambot (2013-01-05 02:15:05)

    lucke wrote:
    Are you using the same program under both systems?
    You might have to symlink some data/config directories (the one with program's data about downloaded files).
    thanks, solved the problem.
    the user profiles dir in wine is under the windows dir instead of "Documents and Settings"
    thanks luke

  • SNMP vs ICMP For Monitoring

    We're using a layer 3 routed access model.  In our monitoring systems, we typically use ICMP to ping the access layer end of the /30 link.  It's simple, it works, but I'm just wondering if anyone has any opinions on whether it is better to do a ping or to query the status of the uplink interface via SNMP.  Our system polls once a minute, so for each device we're typically looking at two SNMP queries or two pings per minute.  Once an hour the system checks for ifindex updates.
    I can see advantages and disadvantages either way.  My inclination would be to make it all SNMP-based.  But I'd be interested in opinions for or against.

    And you hit it -- I created an instance of Nagios to monitor our network.  I was originally using ICMP, but I'm having second thoughts.
    One of the advantages of SNMP is you can report back the status of the port -- is it up, is it down, is it admin down.  The disadvantage is if the port gets changed for whatever reason, now you have to go and change the monitoring.  But if you test by IP address, it's good either way.
    But if you test by IP address and someone else has duplicated it elsewhere in the network (never happens, right??), then if the uplink port goes down, you don't know it.
    So I'm just looking for how others feel about this value judgment.  As I mentioned, I'm leaning toward converting everything to SNMP ifOperStatus/ifAdminStatus queries.

  • Linksys WRV200 pinging internal LAN

    I'm having this weird problem with my WRV200 router (ip 172.18.12.16) that has happened now for the third time. The router broadcasts ICMP packets to my internal LAN. The source is the router itself. The only fix at this time is to reboot the router but it does come back at no specific time. Has anyone seen this problem? The router does have the latest firmware available, and has the default settings (more or less).
    No. Time Source Destination Protocol Info
    1 0.000000 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 1 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    2 0.399973 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 2 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    3 0.809906 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 3 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    4 0.969284 Cisco-Li_06:d3:64 Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:18:39:06:d3:64 Cost = 0 Port = 0x8001
    Frame 4 (60 bytes on wire, 60 bytes captured)
    IEEE 802.3 Ethernet
    Logical-Link Control
    Spanning Tree Protocol
    No. Time Source Destination Protocol Info
    5 0.999938 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 5 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    6 1.399928 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 6 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    7 1.810387 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 7 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    8 1.999827 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 8 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    9 2.399864 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 9 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    10 2.809766 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 10 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol
    No. Time Source Destination Protocol Info
    11 2.969142 Cisco-Li_06:d3:64 Spanning-tree-(for-bridges)_00 STP Conf. Root = 32768/00:18:39:06:d3:64 Cost = 0 Port = 0x8001
    Frame 11 (60 bytes on wire, 60 bytes captured)
    IEEE 802.3 Ethernet
    Logical-Link Control
    Spanning Tree Protocol
    No. Time Source Destination Protocol Info
    12 2.999805 172.18.12.16 172.18.255.255 ICMP Echo (ping) request
    Frame 12 (98 bytes on wire, 98 bytes captured)
    Ethernet II, Src: Cisco-Li_06:d3:64 (00:18:39:06:d3:64), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol, Src: 172.18.12.16 (172.18.12.16), Dst: 172.18.255.255 (172.18.255.255)
    Internet Control Message Protocol

    I'm noticing the same behavior with my WRV200. If I ping the router from a wired or wireless connection, I get an 85% loss rate. The 15% that do reply average close to 2,000ms!!! I installed Microsoft Network Monitor 3.1 and captured over 40,000 ICMP broadcasts coming from the Linksys router in a very short period of time, ~10 to 15 minutes. If I power cycle the router, everything returns to normal...for a day or two that is. Linksys support only seems to want to "reset" your router or change the MTU to a different value. Class A support! I'm still researching and will update if I don't end up buying another brand.

  • Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues

    We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is displayed by the Cisco VPN Client:
    "Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
    Upon looking at a client side packet capture, I notice that no response is being given back to the client for the udp packets sent to the ASA on udp 500. If I login to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
    Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
    Any insight would be greatly appreciated.
    I'm using IOS 831 and have tried 821 and 823 as one thread that I found recommended downgraded to 821.
    Thanks much,
    Justin

    Javier,
    I logged into the ASA last time the VPN went down. I issued the following commands:
    debug crypto isakmp 190
    debug crypto ipsec 190
    capture outside-cap interface outside match udp any any
    I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
    show capture outside | include 500
    and also got nothing. So I issued the following command:
    ping 4.2.2.2
    Upon which my normal debug messages began to show up, so I issued the show capture outside command again and received the expected output below:
       1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
       2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
       3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
       4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
       5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
       6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
       7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
       8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
       9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
      10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
      11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
      12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
      13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
      14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
      15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
      16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
      17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
      18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
      19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
      20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
      21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
      22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
      23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
      34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
      35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
      70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
    174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
    377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100
    It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
    Once again, any insight would be greatly appreciated.
    Thanks,
    Justin

  • Bridge connection problem.

    I'm trying to set up a bridge connection between my laptop and a USB-connected Android phone using this guide:
    http://blog.mycila.com/2010/06/reverse- … id-22.html
    My internet interface is wlan0, not eth0.
    However, I run into a problem:
    $ sudo ifconfig wlan0 0.0.0.0
    $ sudo ifconfig usb0 0.0.0.0
    $ sudo brctl addbr br0
    $ sudo brctl addif br0 wlan0
    can't add wlan0 to bridge br0: Operation not supported
    I also tried doing it this way:
    On PC:
    sudo ifconfig usb0 192.168.42.1
    # enable routing
    sysctl net.ipv4.ip_forward=1
    # enable nat
    iptables -t nat -I POSTROUTING -s 192.168.42.129 -j MASQUERADE -o wlan0
    And issue this command on the phone:
    route add -net default gw 192.168.42.1
    But I can't even ping localhost from the phone
    # ping 192.168.42.129
    PING 192.168.42.129 (192.168.42.129) 56(84) bytes of data.
    ^C
    --- 192.168.42.129 ping statistics ---
    161 packets transmitted, 0 received, 100% packet loss, time 160105ms
    # ping localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    ^C
    --- localhost ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 2999ms
    # busybox ping localhost
    PING localhost (127.0.0.1): 56 data bytes
    Last edited by Lockheed (2013-01-28 11:37:21)

    Ok, so here's my conf:
    # You should put this config-file in /etc/arno-iptables-firewall/ #
    # --------------------------- Configuration file ------------------------------
    # -= Arno's iptables firewall =-
    # Single- & multi-homed firewall script with DSL/ADSL support
    # (C) Copyright 2001-2012 by Arno van Amersfoort
    # Co-authors : Lonnie Abelbeck & Philip Prindeville
    # Homepage : http://rocky.eld.leidenuniv.nl/
    # Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
    # Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
    # (note: you must remove all spaces and substitute the @ and the .
    # at the proper locations!)
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # version 2 as published by the Free Software Foundation.
    # This program is distributed in the hope that it will be useful, but WITHOUT
    # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
    # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
    # more details.
    # You should have received a copy of the GNU General Public License along with
    # this program; if not, write to the Free Software Foundation Inc., 59 Temple
    # Place - Suite 330, Boston, MA 02111-1307, USA.
    # External (internet) interface settings #
    # The external interface(s) that will be protected (and used as internet
    # connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
    # modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
    # be space separated.
    EXT_IF="eth0 wlan0"
    # Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
    # and/or (IPv6) DHCPv6 (from your ISP)
    EXT_IF_DHCP_IP=1
    # (EXPERT SETTING!) Here you can specify your external(!) IPv4 subnet(s). You
    # should only use this if you for example have a corporate network and/or
    # running a DHCP server on your external(!) interface. Home users should
    # normally NOT touch this setting. Multiple subnets should be space separated.
    # Don't forget to specify a proper subnet mask (eg. /24, /16 or /8)!
    #EXTERNAL_NET=""
    # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
    # on your external subnet. You only need to set this option if you want to use
    # the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
    # address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
    # this empty should work fine. Multiple addresses should be space separated.
    #EXT_NET_BCAST_ADDRESS=""
    # Enable this if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
    # on the external(!) interface. Note that you don't need this for internal
    # subnets, as for these nets everything is accepted by default. Don't forget to
    # configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
    EXTERNAL_DHCP_SERVER=0
    # Enable this if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
    # address on the external(!) interface. Note that you don't need this for internal
    # subnets, as for these nets everything is accepted by default. (IPv6 Only)
    EXTERNAL_DHCPV6_SERVER=0
    # Internal (LAN) interface settings #
    # Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
    # should be space separated. Remark this if you don't have any internal network
    # interfaces. Note that by default ALL traffic is accepted from these
    # interfaces.
    INT_IF="usb0 usb1"
    # Specify here the internal IPv4 subnet(s) which is/are connected to the
    # internal interface(s). For multiple interfaces(!) you can either specify
    # multiple subnets here or specify one big subnet for all internal interfaces.
    # Note that this variable is mainly used for antispoofing.
    INTERNAL_NET="10.1.3.0/24"
    # Set this variable to 0 to disable antispoof checking for the internal nets
    # (EXPERT SETTING!)
    INTERNAL_NET_ANTISPOOF=1
    # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
    # on your internal subnet. You only need to set this option if you want to use
    # the MAC filter AND you use a non-standard broadcast address
    # (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
    # this empty should work fine. Multiple addresses (if you have multiple
    # internal nets) should be space separated.
    #INT_NET_BCAST_ADDRESS=""
    # DMZ (aka DeMilitarized Zone) settings #
    # Put in the following variable the network interfaces that are DMZ-classified.
    # You can also use this interface if you want to shield your Wireless network
    # from your LAN.
    DMZ_IF=""
    # Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
    # For multiple interfaces(!) you can either specify multiple subnets here or
    # specify one big subnet for all DMZ interfaces.
    DMZ_NET=""
    # Set this variable to 0 to disable antispoof checking for the dmz nets
    # (EXPERT SETTING!)
    DMZ_NET_ANTISPOOF=1
    # NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!) #
    # Enable this if you want to perform NAT (masquerading) for your internal
    # network (LAN) (eg. share your internet connection with your internal
    # net(s) connected to eg. INT_IF)
    NAT=1
    # (EXPERT SETTING!) In case you would like to use SNAT instead of
    # MASQUERADING then uncomment and set the IP or IPs here of your static
    # external address(es). Note that when multiple IPs are specified, SNAT
    # multiroute is enabled (load balancing over multiple external (internet)
    # interfaces, check the README file for more info). Note that the order of IPs
    # should match the order of interfaces (they belong to) in $EXT_IF!
    #NAT_STATIC_IP="193.2.1.1"
    # (EXPERT SETTING!) Use this variable only if you want specific subnets or
    # hosts to be able to access the internet. When no value is specified, your
    # whole internal net will have access. In both cases it's obviously only
    # meaningful when NAT is enabled. Note that you can also use this variable if
    # you want to use NAT for your DMZ.
    NAT_INTERNAL_NET="$INTERNAL_NET"
    # (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
    # or protocols on your gateway using NAT forwards.
    NAT_LOCAL_REDIRECT=0
    # NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
    # an internal client through (D)NAT. Note that you can also use these
    # variables to forward ports to DMZ hosts.
    # TCP/UDP form:
    # "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
    # {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
    # IP form:
    # "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
    # {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
    # TCP/UDP port forward examples:
    # Simple (forward port 80 to internal host 192.168.0.10):
    # NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
    # Advanced (forward port 20 & 21 to 192.168.0.10 and
    # forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
    # NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
    # IP protocol forward example:
    # (forward protocols 47 & 48 to 192.168.0.10)
    # NAT_FORWARD_IP="47,48>192.168.0.10"
    # NOTE 1: {~port} is optional. Use it to redirect a specific port to a
    # different port on the internal client.
    # NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
    # (inet) IP addresses.
    # (IPv4 Only)
    NAT_FORWARD_TCP=""
    NAT_FORWARD_UDP=""
    NAT_FORWARD_IP=""
    # TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
    # from the gateway to an internal client. Note that you can also use these
    # variables to forward ports to DMZ hosts.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1{~port} \
    # SRCIP3,...>DESTIP2{~port}"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
    # SRCIP3,...>DESTIP2~PROTO"
    # TCP/UDP port forward examples:
    # Simple (IPv6 forward port 80 to internal host 2001:db8::2):
    # INET_FORWARD_TCP="::/0>2001:db8::2~80"
    # Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
    # INET_FORWARD_TCP="0/0>192.168.0.10~80"
    # Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
    # INET_FORWARD_UDP="2000::/3>2001:db8::/32"
    # IP protocol forward example:
    # (forward protocol 58 (ICMPv6) to 2001:db8::2)
    # INET_FORWARD_IP="::/0>2001:db8::2~58"
    # (IPv6 and non-NAT'ed IPv4 Only)
    INET_FORWARD_TCP=""
    INET_FORWARD_UDP=""
    INET_FORWARD_IP=""
    # General settings #
    # (EXPERT SETTING!) Location of the iptables-binary (use 'locate iptables' or
    # 'whereis iptables' to manually locate it), required for (default) IPv4 support
    IP4TABLES="/usr/sbin/iptables"
    # (EXPERT SETTING!) Location of the ip6tables-binary (use 'locate ip6tables' or
    # 'whereis ip6tables' to manually locate it), required for IPv6 support
    IP6TABLES="/usr/sbin/ip6tables"
    # (EXPERT SETTING!) Location of the environment file
    ENV_FILE="/usr/share/arno-iptables-firewall/environment"
    # (EXPERT SETTING!) Location of plugin binary & config files
    PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
    PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
    # Most people don't want to get any firewall logs being spit to the console.
    # This option makes the kernel ring buffer only log messages with level
    # "panic".
    DMESG_PANIC_ONLY=1
    # Enable this if you want TOS mangling (RFC)
    MANGLE_TOS=0
    # Enable this if you want to set the maximum packet size via the
    # Maximum Segment Size(through MSS field)
    SET_MSS=1
    # Enable this if you want to increase the TTL value by one in the prerouting
    # chain. This hides the firewall when performing eg. traceroutes to internal
    # hosts. (IPv4 only!)
    TTL_INC=0
    # (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
    # the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
    # (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
    # support. Don't mess with this unless you really know what you are doing!
    # (IPv4 only!)
    #PACKET_TTL="64"
    # Enable this to support the IRC-protocol.
    USE_IRC=0
    # (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
    # Enable it to allow the use of protocols like UPnP. Note that it *could* be
    # less secure.
    LOOSE_FORWARD=0
    # (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be
    # forwarded between interfaces. (IPv6 Only)
    FORWARD_LINK_LOCAL=0
    # (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with
    # Routing Header Type 0. Enabled by default. (IPv6 Only)
    IPV6_DROP_RH_ZERO=1
    # (EXPERT SETTING!) Enable this if you want to drop packets originating from a
    # private address.
    # Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1
    RESERVED_NET_DROP=0
    # (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
    # ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
    DRDOS_PROTECT=0
    # Enable (1) if you want to enable mixed IPv4/IPv6 traffic support
    # Disable (0) if you want to enable only IPv4 traffic support
    IPV6_SUPPORT=0
    # This option fixes problems with SMB broadcasts when using nmblookup
    NMB_BROADCAST_FIX=0
    # Set this to 0 to suppress "assuming module is compiled in kernel" messages
    COMPILED_IN_KERNEL_MESSAGES=1
    # (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
    # chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
    # when there are no rule(s) available (yet), the packet will be DROPPED. In
    # practice this rule only does something while the firewall is starting. Once
    # it's started and all rules are in place, the default policy doesn't do
    # anything anymore. People that use eg. NFS and let their clients boot from NFS
    # (diskless client systems) probably want to disable this option to fix
    # "NFS server not responding" etc. errors on their clients.
    DEFAULT_POLICY_DROP=1
    # (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
    # traffic should be ACCEPTED. (multiple(!) interfaces should be space
    # separated). Be warned that anything TO and FROM these interfaces is allowed
    # (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
    # (internet)! And of course putting one of your external interfaces here would
    # be extremely stupid.
    TRUSTED_IF=""
    # (EXPERT SETTING!) Put here the interfaces that should trust
    # each other (accept forward traffic). You can use | (piping-sign) to create
    # separate interface groups. And (again) of course putting one of your external
    # interfaces here would be extremely stupid.
    IF_TRUSTS=""
    # Location of the custom iptables rules file (if any).
    CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
    # Location of the local (user/global) configuration file, if used
    LOCAL_CONFIG_FILE=""
    # (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
    # iptables-restore to add rules in batch rather than one-by-one. Much slower
    # when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
    DISABLE_IPTABLES_BATCH=0
    # (EXPERT SETTING!) Set this (to 1) to enable tracing
    TRACE=0
    # Logging options - All logging is rate limited to prevent log flooding #
    # Enable logging for explicitly blocked hosts.
    BLOCKED_HOST_LOG=1
    # Enable logging for various stealth scans (reliable).
    SCAN_LOG=1
    # Enable logging for possible stealth scans (less reliable).
    POSSIBLE_SCAN_LOG=1
    # Enable logging for TCP-packets with bad flags.
    BAD_FLAGS_LOG=1
    # Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
    # INVALID packets being logged because of lost (legitimate) connections. When
    # debugging any problems, you should enable it (temporarily)!
    INVALID_TCP_LOG=0
    # Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
    # INVALID packets being logged because of lost (legitimate) connections. When
    # debugging any problems, you should enable it (temporarily)!
    INVALID_UDP_LOG=0
    # Enable logging of invalid ICMP packets. Keep disabled (0) by default to reduce
    # INVALID packets being logged because of lost (legitimate) connections. When
    # debugging any problems, you should enable it (temporarily)!
    INVALID_ICMP_LOG=0
    # Enable (1) logging of source IPs with reserved or private addresses.
    RESERVED_NET_LOG=0
    # Enable logging of fragmented packets.
    FRAG_LOG=1
    # Enable logging of denied local (OUTPUT) connections.
    INET_OUTPUT_DENY_LOG=1
    # Enable logging of denied LAN output (FORWARD) connections.
    LAN_OUTPUT_DENY_LOG=1
    # Enable logging of denied LAN INPUT connections.
    LAN_INPUT_DENY_LOG=1
    # Enable logging of denied DMZ output (FORWARD) connections.
    DMZ_OUTPUT_DENY_LOG=1
    # Enable logging of denied DMZ input (FORWARD) connections.
    DMZ_INPUT_DENY_LOG=1
    # Enable logging of dropped FORWARD packets.
    FORWARD_DROP_LOG=1
    # Enable logging of dropped IPv6 Link-Local forwarded packets.
    # Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)
    LINK_LOCAL_DROP_LOG=1
    # Enable logging of dropped ICMP-request packets (ping).
    ICMP_REQUEST_LOG=1
    # Enable logging of dropped "other" ICMP packets.
    ICMP_OTHER_LOG=1
    # Enable logging of normal connection attempts to privileged TCP ports.
    PRIV_TCP_LOG=1
    # Enable logging of normal connection attempts to privileged UDP ports.
    PRIV_UDP_LOG=1
    # Enable logging of normal connection attempts to unprivileged TCP ports.
    UNPRIV_TCP_LOG=1
    # Enable logging of normal connection attempts to unprivileged UDP ports.
    UNPRIV_UDP_LOG=1
    # Enable logging of IPv4 IGMP packets
    IGMP_LOG=1
    # Enable logging of normal connection attempts to "other-IP"-protocols (non
    # TCP/UDP/ICMP/IGMP).
    OTHER_IP_LOG=1
    # Enable logging for ICMP flooding.
    ICMP_FLOOD_LOG=1
    # (EXPERT SETTING!) The location of the dedicated firewall log file. When
    # enabled the firewall script will also log start/stop etc. info to this file
    # as well. Note that in order to make this work, you should also configure
    # syslogd to log firewall messages to this file (see LOGLEVEL below for further
    # info).
    #FIREWALL_LOG="/var/log/firewall.log"
    # (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)
    # "debug": can be used to log to /var/log/firewall.log, but you have to configure
    # syslogd accordingly (see included syslogd.conf examples).
    LOGLEVEL="info"
    # Put in the following variables which hosts you want to log certain incoming
    # connection attempts for.
    # TCP/UDP port format (LOG_HOST_INPUT_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (LOG_HOST_INPUT_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    LOG_HOST_INPUT_TCP=""
    LOG_HOST_INPUT_UDP=""
    LOG_HOST_INPUT_IP=""
    # Put in the following variables which hosts you want to log certain outgoing
    # connection attempts for.
    # TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (LOG_HOST_OUTPUT_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    LOG_HOST_OUTPUT_TCP=""
    LOG_HOST_OUTPUT_UDP=""
    LOG_HOST_OUTPUT_IP=""
    # Put in the following variables which services you want to log incoming
    # connection attempts for.
    LOG_INPUT_TCP=""
    LOG_INPUT_UDP=""
    LOG_INPUT_IP=""
    # Put in the following variables which services you want to log outgoing
    # connection attempts for.
    LOG_OUTPUT_TCP=""
    LOG_OUTPUT_UDP=""
    LOG_OUTPUT_IP=""
    # Put in the following variable which hosts you want to log incoming connection
    # (attempts) for.
    LOG_HOST_INPUT=""
    # Put in the following variable which hosts you want to log outgoing connection
    # (attempts) to.
    LOG_HOST_OUTPUT=""
    # sysctl based settings (EXPERT SETTINGS!) #
    # Enable for synflood protection (through /proc/.../tcp_syncookies).
    SYN_PROT=1
    # Enable this to reduce the ability of others DOS'ing your machine.
    REDUCE_DOS_ABILITY=1
    # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
    ECHO_IGNORE=0
    # Enable to log packets with impossible addresses to the kernel log.
    LOG_MARTIANS=0
    # Only disable this if you're NOT using forwarding (required for NAT etc.) for
    # increased security.
    # Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.
    IP_FORWARDING=1
    # (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
    # you do not use autoconf to obtain your IPv6 address.
    # Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
    IPV6_AUTO_CONFIGURATION=1
    # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
    # case of a router.
    ICMP_REDIRECT=0
    # Enable/modify this if you want to be able to handle a larger (or smaller)
    # number of simultaneous connections. For high traffic machines I recommend to
    # use a value of at least 16384 (note that a higher value (obviously) also uses
    # more memory).
    CONNTRACK=16384
    # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
    # as some routers are still not compatible with this.
    ECN=0
    # Enable to drop connections from non-routable IPs, eg. prevent source
    # routing. By default the firewall itself also provides rules against source
    # routing. Note that when you use eg. VPN (Freeswan), you should probably
    # disable this setting.
    RP_FILTER=1
    # Protect against source routed packets. Attackers can use source routing to
    # generate traffic pretending to be from inside your network, but which is
    # routed back along the path from which it came, namely outside, so attackers
    # can compromise your network. Source routing is rarely used for legitimate
    # purposes, so normally you should always leave this enabled(1)!
    SOURCE_ROUTE_PROTECTION=1
    # Here we set the local port range (ports from which connections are
    # initiated from our site). Don't mess with this unless you really know what
    # you are doing!
    LOCAL_PORT_RANGE="32768 61000"
    # Here you can change the default TTL used for sending packets. The value
    # should be between 10 and 255. Don't mess with this unless you really know
    # what you are doing!
    DEFAULT_TTL=64
    # In most cases pmtu discovery is ok, but in some rare cases (when having
    # problems) you might want to disable it.
    NO_PMTU_DISCOVERY=0
    # Firewall policies for the LAN (EXPERT SETTINGS!) #
    # LAN_xxx = LAN->localhost(this machine) input access rules #
    # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #
    # default policy for this chain is accept (unless denied through #
    # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #
    # Enable this to allow for ICMP-requests(ping) from your LAN
    LAN_OPEN_ICMP=1
    # Put in the following variables the TCP/UDP ports or IP protocols TO
    # (remote end-point) which the LAN hosts are permitted to connect to.
    LAN_OPEN_TCP=""
    LAN_OPEN_UDP=""
    LAN_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
    # end-point) which LAN hosts are NOT permitted to connect to.
    LAN_DENY_TCP=""
    LAN_DENY_UDP=""
    LAN_DENY_IP=""
    # Put in the following variables the TCP/UDP ports or IP
    # protocols TO (remote end-point) which certain LAN hosts are
    # permitted to connect to.
    # TCP/UDP port format (LAN_INPUT_HOST_OPEN_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (LAN_INPUT_HOST_OPEN_xxx):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    LAN_HOST_OPEN_TCP=""
    LAN_HOST_OPEN_UDP=""
    LAN_HOST_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
    # end-point) which certain LAN hosts are NOT permitted to connect to.
    # TCP/UDP port format (LAN_INPUT_HOST_DENY_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (LAN_INPUT_HOST_DENY_xxx):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    LAN_HOST_DENY_TCP=""
    LAN_HOST_DENY_UDP=""
    LAN_HOST_DENY_IP=""
    # LAN_INET_xxx = LAN->internet access rules (forward) #
    # Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT #
    # used, the default policy for this chain is accept (unless denied #
    # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #
    # Enable this to allow for ICMP-requests(ping) for LAN->INET
    LAN_INET_OPEN_ICMP=1
    # Put in the following variables the TCP/UDP ports or IP
    # protocols TO (remote end-point) which the LAN hosts are
    # permitted to connect to via the external (internet) interface.
    LAN_INET_OPEN_TCP=""
    LAN_INET_OPEN_UDP=""
    LAN_INET_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
    # end-point) which the LAN hosts are NOT permitted to connect to
    # via the external (internet) interface. Examples of usage are for blocking
    # IRC (TCP 6666:6669) for the internal network.
    LAN_INET_DENY_TCP=""
    LAN_INET_DENY_UDP=""
    LAN_INET_DENY_IP=""
    # Put in the following variables which LAN hosts you want to allow to certain
    # hosts/services on the internet. By default all services are allowed.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple:
    # (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
    # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
    # Advanced:
    # (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
    # allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
    # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
    # IP protocol example:
    # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
    # LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    LAN_INET_HOST_OPEN_TCP=""
    LAN_INET_HOST_OPEN_UDP=""
    LAN_INET_HOST_OPEN_IP=""
    # Put in the following variables which DMZ hosts you want to deny to certain
    # hosts/services on the internet.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
    # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
    # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
    # deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
    # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
    # IP protocol example:
    # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
    # LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    LAN_INET_HOST_DENY_TCP=""
    LAN_INET_HOST_DENY_UDP=""
    LAN_INET_HOST_DENY_IP=""
    # Firewall policies for the DMZ (EXPERT SETTINGS!) #
    # DMZ_xxx = DMZ->localhost(this machine) input access rules #
    # Enable this to allow ICMP-requests(ping) from the DMZ
    DMZ_OPEN_ICMP=1
    # Put in the following variables which DMZ hosts are permitted to connect to
    # certain TCP/UDP ports, IP protocols or ICMP. By default all (local)
    # services are blocked for DMZ hosts.
    DMZ_OPEN_TCP=""
    DMZ_OPEN_UDP=""
    DMZ_OPEN_IP=""
    # Put in the following variables which DMZ hosts you want to allow for certain
    # services. By default all (local) services are blocked for DMZ hosts.
    # TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (DMZ_HOST_OPEN_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    DMZ_HOST_OPEN_TCP=""
    DMZ_HOST_OPEN_UDP=""
    DMZ_HOST_OPEN_IP=""
    # INET_DMZ_xxx = Internet->DMZ access rules (forward) #
    # Note: As of Version 2.0.0 the default policy has changed to DROP #
    # Previous to Version 2.0.0 the default policy was ACCEPT #
    # Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
    INET_DMZ_OPEN_ICMP=0
    # Put in the following variables which INET hosts are permitted to connect to
    # certain TCP/UDP ports or IP protocols in the DMZ.
    INET_DMZ_OPEN_TCP=""
    INET_DMZ_OPEN_UDP=""
    INET_DMZ_OPEN_IP=""
    # Put in the following variables which INET hosts are NOT permitted to connect
    # to certain TCP/UDP ports or IP protocols in the DMZ.
    INET_DMZ_DENY_TCP=""
    INET_DMZ_DENY_UDP=""
    INET_DMZ_DENY_IP=""
    # Put in the following variables which INET hosts you want to allow to certain
    # hosts/services on the DMZ net. By default all services are dropped.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
    # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
    # Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
    # allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
    # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
    # INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    INET_DMZ_HOST_OPEN_TCP=""
    INET_DMZ_HOST_OPEN_UDP=""
    INET_DMZ_HOST_OPEN_IP=""
    # Put in the following variables which INET hosts you want to deny to certain
    # hosts/services on the DMZ net.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
    # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
    # Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
    # deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
    # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
    # INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    INET_DMZ_HOST_DENY_TCP=""
    INET_DMZ_HOST_DENY_UDP=""
    INET_DMZ_HOST_DENY_IP=""
    # DMZ_INET_xxx = DMZ->internet access rules (forward) #
    # Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT #
    # used, the default policy for this chain is accept (unless denied #
    # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
    # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
    DMZ_INET_OPEN_ICMP=1
    # Put in the following variables the TCP/UDP ports or IP
    # protocols TO (remote end-point) which the DMZ hosts are
    # permitted to connect to via the external (internet) interface.
    DMZ_INET_OPEN_TCP=""
    DMZ_INET_OPEN_UDP=""
    DMZ_INET_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
    # end-point) which the DMZ hosts are NOT permitted to connect to
    # via the external (internet) interface. Examples of usage are for blocking
    # IRC (TCP 6666:6669) for the internal network.
    DMZ_INET_DENY_TCP=""
    DMZ_INET_DENY_UDP=""
    DMZ_INET_DENY_IP=""
    # Put in the following variables which DMZ hosts you want to allow to certain
    # hosts/services on the internet. By default all services are allowed.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
    # Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
    # allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
    # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
    # DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    DMZ_INET_HOST_OPEN_TCP=""
    DMZ_INET_HOST_OPEN_UDP=""
    DMZ_INET_HOST_OPEN_IP=""
    # Put in the following variables which DMZ hosts you want to deny to certain
    # hosts/services on the internet.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
    # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
    # deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
    # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    DMZ_INET_HOST_DENY_TCP=""
    DMZ_INET_HOST_DENY_UDP=""
    DMZ_INET_HOST_DENY_IP=""
    # DMZ_LAN_xxx = DMZ->LAN access rules (forward) #
    # Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
    DMZ_LAN_OPEN_ICMP=0
    # Put in the following variables which DMZ hosts you want to allow to certain
    # hosts/services on the LAN (net).
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
    # Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
    # allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
    # 1.2.3.4):
    # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    DMZ_LAN_HOST_OPEN_TCP=""
    DMZ_LAN_HOST_OPEN_UDP=""
    DMZ_LAN_HOST_OPEN_IP=""
    # Firewall policies for the external (inet) interface (default policy = drop) #
    # Put in the following variable which hosts (subnets) you want have full access
    # via your internet (EXT_IF) connection(!). This is especially meant for
    # networks/servers which use NIS/NFS, as these protocols require all ports
    # to be open.
    # NOTE: Don't mistake this variable with the one used for internal nets.
    FULL_ACCESS_HOSTS=""
    # Put in the following variables which TCP/UDP ports you don't want to
    # see broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that
    # to make this work properly you also need to set "EXTERNAL_NET"!
    BROADCAST_TCP_NOLOG=""
    #BROADCAST_UDP_NOLOG="67 68"
    # Put in the following variables which hosts you want to allow for certain
    # services.
    # TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (HOST_OPEN_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    # ICMP protocol format (HOST_OPEN_ICMP):
    # "host1 host2 ...."
    HOST_OPEN_TCP=""
    HOST_OPEN_UDP=""
    HOST_OPEN_IP=""
    HOST_OPEN_ICMP=""
    # Put in the following variables which hosts you want to DENY(DROP) for certain
    # services (and logged).
    # TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (HOST_DENY_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    # ICMP protocol format (HOST_DENY_ICMP):
    # "host1 host2 ...."
    HOST_DENY_TCP=""
    HOST_DENY_UDP=""
    HOST_DENY_IP=""
    HOST_DENY_ICMP=""
    # Put in the following variables which hosts you want to DENY(DROP) for certain
    # services but NOT logged.
    # TCP/UDP port format (HOST_DENY_xxx_NOLOG):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (HOST_DENY_IP_NOLOG):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    # ICMP protocol format (HOST_DENY_ICMP_NOLOG):
    # "host1 host2 ...."
    HOST_DENY_TCP_NOLOG=""
    HOST_DENY_UDP_NOLOG=""
    HOST_DENY_IP_NOLOG=""
    HOST_DENY_ICMP_NOLOG=""
    # Put in the following variables which hosts you want to REJECT (instead of
    # DROP) for certain TCP/UDP ports.
    # TCP/UDP port format (HOST_REJECT_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    HOST_REJECT_TCP=""
    HOST_REJECT_UDP=""
    # Put in the following variables which hosts you want to REJECT (instead of
    # DROP) for certain services but NOT logged.
    # TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    HOST_REJECT_TCP_NOLOG=""
    HOST_REJECT_UDP_NOLOG=""
    # Put in the following variables which services THIS machine is NOT
    # permitted to connect TO (remote end-point) via the external (internet)
    # interface. For example for blocking IRC (tcp 6666:6669).
    DENY_TCP_OUTPUT=""
    DENY_UDP_OUTPUT=""
    DENY_IP_OUTPUT=""
    # Put in the following variables to which hosts THIS machine is NOT
    # permitted to connect TO for certain services (remote end-point)
    # via the external (internet) interface. In principle you can also
    # use this to put your machine in a "virtual-DMZ" by blocking all traffic
    # to your local subnet.
    # TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (HOST_DENY_IP_OUTPUT):
    # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
    HOST_DENY_TCP_OUTPUT=""
    HOST_DENY_UDP_OUTPUT=""
    HOST_DENY_IP_OUTPUT=""
    # Enable (1) to make the default policy allow for IPv4 ICMP (ping) for INET access
    # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
    OPEN_ICMP=0
    # Disable (0) to make the default policy drop IPv6 ICMPv6 for INET access
    # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
    OPEN_ICMPV6=1
    # Put in the following variables which ports or IP protocols you want to leave
    # open to the whole world.
    OPEN_TCP=""
    OPEN_UDP=""
    OPEN_IP=""
    # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
    # everyone (and logged). Also use these variables if you want to log connection
    # attempts to these ports from everyone (also trusted/full access hosts).
    # In principle you don't need these variables, as everything is already blocked
    # (denied) by default, but just exists for consistency.
    DENY_TCP=""
    DENY_UDP=""
    # Put in the following variables which ports you want to DENY(DROP) for
    # everyone but NOT logged. This is very useful if you have constant probes on
    # the same port(s) over and over again (code red worm) and don't want your logs
    # flooded with it.
    DENY_TCP_NOLOG=""
    DENY_UDP_NOLOG=""
    # Put in the following variables the TCP/UDP ports you want to REJECT (instead
    # of DROP) for everyone (and logged).
    REJECT_TCP=""
    REJECT_UDP=""
    # Put in the following variables the TCP/UDP ports you want to REJECT (instead
    # of DROP) for everyone but NOT logged.
    REJECT_TCP_NOLOG=""
    REJECT_UDP_NOLOG=""
    # Put in the following variable which hosts you want to block (blackhole,
    # dropping every packet from the host).
    BLOCK_HOSTS=""
    # Blocked Hosts are by default blocked in both Inbound and Outbound directions.
    # If only Inbound blocking is desired, set to 0 to disable bidirectional blocking.
    BLOCK_HOSTS_BIDIRECTIONAL=1
    # Uncomment & specify here the location of the file that contains a list of
    # hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
    # w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
    # should always contain a carriage-return (enter)!
    #BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
    Service status:
    $ 0.status arno-iptables-firewall.service
    arno-iptables-firewall.service - A secure stateful firewall for both single and multi-homed machine
    Loaded: loaded (/usr/lib/systemd/system/arno-iptables-firewall.service; enabled)
    Active: active (exited) since Tue 2013-02-19 12:45:30 CET; 38s ago
    Main PID: 7781 (code=exited, status=0/SUCCESS)
    CGroup: name=systemd:/system/arno-iptables-firewall.service
    which is a bit confusing as it says 'active' and 'exited' at the same time...
    and then I get into my phone through adb shell, and I run:
    root@android:/ # su
    root@android:/ # netcfg usb0 dhcp
    action 'dhcp' failed (Timer expired)
    So apparently something is wrong,
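
The rule-string syntax the config comments above describe ("host1,host2~port1,port2 ..." for the HOST_xxx variables, "SRC1,SRC2>DST~port" for the DMZ forward rules, with an empty source meaning any source and a missing port meaning any port) is easy to get subtly wrong: a ':' typed in place of '~' silently turns a protocol list into part of the destination host. The parser below is an added example written for this page, not code from the arno-iptables-firewall project; the Rule type, the to_iptables helper and the sample rule strings are assumptions made for illustration, and it accepts only IP addresses and CIDR prefixes (plus 0/0 for "any"), not hostnames.

```python
"""Parse arno-iptables-firewall style rule strings (as documented in the
config comments above) and map them to iptables arguments.  Added example
for this page; not part of the arno-iptables-firewall project.
Assumptions: hosts are IPs or CIDR prefixes ("0/0" = any), ports are "n" or
"lo:hi", and "ip" rules carry an IP protocol number in the port position."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0/0"


@dataclass(frozen=True)
class Rule:
    src: str             # source host/subnet, ANY = any source (NOTE 1)
    dst: str             # destination host/subnet, ANY = not constrained
    port: Optional[str]  # "80", "20:21", or None = any port (NOTE 2)


def _split_hosts(spec: str) -> List[str]:
    # An empty host field (e.g. ">1.2.3.4~80") means any host.
    if spec in ("", ANY):
        return [ANY]
    return [h for h in spec.split(",") if h]


def _check_host(host: str) -> None:
    if host != ANY:
        ipaddress.ip_network(host, strict=False)  # ValueError on junk


def _check_port(port: str) -> None:
    lo, _, hi = port.partition(":")
    for value in (lo, hi) if hi else (lo,):
        if not 0 < int(value) <= 65535:
            raise ValueError(f"port out of range: {port!r}")


def _split_ports(spec: str, present: bool) -> List[Optional[str]]:
    if not present or not spec:
        return [None]
    ports = spec.split(",")
    for p in ports:
        _check_port(p)
    return ports


def parse_host_rules(value: str) -> List[Rule]:
    """HOST_OPEN_xxx / HOST_DENY_xxx form: "h1,h2~p1,p2 h3~p3" (ICMP: "h1 h2")."""
    rules = []
    for entry in value.split():
        hosts, tilde, ports = entry.partition("~")
        for host in _split_hosts(hosts):
            _check_host(host)
            for port in _split_ports(ports, bool(tilde)):
                rules.append(Rule(host, ANY, port))
    return rules


def parse_forward_rules(value: str) -> List[Rule]:
    """DMZ_INET_HOST_xxx / DMZ_LAN_HOST_xxx form: "S1,S2>D~p1,p2 S3>D2~p"."""
    rules = []
    for entry in value.split():
        srcs, gt, rest = entry.partition(">")
        if not gt:
            raise ValueError(f"forward rule without '>': {entry!r}")
        dst, tilde, ports = rest.partition("~")
        if not dst:
            raise ValueError(f"forward rule without destination: {entry!r}")
        _check_host(dst)  # rejects "1.2.3.4:47,48" (':' typed instead of '~')
        for src in _split_hosts(srcs):
            _check_host(src)
            for port in _split_ports(ports, bool(tilde)):
                rules.append(Rule(src, dst, port))
    return rules


def to_iptables(rule: Rule, proto: str, chain: str, target: str) -> List[str]:
    """Render one rule as an iptables argv (proto: tcp, udp, icmp or ip)."""
    args = ["iptables", "-A", chain]
    if proto == "ip":
        # xxx_IP variables: the "port" position holds an IP protocol number
        args += ["-p", rule.port if rule.port else "all"]
    else:
        args += ["-p", proto]
    if rule.src != ANY:
        args += ["-s", rule.src]
    if rule.dst != ANY:
        args += ["-d", rule.dst]
    if proto in ("tcp", "udp") and rule.port is not None:
        args += ["--dport", rule.port]
    return args + ["-j", target]


if __name__ == "__main__":
    # Sample strings constructed from the config's own examples.
    for rule in parse_forward_rules("0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"):
        print(" ".join(to_iptables(rule, "tcp", "FORWARD", "ACCEPT")))
    for rule in parse_host_rules("10.0.0.1,10.0.0.2~22,443 192.168.1.0/24"):
        print(" ".join(to_iptables(rule, "tcp", "INPUT", "ACCEPT")))
```

Validating each host with ipaddress before expanding the rule is the point: a malformed entry fails loudly at parse time instead of producing a rule that matches nothing (or something else) once loaded.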

  • Running ISQL Plus over a home network

    I have a small wireless home network (3 machines), and installed Oracle 10g on one machine. ISQL works fine on this machine. However, I would like to be able to run queries from the other machines using ISQL PLUS.
    Have tried, //<<machinename>>:5560/isqlplus, but this returns a message that the requested page cannot be found.
    I've pinged the database host machine from a second machine: ping <<machine name>>, and got a reply, but when I pinged the port on the host machine: ping <<machine name>>:5560, I got no reply. How do I solve communication with this port?
    Any assistance appreciated.
    JH

    Ping <>:5560, I got no reply.
    Pinging a port is not possible. By the way, you can't use something that uses the ICMP protocol (ping) for testing a TCP connection. So use the telnet command for testing the connection.
    P.S: Wrong forum (section) for this type of problem.
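
The reply's point, that an ICMP echo reply only says the host is up while only a completed TCP handshake says a listener (here port 5560) is reachable, as an added example that is not part of the thread. It does what telnet or psping would do by hand and separates the three answers a practitioner cares about: open, refused (host up, nothing listening) and timeout (host down or a firewall dropping the SYN). The target is a loopback listener constructed inside the code so it runs offline; the poster's Oracle host is not involved.

```python
"""TCP connect probe: the check to run when ICMP is filtered or when the
question is whether a specific listener is reachable.  Added example for
this thread, not from the original post.  The target is a loopback listener
constructed below so the example runs offline."""
import socket
import threading
import time
from typing import Dict, Optional, Tuple


def tcp_connect_check(host: str, port: int,
                      timeout: float = 2.0) -> Tuple[str, Optional[float]]:
    """One TCP handshake. Returns (status, rtt_ms):
    'open'    - SYN/ACK received: a service is listening (ping cannot tell you this)
    'refused' - RST received: host is up, nothing listens on that port
    'timeout' - no answer: host down, or a firewall dropping the SYN
    'error'   - anything else (unreachable network, bad name, ...)"""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", (time.perf_counter() - start) * 1000.0
    except ConnectionRefusedError:
        return "refused", None
    except socket.timeout:
        return "timeout", None
    except OSError:
        return "error", None


def tcp_probe(host: str, port: int, count: int = 4, warmup: int = 1,
              timeout: float = 2.0) -> Dict[str, object]:
    """psping-style summary: `count` probes after a discarded warmup connect."""
    rtts = []
    lost = 0
    for i in range(warmup + count):
        status, rtt = tcp_connect_check(host, port, timeout)
        if i < warmup:
            continue
        if status == "open":
            rtts.append(rtt)
        else:
            lost += 1
    return {
        "sent": count, "received": len(rtts), "lost": lost,
        "min_ms": min(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "avg_ms": sum(rtts) / len(rtts) if rtts else None,
    }


def start_local_listener() -> socket.socket:
    """Constructed target: accept-and-close TCP listener on a loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv


def free_loopback_port() -> int:
    """A loopback port with no listener, so the 'refused' path can be shown."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = start_local_listener()
    port = srv.getsockname()[1]
    print("listener :", tcp_connect_check("127.0.0.1", port))
    print("stats    :", tcp_probe("127.0.0.1", port))
    print("no server:", tcp_connect_check("127.0.0.1", free_loopback_port()))
    srv.close()
```

Against a real host replace 127.0.0.1 and the port with the database machine and 5560; a 'refused' there means the host answers but the iSQL*Plus listener is not bound (or is bound to another address), while a 'timeout' points at a host firewall dropping the SYN.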
