Outbound ping or traceroute not working

By default this works.
Green -> Firewall -> net, ping and traceroute service, direction outbound.
I am trying to lock down the firewall from the default allow-all green outbound.
I changed the default policy from allow to not allow [drop].
I added all types of ICMP outbound, but ping and traceroute are not working.
If I create a rule, Green all services outbound, ping and traceroute work.
What am I missing here?
Thanks for your assistance.

For users who want more information: default policy adjusted and rules added for outbound.
The reason for this: I have some devices that need to be pinged and tracerouted from my Green for troubleshooting, and I also do not want to open all 65535 ports outbound. So I limited it.
Please let me know if more information is needed.

@itfordave

Hi Dave

Welcome to the NethServer community!

Saw your message…

I’m missing some info here…

Firewall: Is NethServer your firewall, or do you have another box as firewall?

-> If you have another box as firewall, no changes are needed on your NethServer.

My 2 cents
Andy

Thanks for your response. NethServer is my firewall. By default it works. I just want to make it more secure.

Blocking outgoing ports (esp. on a home lan) isn’t really making things more secure.

A LOT of client Apps use (almost random) Ports outgoing.
eg Zoom, Skype
Any form of VoIP will use 10’000-20’000 Ports for the so called SIP RTP (The actual VoIP communications, SIP is the signalling port…).

Also most TCP/IP addresses COME from a random port, just the target is a well known port.
Even your browser - most likely - also uses a random outgoing port, accessing some webserver on port 80 or 443…
Mail is another typical one…

If you do not want for example your Printer reaching to the Internet (Calling home!), then just don’t enter in a gateway on the printer (If manual IP) AND block Outgoing coming from the Printer’s IP (on the Firewall).

My 2 cents

Are we talking about traceroute on Windows or on UN*X? (Not the same, one uses ICMP, the other UDP, AFAIK).

Why block outward ping from your devices (PCs)?

I block a whole device (printer, network port, etc), if I don’t want it “going out”.

Note: I do not use the firewall in NethServer, I use a hardware box (OPNsense), at home and at most of my clients.
I myself am well familiar with Checkpoint, Sonicwall, Cisco, ZyWall and Juniper (Among others).

I personally often need to “ping out”, as I am a network consultant, so I don’t bother with blocking stuff like ping…

My 2 cents
Andy

If you know shorewall, you can edit the e-smith templates, AFAIK most config stuff of NethServer, like its predecessor, is stored there…

You can copy over the basis /etc/e-smith/templates/etc/shorewall to
/etc/e-smith/templates-custom/etc/shorewall
(Only what you need to change!)

after that:

expand-template /etc/shorewall/YOUR-CHANGED-FILE

My 2 cents
Andy
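The workflow Andy describes above (copy only the fragment you need into templates-custom, then expand the template), carried through for the original question about outbound ping and traceroute, as an added example that is not part of the original thread and not NethServer's own code. It assumes the green zone is shorewall zone "loc" and the red zone is "net", that NethServer's rules template is the fragment directory /etc/e-smith/templates/etc/shorewall/rules/, and that "shorewall restart" is the reload step; the fragment name 50icmp_outbound is made up here. The ROOT argument lets you dry-run the file layout in a temporary directory before touching a real box.

```shell
#!/bin/sh
# Added example (not NethServer's or the posters' code): create a custom
# e-smith template fragment that allows outbound ping and traceroute from
# green while the default green->red policy stays DROP.
# ASSUMPTIONS: green = shorewall zone "loc", red = "net"; the rules
# template lives in /etc/e-smith/templates/etc/shorewall/rules/ as
# fragments; the fragment name 50icmp_outbound is hypothetical.
set -eu

# Shorewall rules for the outbound half only. Replies (echo-reply,
# time-exceeded, port-unreachable) return as RELATED/ESTABLISHED and are
# accepted by connection tracking, so no inbound rule is needed.
# Columns: ACTION SOURCE DEST PROTO DPORT
icmp_outbound_rules() {
    cat <<'EOF'
# ping, and Windows tracert (both use ICMP echo-request)
ACCEPT  loc  net  icmp  8
# Linux/BSD traceroute sends UDP probes on this traditional port range
ACCEPT  loc  net  udp   33434:33523
EOF
}

# write_fragment ROOT -> prints the path of the fragment it created.
# ROOT is "" on a real host; pass a temp dir to dry-run the layout.
write_fragment() {
    root="${1:-}"
    dir="$root/etc/e-smith/templates-custom/etc/shorewall/rules"
    mkdir -p "$dir"
    frag="$dir/50icmp_outbound"
    icmp_outbound_rules > "$frag"
    printf '%s\n' "$frag"
}

# apply_on_nethserver: expand the rules template and reload shorewall.
# Only meaningful on a real NethServer host (expand-template must exist).
apply_on_nethserver() {
    command -v expand-template >/dev/null 2>&1 || {
        echo "expand-template not found: not a NethServer host" >&2
        return 1
    }
    expand-template /etc/shorewall/rules
    shorewall restart   # assumption: standard shorewall reload step
}

# Usage: ./icmp_outbound.sh /tmp/dryrun   (layout only)
#        ./icmp_outbound.sh               (no-op; call the functions)
if [ "${1:-}" != "" ]; then
    write_fragment "$1"
fi
```

Keeping the fragment in templates-custom (rather than editing /etc/shorewall/rules directly) is what makes the change survive the next template expansion; the ICMP rule alone covers Windows tracert, while Linux traceroute additionally needs the UDP range, which matches Andy's point that the two tools differ.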

I think that is the direction. I read in the manuals about that, but I am currently finding out. I saw it, but thought it was for a particular user.

@itfordave

Don’t quite follow… ?

If you know shorewall, you can edit the e-smith templates, AFAIK most config stuff of NethServer, like its predecessor, is stored there…

You can copy over the basis /etc/e-smith/templates/etc/shorewall to
/etc/e-smith/templates-custom/etc/shorewall
(Only what you need to change!)

after that:

expand-template /etc/shorewall/YOUR-CHANGED-FILE

Thanks, I will look into this.
I will just mark it as the solution.