By default this works.
Green -> Firewall -> net, ping and traceroute service, direction outbound.
I am trying to lock down the firewall from the default allow-all Green outbound.
I changed the default policy from allow to not allow [drop].
I added all types of ICMP outbound, but ping and traceroute are not working.
If I create a rule, Green all services outbound, ping and traceroute work.
What am I missing here?
Thanks for your assistance.
For users who want more information: default policy adjusted and rules added for outbound.
The reason for this: I have some devices that need to be pinged and tracerouted from my Green for troubleshooting, and I also do not want to open all 65535 ports outbound. So I limited it.
Please let me know if more information is needed.
Blocking outgoing ports (esp. on a home LAN) isn’t really making things more secure.
A LOT of client apps use (almost random) ports outgoing.
e.g. Zoom, Skype.
Any form of VoIP will use 10,000-20,000 ports for the so-called SIP RTP (the actual VoIP communications; SIP is the signalling port…).
Also most TCP/IP addresses COME from a random port, just the target is a well-known port.
Even your browser - most likely - also uses a random outgoing port, accessing some web server on port 80 or 443…
Mail is another typical one…
If you do not want, for example, your printer reaching the Internet (calling home!), then just don’t enter a gateway on the printer (if manual IP) AND block outgoing traffic coming from the printer’s IP (on the firewall).
Are we talking about traceroute on Windows or on UN*X? (Not the same, one uses ICMP, the other UDP, AFAIK).
Why block outward ping from your devices (PCs)?
I block a whole device (printer, network port, etc.) if I don’t want it “going out”.
Note: I do not use the firewall in NethServer, I use a hardware box (OPNsense), at home and at most of my clients.
I myself am well familiar with Checkpoint, Sonicwall, Cisco, ZyWall and Juniper (Among others).
I personally often need to “ping out”, as I am a network consultant, so I don’t bother with blocking stuff like ping…
If you know Shorewall, you can edit the e-smith templates; AFAIK most config stuff of NethServer, like its predecessor, is stored there…
Thanks, I will look into this.
I will just mark it as solution.
You can copy over the base /etc/e-smith/templates/etc/shorewall to
/etc/e-smith/templates-custom/etc/shorewall
(only what you need to change!)
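An added example, not the poster's commands, of such a custom fragment: a POSIX shell script that writes a Shorewall rules fragment letting Green send ping and traceroute probes out while the default outbound policy stays DROP. It assumes NethServer's zone names are loc (Green) and net (Red), that the fragment name 40ping_trace is unused, and takes a prefix argument so it can be tried outside /.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a templates-custom fragment
# for /etc/shorewall/rules with outbound ping and traceroute rules.
# Assumptions: zone names loc (Green) and net (Red), fragment name
# 40ping_trace, and a prefix argument for trying this outside /.
write_ping_trace_fragment() {
    prefix="${1:-/}"
    dir="$prefix/etc/e-smith/templates-custom/etc/shorewall/rules"
    mkdir -p "$dir"
    cat > "$dir/40ping_trace" <<'EOF'
# ping: let echo-request (ICMP type 8) out; conntrack admits the
# echo-reply back as ESTABLISHED/RELATED
ACCEPT  loc  net  icmp  8
# UN*X traceroute sends UDP probes to ports 33434 and up, not ICMP,
# so an ICMP-only rule set leaves it broken; 90 ports cover the default
# 30 hops x 3 probes. Windows tracert uses ICMP echo-request (above).
# Shorewall's bundled macro does the same: Trcrt(ACCEPT)  loc  net
ACCEPT  loc  net  udp   33434:33523
EOF
    printf '%s\n' "$dir/40ping_trace"
}

# Sanity check that both rule lines are present before expanding templates.
fragment_has_rules() {
    grep -q '^ACCEPT  loc  net  icmp  8$' "$1" &&
    grep -q '^ACCEPT  loc  net  udp   33434:33523$' "$1"
}

# On the NethServer box: run this script with --apply, then rebuild and
# reload the generated /etc/shorewall/rules with: signal-event firewall-adjust
if [ "${1:-}" = "--apply" ]; then
    f="$(write_ping_trace_fragment /)"
    fragment_has_rules "$f" && echo "wrote $f"
fi
```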