Any way to enable ICMP port unreachable?

Started by Patrick M. Hausen, December 15, 2021, 12:48:22 PM

Hi all,

after moving my SSH server to port 2222 to match what we have at work - our old firewall could not run outbound NATed SSH connections and the local service on the same port - I found that when I forget the `-p 2222` and simply enter `ssh root@192.168.1.1` the command hangs instead of immediately returning with "port unreachable".

Is there a way to enable sending of ICMP messages for that for internal networks like LAN?

Thanks,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi,

put a reject rule on Firewall: Rules: LAN for tcp port 22?

KH

On internal networks I'd like to have that behavior globally for all unserved ports. My old firewall had a switch per interface - "hide port unreachable, yes/no"

But thanks for the suggestion - will think about it. And dig into pf a bit more. Possibly there's something more general not yet exposed by the UI.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Found it:

`sysctl net.inet.tcp.blackhole=0`

The default is 2 which means not to send ICMP port unreachable. If I change it to 0 the firewall will behave like any regular FreeBSD host. On WAN the pf rules will take care of DROP instead of REJECT, so I am still more or less safe from port scans.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
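A small client-side check for the behaviour discussed in this thread, added here as an example and not code from any of the posters. It classifies how a TCP port answers a connection attempt: a RST comes back immediately ("refused", the behaviour Patrick gets with `net.inet.tcp.blackhole=0` or with KH's pf `reject` rule), or nothing comes back and the connect hangs until the timeout ("dropped", the default `blackhole=2` or a pf `block` rule). One caveat worth knowing when reading the thread: for TCP the closed-port signal is a RST segment, not ICMP port unreachable; ICMP port unreachable is what UDP closed ports send, and on FreeBSD that is governed by the separate `net.inet.udp.blackhole` sysctl. The host, port and timeout used below are assumptions chosen for the demonstration; the tests use a listener on the loopback interface that the script creates itself.

```python
import errno
import socket
import sys


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify how a TCP port answers a connection attempt.

    Returns one of:
      "open"        - handshake completed, something is listening
      "refused"     - a RST came back (tcp.blackhole=0, or a pf 'reject' rule)
      "dropped"     - silence until the timeout (tcp.blackhole=2, or a pf 'block' rule)
      "unreachable" - the local stack reported a host/network unreachable error
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        # ECONNREFUSED is raised when the peer answered the SYN with a RST.
        return "refused"
    except socket.timeout:
        # No SYN-ACK and no RST within the timeout: the SYN was silently dropped.
        return "dropped"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def probe_local_listener(timeout: float = 3.0) -> str:
    """Start a throwaway listener on loopback and probe it (expected: 'open')."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        return probe_tcp("127.0.0.1", port, timeout)
    finally:
        srv.close()


def probe_local_closed_port(timeout: float = 3.0) -> str:
    """Find a port that is currently free on loopback and probe it (expected: 'refused')."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()  # nothing listens there now, so the stack answers with a RST
    return probe_tcp("127.0.0.1", port, timeout)


if __name__ == "__main__":
    # Usage: python probe.py <host> <port> [timeout]
    # e.g. python probe.py 192.168.1.1 22 3   (host/port are placeholders)
    if len(sys.argv) >= 3:
        host, port = sys.argv[1], int(sys.argv[2])
        to = float(sys.argv[3]) if len(sys.argv) > 3 else 3.0
        print(f"{host}:{port} -> {probe_tcp(host, port, to)}")
    else:
        print("loopback listener  ->", probe_local_listener())
        print("loopback closed    ->", probe_local_closed_port())
```

Run against the firewall's LAN address on the old SSH port after changing the sysctl: "refused" means the client will fail fast again, "dropped" means the change did not take effect (or a pf rule is still dropping the SYN before it reaches the stack).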