OPNsense Forum » Archive » 21.7 Legacy Series
Topic: Any way to enable ICMP port unreachable?
Patrick M. Hausen (Hero Member), on: December 15, 2021, 12:48:22 pm
Hi all,
after moving my SSH server to port 2222 to match what we have at work - our old firewall could not run outbound NATed SSH connections and the local service on the same port - I found that when I forget the `-p 2222` and simply enter `ssh root@192.168.1.1` the command hangs instead of immediately returning with "port unreachable".
Is there a way to enable sending of ICMP messages for that for internal networks like LAN?
Thanks,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
KHE (Full Member), Reply #1 on: December 15, 2021, 02:59:38 pm
Hi,
put a reject rule on Firewall: Rules: LAN for tcp port 22?
KH
Patrick M. Hausen (Hero Member), Reply #2 on: December 15, 2021, 03:32:01 pm
On internal networks I'd like to have that behavior globally for all unserved ports. My old firewall had a switch per interface: "hide port unreachable, yes/no".
But thanks for the suggestion - will think about it. And dig into pf a bit more. Possibly there's something more general not yet exposed by the UI.
Patrick M. Hausen (Hero Member), Reply #3 on: December 15, 2021, 03:45:14 pm
Found it:
sysctl net.inet.tcp.blackhole=0
The default is 2, which means not to send ICMP port unreachable. If I change it to 0 the firewall will behave like any regular FreeBSD host. On WAN the pf rules will take care of DROP instead of REJECT, so I am still more or less safe from port scans.
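The symptom in the thread (ssh hanging on a closed port instead of failing at once) is what a client sees when the host drops the SYN rather than answering it. On FreeBSD, net.inet.tcp.blackhole controls that for TCP: 0 answers a closed port with a RST (the client gets "connection refused"), 1 silently drops SYNs to closed ports, 2 drops every segment to a closed port. Note that for TCP the closed-port reply is a RST, not an ICMP port unreachable; UDP closed-port behaviour (the actual ICMP port unreachable) is governed separately by net.inet.udp.blackhole. The following is an added example, not code from the thread or from OPNsense: a small Python probe that classifies what a TCP connect attempt gets back, so the effect of the sysctl (or of a pf drop versus reject rule) can be checked from a LAN host. Host, port and timeout values are assumptions; the demo uses loopback ports it allocates itself.

```python
import errno
import socket
from contextlib import contextmanager

# Outcome names, chosen here for the example (not from the thread or from OPNsense).
OPEN = "open"               # handshake completed: something is listening
CLOSED = "closed"           # peer answered with RST: blackhole=0 / pf "reject"
FILTERED = "filtered"       # nothing came back before the timeout:
                            #   net.inet.tcp.blackhole=1 or 2, or a pf "block" (drop)
UNREACHABLE = "unreachable"  # ICMP unreachable or no route at all


def probe_tcp(host, port, timeout=2.0):
    """Attempt one TCP connect and report how the peer responded.

    This is the client-side view of net.inet.tcp.blackhole: with the sysctl at 0
    a closed port yields CLOSED immediately, with 1 or 2 it yields FILTERED only
    after `timeout` seconds, which is exactly why `ssh` appears to hang.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return OPEN
    except socket.timeout:           # TimeoutError in 3.10+, still a subclass of OSError
        return FILTERED
    except ConnectionRefusedError:   # peer sent a RST
        return CLOSED
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return UNREACHABLE
        raise
    finally:
        s.close()


@contextmanager
def listening_port(host="127.0.0.1"):
    """Bind a temporary listener on an OS-chosen port (constructed test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def free_closed_port(host="127.0.0.1"):
    """Ask the OS for a port and release it again, leaving it closed."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe one listening and one closed loopback port.

    Loopback on a normal host behaves like blackhole=0, so the closed port is
    reported as CLOSED at once. Pointing probe_tcp() at an unserved port on an
    OPNsense LAN address with blackhole=2 would instead return FILTERED after
    the timeout.
    """
    results = {}
    with listening_port() as port:
        results["listening"] = probe_tcp("127.0.0.1", port, timeout=1.0)
    results["closed"] = probe_tcp("127.0.0.1", free_closed_port(), timeout=1.0)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

To reproduce the thread's observation, run the probe from a LAN host against an unserved port on the firewall before and after changing the sysctl: FILTERED with a visible delay corresponds to the "ssh hangs" case, CLOSED to the immediate failure the poster wanted. On the WAN side a pf block rule still drops the SYN regardless of the sysctl, so the probe from outside keeps reporting FILTERED.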