Netgate SG-1000 microFirewall

Author Topic: Blocking ICMP (ping) from my DMZ.  (Read 153 times)

0 Members and 1 Guest are viewing this topic.

Offline nafeasonto

  • Newbie
  • *
  • Posts: 10
  • Karma: +0/-0
    • View Profile
Blocking ICMP (ping) from my DMZ.
« on: December 18, 2017, 01:36:50 am »
So I don't understand why this isn't wrking, but I go into the RULES for the DMZ.  Like DMZ from the srouce of any  to LAN NET, no ICMP.
Then IN the LAN, I block ICMP from source of DMZ net to LAN NET.

But ping is still getting through, why?

here is screenie.

Offline GruensFroeschli

  • Little Green Frog
  • Global Moderator
  • Hero Member
  • *****
  • Posts: 5452
  • Karma: +88/-3
  • No i will not fix your computer!
    • View Profile
Re: Blocking ICMP (ping) from my DMZ.
« Reply #1 on: December 18, 2017, 02:31:18 am »
Did you keep the ping running while changing rules?
Have you tried to stop the ping and then start it again?

States created before you change the rules will not automatically be killed.
You can manually trigger a kill of all states under:
Diagnostic --> States -->"Reset States"
We do what we must, because we can.

Asking questions the smart way:

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15518
  • Karma: +1439/-207
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: Blocking ICMP (ping) from my DMZ.
« Reply #2 on: December 18, 2017, 07:31:35 am »
Your source net dmz net rule on lan is pointless.

Your rules below that any any rule on dmz are pointless.

As GruensFroeschli correctly stated, if you had a state that allowed ping when you created that block rule.. You would have to kill any active states to lan to allow the rule to be used.  Since active states are looked at before rules are evaluated.  You do not need to kill/reset all states.. You can look under your state table for the specific state(s) you want to kill and just kill those.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-3100 Delivered 3/19 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)