Greetings,
Really basic question here :oops:
I have a RP-B running raspbian-stretch-lite, on it I was running a news BOT for almost 2 years just fine, but we had to change our ISP modem (-> cisco epc3928s) and now the firewall prevents my BOT from working properly. During my troubleshooting, I turned off the firewall completely and all the news came rushing in BUT I couldn’t ping a single web site, which is confusing for me. So I rearmed the firewall and restarted my BOT with the task of finding the blocked ports needed.
So my question now is why do I get the following output if I write “ifconfig” on my RP
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 489/sshd
tcp6 0 0 [::]:ssh [::]:* LISTEN 489/sshd
udp 0 0 0.0.0.0:bootpc 0.0.0.0:* 474/dhcpcd
udp 0 0 0.0.0.0:mdns 0.0.0.0:* 307/avahi-daemon: r
udp 0 0 0.0.0.0:51497 0.0.0.0:* 307/avahi-daemon: r
udp6 0 0 [::]:mdns [::]:* 307/avahi-daemon: r
udp6 0 0 [::]:56058 [::]:* 307/avahi-daemon: r
But I honestly don’t know if this output is correct or not.
Pinging myself (RP) works but pinging anything else results in 100% packet loss and the BOT is still out.
traceroute to www.google.com (172.217.19.100), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.548 ms 0.439 ms 0.574 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
Traceroute makes 1 hop then dies, indicating that I am still blocked by the firewall, but what port is blocked?
Firewalls don’t typically block outgoing traffic, especially by default. If ping/traceroute isn’t going through, then ICMP is being blocked, but blocking all outgoing pings would be insane, so I suspect something else is happening.
Is there any sort of IPS configured on the firewall? Are other computers able to ping through the firewall?
Sorry for the delay
Just tried pinging from my personal computer and my father's, which is connected to a different router, but both are running Win 10 and in both cases pinging google.com has given me a request timeout
Attaching a screenshot of my firewall settings
The funny thing is that webpages load normally and nobody in the house has complained yet that they can’t do something, except me (torrenting and my BOT)
Firewalls can and do block outgoing traffic; it may be rare in the soho space but it is standard best practice in the enterprise space.
Ping and web use two entirely different protocols; when you’re using ping you’re testing ping not web. In fact ping any web server I firewall and you won’t get an answer. You may want to try something like: sudo nping --tcp -p 80 some.web.site; however that carries the risk of bumping into a different sort of firewall protection - blocking those who send too many SYNs without following through with the rest of the traffic.
Can’t see anything obvious with the ifconfig outputs although for some reason the first lacks the link-local IPv6 address.
Firewall GUI: The list of allowed services doesn’t include ICMP (which might explain why the pings don’t work and web does); it also implies this is a default deny firewall. I’d also try turning off each checkbox in turn and testing afterwards (and turn it back on again afterwards if it isn’t “the problem”). I’d also look at changing that SPI drop-down and testing too.
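The reply above makes the point that ping exercises ICMP while the bot needs TCP, and that a half-open SYN probe such as nping can trip SYN-flood protection. As an added example (not code from the original thread or from either poster), the Python script below checks the outbound TCP ports a news bot would typically need by completing a full handshake and closing cleanly, and classifies each result as open, refused (RST came back, so the path is fine) or filtered (no reply at all, the signature of a dropping firewall). The target hostnames and port list are assumptions; replace them with the bot's real endpoints.

```python
import socket
import errno

# Assumed targets: the web and Gmail SMTP ports discussed in the thread.
# Replace with the hosts and ports the bot actually talks to.
DEFAULT_TARGETS = [
    ("www.google.com", 80),
    ("www.google.com", 443),
    ("smtp.gmail.com", 587),
    ("smtp.gmail.com", 465),
]


def tcp_probe(host, port, timeout=3.0):
    """Attempt a full TCP handshake to host:port and classify the outcome.

    Returns one of:
      "open"        - SYN/ACK came back and the handshake completed; we close cleanly
      "refused"     - RST came back: the host is reachable but nothing listens there
      "filtered"    - no answer within the timeout: typical of a dropping firewall
      "unreachable" - no route to the network or host
      "error: ..."  - name resolution or other socket failure
    Unlike ping this exercises TCP rather than ICMP, and unlike a SYN-only probe
    it finishes the handshake and closes, so it does not look like a SYN flood.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror as e:
        return f"error: dns ({e.strerror})"
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        return f"error: {e.strerror}"


def probe_all(targets=DEFAULT_TARGETS, timeout=3.0):
    """Probe every (host, port) pair and return {(host, port): verdict}."""
    return {(h, p): tcp_probe(h, p, timeout) for h, p in targets}


def summarize(results):
    """One-line verdict: which ports a default-deny firewall appears to drop."""
    dropped = [f"{h}:{p}" for (h, p), r in results.items() if r == "filtered"]
    if not dropped:
        return ("no filtered ports; if the bot still fails, "
                "the cause is not an outbound port block")
    return "likely dropped by the firewall (no reply at all): " + ", ".join(dropped)


def self_check():
    """Validate the classifier locally before trusting it against the internet.

    Starts a throwaway listener on 127.0.0.1 (expected: open), closes it and
    probes the same port again (expected: refused). Runs fully offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = tcp_probe("127.0.0.1", port, timeout=2.0)
    srv.close()
    closed = tcp_probe("127.0.0.1", port, timeout=2.0)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    print("self-check:", self_check())
    res = probe_all()
    for (h, p), r in res.items():
        print(f"{h}:{p:<5} {r}")
    print(summarize(res))
```

Run it once with the modem firewall on and once with it off; a port that flips from "filtered" to "open" is one the firewall is dropping, while a port that reads "refused" in both runs is reachable and the problem lies with the service or the bot, not the firewall.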
1 and 2 – good to know, but I have to google what nping does before running it, give me a minute or two please
3) IPv6 was disabled by me when I set up the RP in the beginning, by adding the following in »/etc/sysctl.conf«
Ok I have tested all of the proposed scenarios and am attaching the following files:
Excel file with the results gathered by running traceroute/ping/nping with my RP and Win 10 machine
Layout of my setup – if it helps
Additional information about my modem (everything else should be stock)
• I tried opening ports that are used for the Outgoing Mail (SMTP) Server, but wasn’t sure which setting to set so I did both.
To me it looks like the RP can’t connect to the internet when the firewall is on and so can’t send the news; what I don’t understand is how, if both port 80 and 443 are open. Additionally I have tried searching for the BOT process and opening its port if needed.
Sorry for rambling, that’s it from me; either I haven’t opened the necessary port for email to be sent (gmail smtp) or my bot is broken xD
So if I understand things correctly, it more or less works when you turn down the firewall protection (SPI). Apparently “SPI” is a new fangled name for ‘stateful inspection’ or what I would call a ‘last generation firewall’ (but I’m more used to the enterprise space).
I wouldn’t worry too much about the traceroutes not working - its real use is for diagnosing routing issues. Just to add to the confusion, Windows traceroute works differently to Linux traceroute (by default).
The only thing I can think of is perhaps your firewall’s SPI is buggy and something about your RP is triggering that. Check if there any updates and go over the documentation.
Of course I might be missing something - my brain isn’t working properly today (it’s distracted by Fresher’s flu).
Do you really need SMTPS on tcp/465? I would have thought by now the only mail clients still needing that should have a stake driven through their hearts - it’s been deprecated since before I started playing with firewalls (which is close to 20 years ago).