PF pinging a FreeBSD machine

Hello fellow FreeBSD users.

I'm new to BSD but I've been using Linux for quite a while.
So my issue is that I can't seem to ping my FreeBSD machine from other computers connected to the same LAN.

My machine has a fresh install and not much has been changed configuration-wise.
I've been trying to get to grips with the PF firewall and I created some simple rules, but other than that I haven't changed anything worth mentioning.

pf.conf
Code:
pass in quick proto icmp
block in log (all) all
pass out all keep state

Disabling the firewall completely makes no difference (and yes, I can ping hosts from the FreeBSD machine).

I'm tearing my hair out over here.
Is this normal for FreeBSD!?
What can I do if I'd like FreeBSD to respond to ping?
 
Common pitfall for new PF users, last matching rule wins. Processing of rules doesn't stop when a match is found.

Did you perhaps also enable IPFW or IPF? FreeBSD has three firewalls (and you should only enable one of them), IPFW, IPF and PF.

What's in /etc/rc.conf?
 
Did you perhaps also enable IPFW or IPF?
No, I'm pretty sure I didn't.
I specifically installed FreeBSD on this machine to play around with PF, not IPFW or any other firewall.

What's in /etc/rc.conf?
I manually typed this in, so it might contain some mistyped characters.
Lines starting with # were ignored.
Code:
Clear_tmp_enable="yes"
hostname="redacted"
Keymap="us.kdb"
Ifconfig_em0="DHCP"
ifconfig_em0ipv6="inet6 accept_rtadv"
Ntpd_enable="YES"
mouse_nonedeafault_enable="NO"
Dumdev="NO"
zfs_enable="YES"
Pflog_enable=yes
 
PF isn't enabled, but that shouldn't be a problem. I see the interface is set to DHCP, is it possible you've been pinging the wrong IP address? Because FreeBSD, like every other OS, will happily respond to a ping. You don't have to 'enable' anything to make that happen.
 
Well, I tried to ping the FreeBSD machine yet again and to my surprise it actually worked.
I feel like such a dummy.

I even enabled the firewall with
Code:
pfctl -e

and even with the firewall enabled it still works, so I guess my simple rules work too.

While I'm at it, I might as well ask: is this line in pf.conf necessary for ping to work?
pass in quick proto icmp
Refer to post no. one for context.
 
Yes, the only remark I would make is that this allows all ICMP, including some things you might not want to allow.

Code:
int_if="em0"

pass in on $int_if proto icmp from any to any icmp-type { echoreq, unreach }

This is much stricter, it only accepts ICMP echo requests (ping) and ICMP unreachable (used with traceroute and PMTUD).
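
An added example, not part of the original thread: a minimal stateless model of PF rule evaluation (last matching rule wins unless a rule is marked `quick`), applied to the rule set from the first post and to the stricter ICMP rule placed before and after the `block in` rule. The `Rule` class, `evaluate` function and sample packets are constructed for illustration, and replies admitted by `keep state` are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:  # hypothetical, simplified model of one pf.conf filter rule
    action: str                             # "pass" or "block"
    direction: str                          # "in" or "out"
    quick: bool = False
    proto: Optional[str] = None             # None = any protocol
    icmp_types: Optional[frozenset] = None  # None = any ICMP type

    def matches(self, pkt: dict) -> bool:
        if pkt["dir"] != self.direction or self.proto not in (None, pkt["proto"]):
            return False
        return self.icmp_types is None or pkt.get("type") in self.icmp_types

def evaluate(rules, pkt) -> str:
    """Last matching rule wins; 'quick' stops evaluation; no match means pass."""
    verdict = "pass"
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

BLOCK_IN, PASS_OUT = Rule("block", "in"), Rule("pass", "out")
STRICT = Rule("pass", "in", proto="icmp", icmp_types=frozenset({"echoreq", "unreach"}))
# Rule set from the first post: 'quick' lets ICMP escape the later block rule.
ORIGINAL = [Rule("pass", "in", quick=True, proto="icmp"), BLOCK_IN, PASS_OUT]
# Stricter rule (no 'quick') placed before the block rule: the block matches last.
STRICT_FIRST = [STRICT, BLOCK_IN, PASS_OUT]
# Same rule placed after the block rule: now it is the last match for ping.
STRICT_LAST = [BLOCK_IN, STRICT, PASS_OUT]
# Constructed sample packets (stateless model, so all are unsolicited inbound).
PACKETS = {
    "ping":     {"dir": "in", "proto": "icmp", "type": "echoreq"},
    "redirect": {"dir": "in", "proto": "icmp", "type": "redir"},
    "ssh":      {"dir": "in", "proto": "tcp"},
    "nd6":      {"dir": "in", "proto": "icmp6", "type": "neighbrsol"},  # ICMPv6 is not 'icmp'
}

def verdicts(rules) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, rs in (("original", ORIGINAL), ("strict first", STRICT_FIRST), ("strict last", STRICT_LAST)):
        print(f"{label:13} {verdicts(rs)}")
```

In this model the stricter rule only admits ping when it is the last match (placed after `block in`) or carries `quick`, and none of the three rule sets passes inbound ICMPv6, which PF treats as a separate protocol.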
 
Oh yes, you are of course right!
I was just trying to write a simple rule to get ping working while I'm trying to learn the PF firewall; allowing all of ICMP is obviously not ideal if I were to make this machine accessible over the public internet.

Thank you for all of your assistance, SirDice.
I sincerely appreciate it.
 
Hmm, guess I wasn't such a dummy after all, as IPv6 isn't working.

I have now connected two machines with an Ethernet cable.
Machine One is running FreeBSD and machine Two Linux.

Pinging either machine using IPv4 works fine, but switch over to IPv6 and I'm only getting a network unreachable message on FreeBSD and an address unreachable message from the Linux machine.
At first I let both machines auto-configure (SLAAC), but since I was unable to ping either machine I manually configured both machines with static IPv6.

FreeBSD ifconfig

Code:
em0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=4e524bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
    ether 00:26:2d:f1:08:02
    inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
    inet6 fe80::redacted%em0 prefixlen 64 scopeid 0x1
    inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=8023<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL,DEFAULTIF>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33152
    options=0
    groups: pflog

FreeBSD rc.conf
Code:
clear_tmp_enable="YES"
hostname="redacted"
keymap="us.kbd"
ifconfig_em0="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_em0_ipv6="inet6 fe80::0001 prefixlen 64"
ntpd_enable="YES"
moused_nondefault_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
pf_enable=yes
pflog_enable=yes

Linux ip address
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether redacted brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.2/24 brd 192.168.0.255 scope global noprefixroute enp0s25
       valid_lft forever preferred_lft forever
    inet6 fe80::2/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
    inet6 fe80::redacted/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether redacted brd ff:ff:ff:ff:ff:ff permaddr redacted

FreeBSD gods, please advise me!