Hi everyone,
I had trouble allowing ping through/on the gateway using firewall access rules. I tried to create a rule that allows Ping from the Internet to an internal host. Turns out it was related to the options in the "ICMP" tab. When I turn off all the options there (Allow ICMP on Gateway, etc.) my firewall rules work flawlessly. When I turn on some options, my firewall rules are ignored. As far as I understand this is somewhat correct behaviour as the global ICMP rules override my own. Only problem is: I cannot create an additional rule that would allow Ping to my host from the internet.
But now the kicker: it depends on what you activate first. If you create the firewall rule to allow ping first, it still works even after you activate the ICMP options. If you turn on the ICMP options and then create a firewall rule, the firewall rule will be ignored. -> Huh? This creates a situation where firewall configuration rules LOOK identical, but behave differently internally. This should be reflected in the GUI somehow, or the firewall rules should be created exactly the same, no matter what checkbox I click first!
It seems rather non-transparent which iptables rule takes precedence internally. I'm not a huge Unix hacker, so I have not tried to look into the guts of the system so far.
So my questions are: why can't I create additional rules to allow ICMP from the outside after I activate the global ICMP options? And: why does it matter what stuff I activate first? Or am I completely on the wrong track here?
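The order dependence described in the post is what a first-match chain does when two configuration sources append into it. The following is an added example, not code from the post or the gateway product; it assumes (as a model, since the post does not show the generated rules) that the ICMP tab emits an "accept ICMP to gateway" rule plus a catch-all ICMP drop, and that an access rule created later is appended after them. The `shadowed()` check is the kind of audit a defender can run to find rules that can never fire.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str    # "icmp", "tcp" or "any"
    src: str      # "internet", "lan" or "any"
    dst: str      # "gateway", "host" or "any"
    action: str   # "accept" or "drop"

    def covers(self, proto, src, dst):
        """True if this rule matches a packet with the given fields."""
        return all(want in ("any", got) for want, got in
                   ((self.proto, proto), (self.src, src), (self.dst, dst)))

def evaluate(chain, proto, src, dst, policy="drop"):
    """iptables-style first-match: the first matching rule decides."""
    for rule in chain:
        if rule.covers(proto, src, dst):
            return rule.action
    return policy

def shadowed(chain):
    """Names of rules that can never fire because one earlier rule already
    covers every packet they would match (single-rule check only; a set of
    earlier rules jointly covering a later one is not detected)."""
    return [rule.name for i, rule in enumerate(chain)
            if any(earlier.covers(rule.proto, rule.src, rule.dst)
                   for earlier in chain[:i])]

# Constructed model of what the "ICMP" tab generates (assumption, not verified).
GLOBAL_ICMP = [
    Rule("icmp-tab: allow ICMP to gateway", "icmp", "any", "gateway", "accept"),
    Rule("icmp-tab: drop other ICMP", "icmp", "any", "any", "drop"),
]
# The user's access rule: ping from the Internet to an internal host.
USER_PING = Rule("user: allow ping internet->host", "icmp", "internet", "host", "accept")

def rule_created_first():
    """Access rule existed before the ICMP options were enabled."""
    return [USER_PING] + GLOBAL_ICMP

def options_enabled_first():
    """ICMP options enabled first; the access rule is appended afterwards."""
    return GLOBAL_ICMP + [USER_PING]

if __name__ == "__main__":
    for chain in (rule_created_first(), options_enabled_first()):
        print(evaluate(chain, "icmp", "internet", "host"), shadowed(chain))
```

Both chains contain the same three rules; only the position of the user rule differs, which is exactly why the GUI shows identical configurations that behave differently.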