[j-nsp] "ping: sendto: Operation not permitted" in LAN

Stefan Fouant sfouant at shortestpathfirst.net
Thu Aug 18 10:28:10 EDT 2011


On 8/18/2011 8:21 AM, Martin T wrote:

> As you can see, there is a firewall applied to ge-0/0/0.10.
> Configuration of the "fw-out" is following:
>
>          term established {
>              from {
>                  tcp-established;
>              }
>              then {
>                  count established;
>                  accept;
>              }
>          }

You don't have a match for protocol TCP here in your term established. 
This can cause strange behavior since it's only looking for a simple 
bit match against the TCP ACK or RST fields.  However, because you are 
not tying it specifically to TCP traffic, any packets which have a 1 
value at that offset will match.

> The same applies to every host in 192.168.1.0/28 network. If I ping
> the M20(192.168.1.14) from servers there is same amount of packet
> loss. Any ideas, what might cause this "ping: sendto: Operation not
> permitted"? If additional information is needed, please ask :)

Honestly, I am unsure how any of your ping packets are getting out due 
to the fact that you don't have any terms allowing ICMP echo-requests 
outbound.  My only thought here is that it may be matching on the term 
established for the reasons I just mentioned.

I would suggest modifying the term established to include 'from protocol 
tcp', and then adding another term to allow ICMP echo requests outbound. 
Make sure to insert this term before the final drop term.

HTHs.

Stefan Fouant
JNCIE-ER, JNCIE-M, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
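The change Stefan describes, written out as an added example that is not part of the original thread: the weak term matches only on tcp-established, so any packet with a 1 at that header offset is accepted regardless of protocol; the corrected filter ties the flag match to TCP and adds an echo-request term ahead of the final discard. The filter name fw-out comes from the thread; the term names allow-icmp-echo and deny-all are assumptions.

```junos
firewall {
    family inet {
        filter fw-out {
            /* Corrected: 'protocol tcp' restricts the ACK/RST bit match
               to TCP, so non-TCP packets can no longer hit this term */
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then {
                    count established;
                    accept;
                }
            }
            /* Added term (name assumed): permit outbound ping explicitly,
               placed before the final discard so it is evaluated first */
            term allow-icmp-echo {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    count icmp-echo;
                    accept;
                }
            }
            /* Final drop term (name assumed); counting it makes the
               "Operation not permitted" drops visible in show firewall */
            term deny-all {
                then {
                    count denied;
                    discard;
                }
            }
        }
    }
}
```

After committing, compare the established, icmp-echo and denied counters with "show firewall filter fw-out" while pinging; echo requests should now increment icmp-echo rather than either of the other two.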

