[j-nsp] "ping: sendto: Operation not permitted" in LAN
Stefan Fouant
sfouant at shortestpathfirst.net
Thu Aug 18 10:28:10 EDT 2011
On 8/18/2011 8:21 AM, Martin T wrote:
> As you can see, there is a firewall applied to ge-0/0/0.10.
> Configuration of the "fw-out" is following:
>
> term established {
>     from {
>         tcp-established;
>     }
>     then {
>         count established;
>         accept;
>     }
> }
You don't have a match for protocol TCP here in your term established.
This can cause strange behavior since it's only looking for a simple
bit match against the TCP ACK or RST fields. However, because you are
not tying it specifically to TCP traffic, any packets which have a 1
value at that offset will match.
> The same applies to every host in 192.168.1.0/28 network. If I ping
> the M20(192.168.1.14) from servers there is same amount of packet
> loss. Any ideas, what might cause this "ping: sendto: Operation not
> permitted"? If additional information is needed, please ask :)
Honestly, I am unsure how any of your ping packets are getting out due
to the fact that you don't have any terms allowing ICMP echo-requests
outbound. My only thought here is that it may be matching on the term
established for the reasons I just mentioned.
I would suggest modifying the term established to include 'from protocol
tcp', and then adding another term to allow ICMP echo requests outbound.
Make sure to insert this term before the final drop term.
HTHs.
Stefan Fouant
JNCIE-ER, JNCIE-M, JNCIE-SEC, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
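As an added example (not the original poster's configuration nor Stefan's, and not Juniper documentation), here is one way the "fw-out" filter could be written along the lines suggested above: the established term is restricted to protocol tcp, a separate term admits outbound ICMP echo requests, and an explicit final discard term follows. The term names and counter names are assumptions; the original filter's other terms are not known from the thread, so only the parts discussed here are shown.

```junos
/* Constructed example of an outbound filter; adjust term order and names to fit the real filter. */
firewall {
    family inet {
        filter fw-out {
            /* Match TCP ACK/RST only on TCP packets, so non-TCP traffic
               that happens to carry a 1 bit at the same offset no longer
               hits this term. */
            term established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then {
                    count established;
                    accept;
                }
            }
            /* Explicitly allow outbound ICMP echo requests so pings from
               the router do not depend on accidental matches elsewhere. */
            term allow-icmp-echo {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    count icmp-echo-out;
                    accept;
                }
            }
            /* Final drop term; new accept terms must be inserted above it,
               e.g. with "insert term allow-icmp-echo before term drop-all". */
            term drop-all {
                then {
                    count dropped;
                    discard;
                }
            }
        }
    }
}
```

After committing, "show firewall filter fw-out" lets you confirm that the icmp-echo-out counter increments while pinging from the router and that the established counter stops growing on non-TCP traffic.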