[j-nsp] "ping: sendto: Operation not permitted" in LAN

Stacy W. Smith stacy at acm.org
Thu Aug 18 11:18:36 EDT 2011 

Martin,

I think the fact that any of the pings are succeeding is accidental.

Based on my initial glance at your firewall filter, you are not permitting ICMP echo request messages and the final "term drop" is discarding traffic. I would therefore, expect all pings to fail completely. The reason some pings are succeeding is due to the "term established" in your firewall filter.

One of the peculiarities of JunOS firewall filters is that specifying a match condition for a higher-level protocol does NOT automatically assume the corresponding lower-level protocol. So, you have:

...
term established {
       from {
           tcp-established;
       }
       then {
           count established;
           accept;
       }
 }
…

Because you did not ALSO specify "from protocol tcp" in this term, this condition is applied to all IPv4 traffic, not just TCP traffic. Therefore, any packet that has the either bit set in what would be the position for the ACK or RST TCP flags, if it were actually a TCP packet, will match this term.

The bit positions that would be the ACK or RST TCP flags on a TCP packet are in the data portion of an ICMP echo request packet. If the data in the ICMP echo request packet happen's to have one of these two bit positions set, it will be accepted by "term established". If it doesn't it will be denied by "term drop". Those denies will result in the "ping: sendto: Operation not permitted" message you are seeing. I believe JunOS increments the data pattern in each ICMP echo request message, and that is why you are seeing some packets succeed and other fail.

Bottom line:

Add "protocol tcp" to the "from" clause of "term established"

If you also want to permit ICMP echo request messages, add an additional term to do so.

--Stacy


On Aug 18, 2011, at 6:21 AM, Martin T wrote:

> I have a ge-0/0/0 interface in Juniper M20(JUNOS 9.4R4.5), which has
> unit 10 configured to it. Configuration of the interface is basically
> following:
> 
>    ge-0/0/0 {
>        unit 10 {
>            family inet {
>                rpf-check;
>                mtu 1500;
>                filter {
>                    output fw-out;
>                }
>                address 192.168.1.14/28;
>            }
>        }
>    }
> 
> 
> As you can see, there is a firewall applied to ge-0/0/0.10.
> Configuration of the "fw-out" is following:
> 
> firewall {
>    filter fw-out {
>        term GoogleDNS {
>            from {
>                source-address {
>                    8.8.8.8/32;
>                    8.8.4.4/32;
>                }
>                protocol udp;
>                source-port 53;
>            }
>            then {
>                count GoogleDNS;
>                accept;
>            }
>        }
>        term established {
>            from {
>                tcp-established;
>            }
>            then {
>                count established;
>                accept;
>            }
>        }
>        term management {
>            from {
>                source-address {
>                    10.10.10.0/24;
>                }
>            }
>            then {
>                count management;
>                accept;
>            }
>        }
>        term drop {
>            then {
>                count drop;
>                discard;
>            }
>        }
>    }
> }
> 
> 
> In case I ping between servers in 192.168.1.0/28 network, the
> connection is fine. There is no packet loss between them. However, if
> I ping for example 192.168.1.3 from M20, the results are following:
> 
> 
> PING 192.168.1.3 (192.168.1.3): 1400 data bytes
> 1408 bytes from 192.168.1.3: icmp_seq=0 ttl=64 time=2.301 ms
> ping: sendto: Operation not permitted
> 1408 bytes from 192.168.1.3: icmp_seq=2 ttl=64 time=1.440 ms
> 1408 bytes from 192.168.1.3: icmp_seq=3 ttl=64 time=1.454 ms
> 1408 bytes from 192.168.1.3: icmp_seq=4 ttl=64 time=1.491 ms
> 1408 bytes from 192.168.1.3: icmp_seq=5 ttl=64 time=1.433 ms
> 1408 bytes from 192.168.1.3: icmp_seq=6 ttl=64 time=1.411 ms
> ping: sendto: Operation not permitted
> 1408 bytes from 192.168.1.3: icmp_seq=8 ttl=64 time=1.540 ms
> ping: sendto: Operation not permitted
> 1408 bytes from 192.168.1.3: icmp_seq=10 ttl=64 time=1.762 ms
> 1408 bytes from 192.168.1.3: icmp_seq=11 ttl=64 time=1.972 ms
> 1408 bytes from 192.168.1.3: icmp_seq=12 ttl=64 time=1.451 ms
> ping: sendto: Operation not permitted
> 1408 bytes from 192.168.1.3: icmp_seq=14 ttl=64 time=1.450 ms
> ping: sendto: Operation not permitted
> 1408 bytes from 192.168.1.3: icmp_seq=16 ttl=64 time=46.920 ms
> 1408 bytes from 192.168.1.3: icmp_seq=17 ttl=64 time=1.428 ms
> 
> 
> The same applies to every host in 192.168.1.0/28 network. If I ping
> the M20(192.168.1.14) from servers there is same amount of packet
> loss. Any ideas, what might cause this "ping: sendto: Operation not
> permitted"? If additional information is needed, please ask :)
> 
> 
> regards,
> martin
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list