RESOLVED: IPv6 and ICMP packets with UTM

Hi,

There appears to be a bug with the UTM and IPv6 - these options do not function as they should.

I have to untick everything in the firewall > ICMP settings in order to stop ICMP getting through the firewall.

I would have expected that with just "Allow ICMP through Gateway from external networks" then ICMP wouldn't get to the internal machines from an external source.

Bizarrely, with the "Gateway forwards trace route" ticked this also allows ICMP packets through to the internal machines.

Can this be raised as a bug please?

  • Nice to hear that. :)
    That's how it should look if you don't allow ping or ICMP in general through your Uplink interface.

    Yeah, I work for Sophos in QA. There were some problems with the migration from the old astaro forum to this forum and maybe someone forgot to put me on the "Sophos Staff" list.

    However it's nice that your issue doesn't occur anymore. :)

    /Daniel

    Windows has detected you do not have a keyboard. Press 'F9' to continue.

  • I come bearing good news! Just installed the latest 9.4 Beta 2 and ppp0 is included in the "ip6tables -vnL AUTO_FORWARD" result!

    Thank you for your assistance in getting this resolved - on with the next one which is IPv6 and the Web-Filter (Have listed it here).

    If you need any assistance with the IPv6 / WebFilter let me know and I'll do what I can to assist, BTW didn't realize you were Sophos Staff...

    /Tim

    Tim Grantham

    Enterprise Architect & Business owner

  • More than happy to assist with debugging, let me know what you need me to do this end and more than happy to run and post the output.

    Tim Grantham

    Enterprise Architect & Business owner

  • I opened a ticket for the issue.

    Thanks a lot for the effort and the patience! :)

    Would it be possible to get ssh access for debugging next week?

    /Daniel

  • Just thought I would try something out the box.

    Took a copy of the config for my UTM, built a new isolated VM and restored the configuration - still getting the same results as I was previously.

    Changed the external interface from PPPoE to Ethernet, and voila - getting the drop ICMPv6 eth0 rule - changed back to PPPoE and it's gone!

    So this looks like it's a PPPoE bug.

    Tim Grantham

    Enterprise Architect & Business owner
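    The comparison described in this post (Ethernet uplink shows a drop rule for ICMPv6 in AUTO_FORWARD, PPPoE uplink does not) can be checked mechanically. The following script is an added example, not Sophos UTM code or output from the thread; it assumes the column layout of "ip6tables -vnL" and uses constructed sample listings for both cases.

```shell
#!/bin/sh
# Added check, not Sophos UTM code: does the AUTO_FORWARD chain drop ICMPv6
# arriving on the uplink? Column layout assumed from "ip6tables -vnL":
#   pkts bytes target prot opt in out source destination [match details]

# Read a chain listing on stdin; succeed (0) if a DROP/REJECT rule for ICMPv6
# matches packets coming in on interface $1 (or on any interface, "*").
has_icmpv6_drop_from() {
    awk -v ifc="$1" '
        /^Chain / || $1 == "pkts" { next }          # skip the two header lines
        ($3 == "DROP" || $3 == "REJECT") &&
        ($4 == "ipv6-icmp" || $4 == "icmpv6") &&
        ($6 == ifc || $6 == "*")                    { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample listings approximating the two cases in the thread:
# Ethernet uplink (drop rule present) and PPPoE uplink (rule missing).
ETH0_DUMP=$(cat <<'EOF'
Chain AUTO_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1200 ACCEPT     ipv6-icmp  --  eth1   eth0    ::/0                 ::/0
    7   700 DROP       ipv6-icmp  --  eth0   *       ::/0                 ::/0                 ipv6-icmptype 128
EOF
)
PPP0_DUMP=$(cat <<'EOF'
Chain AUTO_FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1200 ACCEPT     ipv6-icmp  --  eth1   ppp0    ::/0                 ::/0
EOF
)

# Print a one-line verdict for the listing held in $2, with uplink interface $1.
verdict() {
    if printf '%s\n' "$2" | has_icmpv6_drop_from "$1"; then
        echo "$1: inbound ICMPv6 is dropped in AUTO_FORWARD"
    else
        echo "$1: NO drop rule for inbound ICMPv6 on the uplink"
    fi
}

verdict eth0 "$ETH0_DUMP"
verdict ppp0 "$PPP0_DUMP"
```

    On a real UTM the same function would be fed by "ip6tables -vnL AUTO_FORWARD" with the actual uplink name (eth0 or ppp0) as the argument.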

  • The options in the ICMP tab overrule the firewall rules in Network Protection >> Firewall >> Rules. But if you uncheck the options in the ICMP tab there are no rules for ICMP anymore on the system which means the firewall rules could match the traffic.

    Is it possible to get ssh access to your machine? That would be really helpful and would speed it up. :)
    Unfortunately I can't reproduce your issue and the packetfilter rules should contain a DROP rule which isn't the case for you.

    For me it looks like this on the shell (with eth0 as default gw):

    Thanks!

    /Daniel

  • I do have an "any internal to any external" rule - guess that's picking up ICMP - but I would have thought that the firewall would have applied the ICMP rules first? Maybe in this case it's not.

    All results where I'm told that it's either reachable or filtered are from external to internal.

    I did create a from external to internal drop ICMP for IPv6 rule, that also made no difference, the settings in the ICMP tab overruled what was in the firewall settings.

    This is the ip6tables -vnL AUTO_FORWARD results, with just "Allow ICMP through gateway" selected.

    This is the cc get icmp results

    With Gateway forwards pings selected only.

    And with only the "Allow ICMP through Gateway from external networks" option selected.

    Tim Grantham

    Enterprise Architect & Business owner

  • You are right. With your last two pictures you should only be able to ping from the UTM itself but not through the UTM from internal to external.

    Do you have any firewall rules configured in Network Protection >> Firewall >> Rules?

    Those could match ICMP traffic as well, if you don't explicitly allow the traffic in the ICMP tab.

    Regarding the second to the last post:

    Could you do me a favor and provide me the output of the following commands for the "reachable" cases?

    # ip6tables -vnL AUTO_FORWARD

    # cc get icmp

    I assume you tried to ping from external to internal, right?

    Thanks a lot!

    /Daniel

  • And even more strange...

    Surely with all these options deselected I shouldn't be able to ping an external IP from internal?

    Regards

    Tim

    Tim Grantham

    Enterprise Architect & Business owner

  • I'm confused - surely with "Allow ICMP through gateway" enabled, there should be no WAN to LAN ICMP, as described in the help: "Allow ICMP through gateway will make the system forward ICMP traffic if originating from an internal network..."

    These are the results per different configuration of the ICMP section - does this seem correct to you?

    [Configuration and result screenshots were attached here and are not reproduced.]

    Tim Grantham

    Enterprise Architect & Business owner