Ping doesn't fail after blocking it via Firewall

I have a client on the LAN zone (i.e. LAN-client) and a box on the guest zone (192.168.2.102). In the firewall, I have the following settings:

config forwarding
	option src 'lan'
	option dest 'guest'

In this case ping from the LAN client works:

LAN-client$ ping 192.168.2.102
PING 192.168.2.102 (192.168.2.102): 56 data bytes
64 bytes from 192.168.2.102: icmp_seq=0 ttl=63 time=4.646 ms
.
.
.

I let it run and remove that forwarding rule from the firewall. I click on save & apply. I'd have expected the ping from LAN-client to fail, but it continues to deliver ICMP requests to 192.168.2.102! Then, if I restart the ping on LAN-client, it fails as expected.

My question is: why is an ongoing ping not blocked? Please note that the same issue does not occur the other way around. Indeed, if I add the forwarding rule again, the ongoing (failing) ping starts delivering packets, without restarting it.


Right, the ongoing pings are an Established connection and will be allowed to continue.

The exemption for established connections is a defining feature of a stateful firewall. Without it, connecting to websites on the wan would not be possible because there's no specific rule allowing a response from the site back into the lan.

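The two observations in the question and the "established connection" explanation in the reply can be replayed against a toy model of a stateful firewall. This is an added example, not code from OpenWrt or its fw3/fw4 firewall. It keys flows the way connection tracking keys ICMP echo (source address, destination address, echo identifier chosen by ping when it starts), uses the Linux default idle timeout of 30 seconds for ICMP conntrack entries, and assumes the guest box answers each request, so the entry is treated as established as soon as it exists. The LAN client address and the echo identifiers are constructed values; the `flush_conntrack` method stands in for what `conntrack -F` does on the router.

```python
"""Toy model of how a stateful firewall treats an ongoing ping.

Added example, not OpenWrt's own firewall code. Flows are keyed the way
conntrack keys ICMP echo: (src_ip, dst_ip, echo_id). Addresses and echo
identifiers below are constructed.
"""
from dataclasses import dataclass, field

ICMP_TIMEOUT = 30  # idle seconds before a conntrack ICMP entry expires (Linux default)

Flow = tuple  # (src_ip, dst_ip, icmp_echo_id)


@dataclass
class StatefulFirewall:
    # Zone forwardings, i.e. the 'config forwarding' stanzas: {(src_zone, dest_zone)}
    forwardings: set = field(default_factory=set)
    # Connection-tracking table: flow -> time at which the entry expires
    conntrack: dict = field(default_factory=dict)

    def forward(self, src_zone: str, dest_zone: str, flow: Flow, now: float) -> str:
        """Return the verdict for one echo request crossing from src_zone to dest_zone."""
        expiry = self.conntrack.get(flow)
        if expiry is not None and now < expiry:
            # Packet belongs to a tracked flow: the ESTABLISHED rule accepts it
            # without consulting the zone forwardings, and refreshes the timer.
            self.conntrack[flow] = now + ICMP_TIMEOUT
            return "ACCEPT established"
        self.conntrack.pop(flow, None)  # expired or unknown: treat as NEW
        if (src_zone, dest_zone) in self.forwardings:
            self.conntrack[flow] = now + ICMP_TIMEOUT  # first accepted packet creates the entry
            return "ACCEPT new"
        return "REJECT"

    def flush_conntrack(self) -> None:
        """Forget every tracked flow (what `conntrack -F` does on the router)."""
        self.conntrack.clear()


def replay_thread() -> list:
    """Replay the sequence from the thread and return the verdict of each packet."""
    fw = StatefulFirewall(forwardings={("lan", "guest")})
    guest_box = "192.168.2.102"
    ping_a = ("192.168.1.10", guest_box, 0x1A2B)  # constructed LAN client / echo id
    verdicts = []
    verdicts.append(fw.forward("lan", "guest", ping_a, now=0))   # rule present
    verdicts.append(fw.forward("lan", "guest", ping_a, now=1))   # flow is now tracked
    fw.forwardings.discard(("lan", "guest"))                     # "save & apply" without the rule
    verdicts.append(fw.forward("lan", "guest", ping_a, now=2))   # still passes: established
    ping_b = ("192.168.1.10", guest_box, 0x3C4D)                 # restarted ping = new echo id
    verdicts.append(fw.forward("lan", "guest", ping_b, now=3))   # fails: new flow, no forwarding
    verdicts.append(fw.forward("lan", "guest", ping_a, now=40))  # ping_a idle since t=2: entry expired
    fw.forwardings.add(("lan", "guest"))                         # rule re-added
    verdicts.append(fw.forward("lan", "guest", ping_b, now=41))  # failing ping recovers at once
    fw.forwardings.discard(("lan", "guest"))
    fw.flush_conntrack()                                         # the admin remedy
    verdicts.append(fw.forward("lan", "guest", ping_b, now=42))  # blocked immediately despite being "ongoing"
    return verdicts


if __name__ == "__main__":
    for step, verdict in enumerate(replay_thread()):
        print(step, verdict)
```

The asymmetry in the question falls out of the lookup order: a tracked flow is accepted before the zone forwardings are consulted, so removing a rule only affects flows that are not yet in the table, while adding a rule affects a failing ping immediately because its packets never created an entry. The replay also shows the two ways the "ongoing" ping does get cut off: the entry ages out after the idle timeout, or the administrator flushes the table after changing policy.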

Thank you both. I didn't believe that ICMP messages were tracked with the state of the "connection".
