Suse 9.2 firewall prevents 'ping' on local network?
Boy, am I frustrated ...!
I spent most of Friday evening, and all Saturday, and some of this morning (Sunday) trying to get my wireless network card (broadcom bcm4309 device, aka Dell TrueMobile 1400) to work with SUSE 9.2 Pro.
I researched and downloaded the ndiswrapper stuff, followed all the instructions, made sure I had the right encryption, ssid, etc settings. But, no matter what I did, I could not 'ping' my local access point, nor other machines on my network (booting to winxp on same laptop showed this same 'ping' to work). I was getting an ip from the AP. And I could 'scan' the AP too.
FINALLY, I just 'gave up' and launched the browser, and ... lo and behold ... I'm on the network !!! (writing this now while wirelessly connected).
So I should be overjoyed, I guess, since the ndiswrapper stuff is not trivial to set up, BUT - why oh why would a 'ping' fail? NOTE: I'm talking about running 'ping' ON the linux machine I'm configuring, pinging out to another machine.
I've been ignoring the 'suse firewall' that starts up each time I boot. So now I just tried turning it off (in YAST) ... and ... now I can ping my access point and local machines!!!!
So ... why would the SUSE firewall prevent me from pinging (or more accurately, perhaps, getting a response to a ping?) the access point? I've relied on ping for many years as the most basic of tools to test networking. I know full well that a firewall will typically prevent a response TO a ping from ANOTHER workstation, but I'm talking about pinging OUT from the linux machine on which the firewall is running.
Specifically, my WAP is 192.168.0.99; my wlan0 interface is set for dhcp and is given an address 192.168.0.151. I type 'ping 192.168.0.99' and get no response. I also type 'ping 192.168.0.1' (another computer on my lan) and get no response. Disabling firewall, I get the normal response to ping on both these addresses.
Needless to say, I'll be leaving the firewall disabled until such time as I can understand how to make it a bit less aggressive!
So what I'd really like to know is, what setting in the firewall is it that is preventing 'ping' from working? I'd prefer to leave the firewall on, but can't see anything in the firewall config (under yast) that would configure this.
The firewall is probably blocking all ICMP packets. There are very good reasons for blocking incoming ICMP packets (badly-formed pings have caused NT computers to lock up before now), and I guess it wasn't considered essential to have outgoing ICMP either. (The attitude being that if you don't need it, get rid of it; it may have unknown security holes).
Were you using an ethernet interface before the wireless card? I had a problem similar to yours and couldn't ping my AP. In YaST, looking at the firewall, I realized it was 'set' on interface eth0. I simply reset it on interface wlan0 and all worked well.
I have an ethernet port in the laptop, eth0 and it was 'available' during install, and I do believe that the firewall was 'set' on it.
However, that suggests to me that I should have been fine on the wlan0 interface - if no firewall is set on it, it should not be 'firewalled' - though that could be naive!
But turning off the firewall cured my problem ... so are you suggesting that, if the firewall is 'on', and only 'set' on the eth0 interface, it will in fact completely block any other interface (eg, wlan0) that it is not 'set' on? I can certainly try playing around with this. Thanks!
I am not offering a very convincing explanation for this because I don't know the internals well enough. If someone does, I'd love to hear the explanation. I am just telling you what I noticed. In YaST, go to
Security & Users->Firewall
and there you can set the 'External interface'. I set mine to 'wlan-bus-pcmcia' and it worked. It used to be set to 'eth0' and there, I couldn't ping or have internet access.
I guess what is happening is that only one interface can be written to/read from at a time as far as internet access goes. So if your external interface says 'eth0' while you are in fact unplugged and trying to use the wireless card, your machine doesn't even bother to look into it; it only listens on eth0. Feel free to destroy my tentative explanation...
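As an added example (not part of the original thread, and not SuSEfirewall2's own code): a small check for the situation this post describes, an active interface that no firewall zone lists. It assumes the zone assignment is stored in the `FW_DEV_EXT`, `FW_DEV_INT` and `FW_DEV_DMZ` variables of `/etc/sysconfig/SuSEfirewall2`; the sample file contents and the `wlan0` to `wlan-bus-pcmcia` alias mapping are constructed.

```python
import shlex

# Zone variables in /etc/sysconfig/SuSEfirewall2 (external, internal, DMZ).
ZONE_KEYS = ("FW_DEV_EXT", "FW_DEV_INT", "FW_DEV_DMZ")

def parse_zones(sysconfig_text):
    """Return {zone_key: [names]} from shell-style KEY="a b" lines."""
    zones = {key: [] for key in ZONE_KEYS}
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in zones:
            # shlex removes the quotes and any trailing comment; the
            # second split breaks the space-separated list into names.
            zones[key] = " ".join(shlex.split(value, comments=True)).split()
    return zones

def unassigned(sysconfig_text, active, aliases=None):
    """Active interfaces that no zone lists, by kernel name or by alias."""
    aliases = aliases or {}
    listed = {n for names in parse_zones(sysconfig_text).values() for n in names}
    # Later SuSEfirewall2 releases accept the keyword 'any' as a
    # catch-all for interfaces that are not listed anywhere.
    if "any" in listed:
        return []
    return [i for i in active
            if i not in listed and aliases.get(i) not in listed]

# Constructed sample: the firewall still points at the wired port.
BEFORE = '''
# constructed sample, not copied from a real system
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
'''
# The change described in the post: external interface set to the wireless card.
AFTER = BEFORE.replace('"eth0"', '"wlan-bus-pcmcia"')

# Constructed mapping from kernel name to the configuration name YaST shows.
ALIASES = {"wlan0": "wlan-bus-pcmcia"}

if __name__ == "__main__":
    print("before:", unassigned(BEFORE, ["wlan0"], ALIASES))
    print("after: ", unassigned(AFTER, ["wlan0"], ALIASES))
```

An interface reported by this check is a candidate for the behaviour seen in the thread, where traffic on the wireless card only worked once it was set as the firewall's external interface.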
Originally posted by Pingus: "I guess what is happening is that only one interface can be written to/read from at a time as far as internet access goes."
Not quite. You can have as many interfaces as you like, and set them up in several different ways. Roughly speaking, you can use them in parallel with an internet connection on each one (load-balancing), or you can set up different paths to different hosts/networks on different interfaces (eg. with the internet on one interface, your LAN on another and a dedicated WAN interface on a third).
By default, however, only one interface can be the default interface (without messing around with advanced routing settings in the kernel). In this setup, your interfaces are put into an order, and each one assigned a set of destination IP addresses. If you send a network packet, then the kernel will compare its destination to each interface in turn, only sending it to the default interface if no other interface “claims” it (by listing its destination IP address).
I'm not sure, but I think you want to enable port 5813 under Firewall Services/Expert (it says this is just TCP services; it may be blocking all ICMP services anyway. Or I may have the wrong port number for ping, i.e. ICMP_ECHO packets).