1 Topic by ThASattler (edited by ThASattler 2020-10-16 23:50:26)

  • ThASattler
  • Member
  • Offline
  • Registered: 2016-10-15
  • Posts: 44

Topic: Mailserver does not answer to a ping request due to nftables.conf

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.1
- Deployed with iRedMail Easy or the downloadable installer? Downloadable installer
- Linux/BSD distribution name and version: DEBIAN 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL (MariaDB)
- Web server (Apache or Nginx):Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

With the nftables.conf delivered there is no answer to a ping request, but when the following line in the input chain:

ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

is changed to 

ip protocol icmp accept comment "accept all ICMP types"

there is an answer.

But is this a good workaround? Which types are missing?

And what about the definition for ipcmpv6?

ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Mailserver does not answer to a ping request due to nftables.conf

ThASattler wrote:

ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept

ping works for me with this rule.

Could you please show me the kernel and nft versions?

uname -r
dpkg -l |grep nft

3 Reply by ThASattler

  • ThASattler
  • Member
  • Offline
  • Registered: 2016-10-15
  • Posts: 44

Re: Mailserver does not answer to a ping request due to nftables.conf

ZhangHuangbin wrote:

ping works for me with this rule.

Could you please show me the kernel and nft versions?

Kernel:

4.19.0-11-amd64

nft:

ii  libnftables0:amd64  0.9.0-2 amd64     Netfilter nftables high level userspace API library
ii  libnftnl11:amd64     1.1.2-2 amd64     Netfilter nftables userspace API library
ii  nftables                  0.9.0-2 amd64     Program to control packet filtering rules by Netfilter project

4 Reply by ThASattler

  • ThASattler
  • Member
  • Offline
  • Registered: 2016-10-15
  • Posts: 44

Re: Mailserver does not answer to a ping request due to nftables.conf

When I add the type "echo-request" to the nftables statement for ICMP the mailserver is answering to a PING request from another server or client.
The following rule is working for me:

ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept

5 Reply by Shnoulle

  • Shnoulle
  • Member
  • Offline
  • Registered: 2020-12-27
  • Posts: 31

Re: Mailserver does not answer to a ping request due to nftables.conf

ThASattler wrote:

When I add the type "echo-request" to the nftables statement for ICMP the mailserver is answering to a PING request from another server or client.
The following rule is working for me:

ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept

Exactly the same issue on a new debian 10 setup.

Clean debian 9 updated to debian 10

root@belar:# uname -r
4.19.0-13-amd64
root@belar:# dpkg -l |grep nft
ii  libnftables0:amd64              0.9.0-2                      amd64        Netfilter nftables high level userspace API library
ii  libnftnl11:amd64                1.1.2-2                      amd64        Netfilter nftables userspace API library
ii  nftables                        0.9.0-2                      amd64        Program to control packet filtering rules by Netfilter project

I check if issue is reported.

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Mailserver does not answer to a ping request due to nftables.conf

Fixed: https://github.com/iredmail/iRedMail/co … 36fdd0783c