If I send a ping from the monowall itself to a not-existent host the returning ICMP Dest Unreachable (Host) is blocked by the firewall. Even if I have an explicit allow rule. Such a rule is not needed for hosts on the LAN, they get the ICMP passed back correctly.
I first noticed this when the other end of an IPSec VPN was down and the logs filled up with blocked ICMP.
Note in the example below the 192.168.1.20 address is not the WAN interface of the FW. It is a LAN host that sent out a similar ping earlier. So a double bug (but not necessarily both monowall). (remote WAN addresses obsfucated .166 is router, .164 is pinged host, router is not a monowall).
ipmon[96]: 13:44:22.697840 3x vr1 @200:5 b 99.99.99.166 -> 192.168.1.20 PR icmp len 20 112 icmp unreach/host for 192.168.1.20 - 99.99.99.164 PR icmp len 20 84 icmp 8/0 K-S K-F IN
|