Flow rules do not work at all?!


I have a really odd issue with Flow Rules: it seems that they do not work?!

If I put anything but accept; at the end of my rules, traffic gets blocked.

I started using statements that included ipsrc and ipdest, none of these rules worked. So I came up with this example: it should allow ICMP (0x01), UDP (0x11), and TCP (0x06):

accept ipprotocol 1;
accept ipprotocol 6;
accept ipprotocol 17;


But even in this simple example all traffic is blocked.

I think I need some help here …

Best regards


You’re blocking ARP, which is how IPv4 addresses are resolved to hardware (MAC) addresses on a network. You’ll note that the default rule set includes this:

# Allow only IPv4, IPv4 ARP, and IPv6 Ethernet frames.
	not ethertype ipv4
	and not ethertype arp
	and not ethertype ipv6


What this does is drop anything that’s not IPv4, IPv6 or ARP. Specifying ICMP is not required as ICMP is already IPv4 or IPv6.

OOOOOPS, you are right! I tried to create the smallest example possible and failed miserably :slight_smile:

When I add

allow ethertype arp;

it works as expected!

I will flag your response as the Solution.