Date:      Tue, 9 Jan 2001 00:16:13 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        blaz <blaz@satx.rr.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: traceroute
Message-ID:  <20010109001612.O95729@rfx-64-6-211-149.users.reflexco>
In-Reply-To: <3A5AA9B0.1A5EB35C@satx.rr.com>; from blaz@satx.rr.com on Tue, Jan 09, 2001 at 12:03:28AM -0600
References:  <3A5AA9B0.1A5EB35C@satx.rr.com>

On Tue, Jan 09, 2001 at 12:03:28AM -0600, blaz wrote:
> greetings,
> 
> my ipfw rules on traceroute are as follows:
> 
> # TRACEROUTE - Allow outgoing
> ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
> 
> my firewall is able to use traceroute, but my internal LAN is not.  My
> interfaces are as follows:
> 
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet="24.160.144/23"
> omask="255.255.255.255"
> oip="24.160.144.62"
> 
> # set these to your inside interface network and netmask and ip
> iif="xl1"
> inet="192.168.2.0/24"
> imask="255.255.255.0"
> iip="192.168.2.1"
> 
> any help would be greatly appreciated.

You are letting the UDP packets out, but you need to let the ICMP time
exceeded and port unreachable messages back in,

  ${fwcmd} add pass icmp from any to ${oip} icmptypes 3,11 in via ${oif}

Another rule may be needed to pass them back out the internal
interface, depending on how tight or loose your rules on ${iif}
already are:

  ${fwcmd} add pass icmp from any to any icmptypes 3,11 out via ${iif}
-- 
Crist J. Clark                           cjclark@alum.mit.edu
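
An added example, not part of the thread: the reply above taken to a
complete rc.firewall-style fragment that covers both cases, the firewall
tracerouting and a LAN host tracerouting through it. The interface names
and addresses are the ones quoted from the question; the extra "in via
${iif}" UDP rule and the narrowing of the inside-bound ICMP rule to ${inet}
are my assumptions about what the inside interface needs, not something the
reply states. fwcmd defaults to ipfw but "preview" runs the same function
with echo so the generated rules can be inspected without a live firewall.

```shell
#!/bin/sh
# Added example (not from the original thread): rc.firewall-style
# traceroute rules for a FreeBSD/ipfw gateway with one outside and one
# inside interface.  Values below are the ones quoted in the question.

fwcmd="${fwcmd:-ipfw}"
oif="xl0"             # outside interface
oip="24.160.144.62"   # outside address
iif="xl1"             # inside interface
inet="192.168.2.0/24" # inside network (assumed; taken from the question)

# Emit the rules needed for UDP-probe traceroute.
traceroute_rules() {
    # Probes from the firewall itself or from the LAN leave via ${oif}.
    ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
    # Probes from LAN hosts first arrive on the inside interface
    # (assumed rule; the question's inside rules are not shown).
    ${fwcmd} add pass udp from ${inet} to any 33434-33523 in via ${iif}
    # Replies: ICMP time-exceeded (type 11) from each hop and
    # port-unreachable (type 3) from the final destination come back in
    # on the outside interface, addressed to the outside IP.
    ${fwcmd} add pass icmp from any to ${oip} icmptypes 3,11 in via ${oif}
    # ...and, for LAN-originated traceroutes, must also be forwarded out
    # the inside interface to the originating host.
    ${fwcmd} add pass icmp from any to ${inet} icmptypes 3,11 out via ${iif}
}

# Same rule set, but printed instead of installed (runs in a subshell so
# the real fwcmd is untouched).
preview_rules() {
    ( fwcmd="echo"; traceroute_rules )
}

# "install" applies the rules with ${fwcmd}; anything else just previews.
case "${1:-preview}" in
    install) traceroute_rules ;;
    *)       preview_rules ;;
esac
```

Two practical notes. Rule order matters in ipfw: these pass rules must come before any deny-all or "deny icmp" rule on ${oif}, or the replies are still dropped. And if the gateway also runs natd for the 192.168.2.0/24 LAN, the inbound ICMP rule has to sit before the divert rule, because after translation the reply's destination is the LAN host's private address rather than ${oip}; placing it after the divert rule would silently re-create the original symptom for LAN hosts only.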
