Date: Mon, 21 Jul 2003 15:25:26 -0400
From: "Dennis B. Hopp" <dhopp@coreps.com>
To: <freebsd-ipfw@freebsd.org>
Subject: allowing internal machines to traceroute
Message-ID: <01ab01c34fbd$d6d01440$0201a8c0@dennis>
I have set up a FreeBSD machine to act as a firewall/NAT device. NAT is working fine and the firewall is working, but I'm having trouble allowing internal machines to do traceroutes. Pings work fine, but traceroutes die at the FreeBSD machine.

My firewall.rules file contains:

#stop spoofing
add 00010 deny log all from 192.168.1.0/24 to any in via fxp0

# Stop RFC1918 nets on the outside interface
add 00020 deny log all from any to 10.0.0.0/8 via fxp0
add 00030 deny log all from any to 172.16.0.0/12 via fxp0
add 00040 deny log all from any to 192.168.0.0/16 via fxp0

add 00100 divert 8668 ip from any to any via fxp0

add 00110 deny log ip from 192.168.1.0/24 to any in recv fxp0
add 00120 deny log ip from 207.241.136.0/24 to any in recv fxp1

#Stop RFC1918 at the outside interface both from being received and being sent:
add 00150 deny log ip from 192.168.0.0/16 to any in recv fxp0
add 00150 deny log ip from any to 192.168.0.0/16 out xmit fxp0
add 00150 deny log ip from 172.16.0.0/12 to any in recv fxp0
add 00150 deny log ip from any to 172.16.0.0/12 out xmit fxp0
add 00150 deny log ip from 10.0.0.0/8 to any in recv fxp0
add 00150 deny log ip from any to 10.0.0.0/8 out xmit fxp0

add 00200 check-state
add 00201 allow ip from any to any via lo0
add 00202 deny log ip from any to 127.0.0.0/8
add 00203 deny log ip from 127.0.0.0/8 to any

add 00215 allow tcp from any to any established
add 00216 allow tcp from <external ip> to any out xmit fxp0 setup
add 00217 allow tcp from 192.168.1.0/24 to any in recv fxp1 setup
add 00218 allow udp from <external ip> to any out xmit fxp0 keep-state
add 00219 allow udp from 192.168.1.0/24 to any in recv fxp1 keep-state
add 00235 allow icmp from 192.168.1.0/24 to any keep-state via fxp1
add 00236 allow icmp from 207.241.136.9 to any keep-state out via fxp0

add 00640 allow tcp from any to any 22 out via fxp0 setup keep-state

Any ideas?

--Dennis
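The behaviour described in the post (ping works, traceroute dies at the firewall) follows from how keep-state matches replies. This is an added example, not code from the post or from ipfw: a deliberately simplified Python model of ipfw's check-state/keep-state matching, run against rules 00219 and 00235 and then against an assumed extra rule that admits ICMP error types 3 and 11 on fxp0. It assumes the divert/NAT rule has already restored the internal destination address on inbound packets, and all addresses are constructed.

```python
# Added example, not code from the original post: a simplified model of ipfw's
# keep-state/check-state matching, showing why ping replies match the dynamic table
# while traceroute's ICMP errors do not. Addresses are constructed (RFC 5737 ranges).

class Pkt:
    def __init__(self, proto, src, dst, sport=0, dport=0, icmptype=-1, iface=""):
        self.proto, self.src, self.dst = proto, src, dst
        self.sport, self.dport, self.icmptype, self.iface = sport, dport, icmptype, iface
    def tuple5(self):
        return (self.proto, self.src, self.dst, self.sport, self.dport)
    def reverse5(self):
        return (self.proto, self.dst, self.src, self.dport, self.sport)

class Firewall:
    """rules: (predicate, keep_state) pairs, all 'allow'. check-state runs first
    (rule 00200 in the post); anything unmatched hits the implicit deny."""
    def __init__(self, rules):
        self.rules, self.dynamic = rules, set()
    def filter(self, p):
        if p.tuple5() in self.dynamic or p.reverse5() in self.dynamic:
            return "allow"                        # matched a dynamic (keep-state) entry
        for match, keep_state in self.rules:
            if match(p):
                if keep_state:
                    self.dynamic.add(p.tuple5())  # keep-state remembers the 5-tuple
                return "allow"
        return "deny"

def internal(ip):
    return ip.startswith("192.168.1.")

# Rule 00219: allow udp from 192.168.1.0/24 to any in recv fxp1 keep-state
udp_out = (lambda p: p.proto == "udp" and internal(p.src) and p.iface == "fxp1", True)
# Rule 00235: allow icmp from 192.168.1.0/24 to any keep-state via fxp1
icmp_out = (lambda p: p.proto == "icmp" and internal(p.src) and p.iface == "fxp1", True)
# Assumed fix, not in the post: allow icmp from any to any icmptypes 3,11 in via fxp0
icmp_err = (lambda p: p.proto == "icmp" and p.icmptype in (3, 11) and p.iface == "fxp0", False)

def ping(fw):
    req = Pkt("icmp", "192.168.1.10", "198.51.100.7", icmptype=8, iface="fxp1")
    rep = Pkt("icmp", "198.51.100.7", "192.168.1.10", icmptype=0, iface="fxp0")
    return fw.filter(req), fw.filter(rep)

def traceroute_hop(fw):
    # UDP probe with a low TTL; the router that drops it answers with ICMP type 11
    # (time exceeded) from its own address, so neither proto nor src match the state.
    probe = Pkt("udp", "192.168.1.10", "198.51.100.7", 33000, 33434, iface="fxp1")
    err = Pkt("icmp", "203.0.113.1", "192.168.1.10", icmptype=11, iface="fxp0")
    return fw.filter(probe), fw.filter(err)
```

The echo reply is the reverse of the tuple that rule 00235 stored, so it passes check-state; the time-exceeded message comes from a different host and a different protocol, so it never does, and only a static rule for inbound ICMP error types lets it through.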