From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: blaz
Cc: freebsd-questions@FreeBSD.ORG
Date: Tue, 9 Jan 2001 22:02:30 -0800
Subject: Re: traceroute continued.
In-Reply-To: <3A5B5BBE.6E471EB6@satx.rr.com>; from blaz@satx.rr.com on Tue, Jan 09, 2001 at 12:43:10PM -0600

On Tue, Jan 09, 2001 at 12:43:10PM -0600, blaz wrote:
> still no luck with getting machines behind firewall to be able
> to use traceroute -- just from firewall:

It works from the firewall itself? That means all of the rules you need
are on the external interface. This could either be a problem with your
rules on the internal interface or natd(8) (and I believe you've
mentioned natd).

> here are all of my rules concerning this issue, maybe someone
> with a lot more experience than me can help me out..
>
> # TRACEROUTE - Allow outgoing
> ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

All of the ICMP ones look good. Is there a rule that is letting them
come in the inner interface?
If it looks like you do, start a traceroute on an internal machine and
do tcpdump(8)'s on each interface of the firewall/gateway/NAT machine.
First do,

  # tcpdump -n -i if0 udp

Where if0 is really the valid name of an interface, and see where the
UDP packets are or are not getting to. If those are not getting out of
the external interface, use 'ipfw show' to find which rule is blocking
them (watch for changes in the rule counters). If it looks good, try
the same process with,

  # tcpdump -n -i if0 icmp

And see if we all did not miss a problem in your ICMP rules.
--
Crist J. Clark                           cjclark@alum.mit.edu
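The "watch for changes in the rule counters" step above can be done mechanically: snapshot `ipfw show` before and after running traceroute from an inside host and diff the packet counts. The script below is an added example, not code from the thread; the two snapshots are constructed and the interface names fxp0 (outside) and xl0 (inside) and the divert port are assumptions, but the column layout follows `ipfw show` (rule number, packet count, byte count, rule body).

```sh
#!/bin/sh
# Added example: find ipfw rules whose packet counter moved between two
# 'ipfw show' snapshots taken before and after a test traceroute.

ipfw_counter_diff() {
    # $1 = 'ipfw show' output before the test, $2 = the same after.
    # Prints "<rule> <packet delta> <rule body>" for each rule that changed.
    awk 'NR==FNR { before[$1] = $2; next }
         ($1 in before) && $2 != before[$1] {
             delta = $2 - before[$1]
             body = ""
             for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
             printf "%s %d %s\n", $1, delta, body
         }' "$1" "$2"
}

# Constructed snapshots (assumed interfaces: fxp0 outside, xl0 inside).
# 90 UDP probes go out, 90 ICMP replies are allowed in on fxp0, but
# nothing passes them out via the inner interface, so the final deny
# rule's counter climbs by the same 90: the inside rule set is the gap.
cat > /tmp/ipfw_before.txt <<'EOF'
00100      0        0 allow ip from any to any via lo0
00200   1520   219800 divert 8668 ip from any to any via fxp0
00300      0        0 allow udp from any to any 33434-33523 out via fxp0
00400      0        0 allow icmp from any to any icmptypes 3,11 in via fxp0
65000    312    41000 deny ip from any to any
EOF
cat > /tmp/ipfw_after.txt <<'EOF'
00100      0        0 allow ip from any to any via lo0
00200   1610   228200 divert 8668 ip from any to any via fxp0
00300     90     5400 allow udp from any to any 33434-33523 out via fxp0
00400     90     5040 allow icmp from any to any icmptypes 3,11 in via fxp0
65000    402    53600 deny ip from any to any
EOF

# Number of rules whose packet counter changed during the test.
changed_rule_count() {
    ipfw_counter_diff /tmp/ipfw_before.txt /tmp/ipfw_after.txt | wc -l | tr -d ' '
}

ipfw_counter_diff /tmp/ipfw_before.txt /tmp/ipfw_after.txt
```

On a real gateway, replace the heredocs with `ipfw show > /tmp/ipfw_before.txt`, run the traceroute from the inside host, and then `ipfw show > /tmp/ipfw_after.txt`; a rising count on the terminal deny rule tells you which direction is being dropped.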