Date:      Tue, 7 Nov 2000 22:43:26 -0800
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Kent Stewart <kstewart@urx.com>
Cc:        Thomas Seck <tmseck@web.de>, freebsd-questions@FreeBSD.ORG
Subject:   Re: [4.1.1-stable] Problem with traceroute and ipfw
Message-ID:  <20001107224326.M75251@149.211.6.64.reflexcom.com>
In-Reply-To: <3A07C014.B95BE1F1@urx.com>; from kstewart@urx.com on Tue, Nov 07, 2000 at 12:40:52AM -0800
References:  <200011070827.JAA28389@mailgate3.cinetic.de> <3A07C014.B95BE1F1@urx.com>

On Tue, Nov 07, 2000 at 12:40:52AM -0800, Kent Stewart wrote:
> Thomas Seck wrote:

[snip]

> > Well, I still think traceroute does work as expected and I am doing something
> > extremely stupid. Has someone a working 4.1.1 ipfw setup that is allowing
> > traceroute?
> 
> 
>         # TRACEROUTE - Allow outgoing, but not incoming
>         ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

That rule is not enough. You need to let out the UDP packets, but then
you need to let the ICMP responses back in. Specifically, you need to
allow the 'time exceeded in transit' (type 11, code 0) and 'port
unreachable' (type 3, code 3) messages. Actually, I'd just let both
types of time exceeded through and all of the unreachables in,

  $fwcmd add pass icmp from any to any icmptypes 3,11 in via ${oif}

-- 
Crist J. Clark                           cjclark@alum.mit.edu
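As an added illustration (not part of the mail thread or of ipfw itself), here is a small Python model of ipfw's first-match evaluation over the two rules discussed above. It shows that Kent's outgoing UDP rule alone drops the returning ICMP messages, while adding the `icmptypes 3,11 in` rule lets a traceroute complete. The Packet/Rule structures, the default-deny tail and the sample packets are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

@dataclass
class Packet:
    proto: str            # "udp" or "icmp"
    direction: str        # "in" or "out", relative to ${oif}
    dport: int = 0        # UDP destination port (0 when not UDP)
    icmptype: int = -1    # ICMP type (-1 when not ICMP)

@dataclass
class Rule:
    action: str           # "pass" or "deny"
    proto: str
    direction: str
    dports: Optional[range] = None      # matches "to any 33434-33523"
    icmptypes: Tuple[int, ...] = ()     # matches "icmptypes 3,11"

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto or self.direction != p.direction:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        if self.icmptypes and p.icmptype not in self.icmptypes:
            return False
        return True

def evaluate(rules: List[Rule], packet: Packet) -> str:
    """ipfw semantics: first matching rule wins; the implicit final rule denies."""
    for r in rules:
        if r.matches(packet):
            return r.action
    return "deny"

# Kent's original rule set: only the outgoing probes are allowed.
OUTGOING_ONLY = [Rule("pass", "udp", "out", dports=range(33434, 33524))]
# Crist's addition: let the ICMP replies (types 3 and 11) back in.
WITH_ICMP_REPLIES = OUTGOING_ONLY + [Rule("pass", "icmp", "in", icmptypes=(3, 11))]

# Constructed sample traffic for one traceroute run.
PROBE = Packet("udp", "out", dport=33434)          # first UDP probe
TIME_EXCEEDED = Packet("icmp", "in", icmptype=11)  # reply from an intermediate hop
PORT_UNREACH = Packet("icmp", "in", icmptype=3)    # reply from the final destination

def traceroute_works(rules: List[Rule]) -> bool:
    """True only if the probe gets out and both reply types get back in."""
    return all(evaluate(rules, p) == "pass"
               for p in (PROBE, TIME_EXCEEDED, PORT_UNREACH))
```

The model is stateless on purpose: like the ipfw rules in the thread, it has no notion of "reply to my probe", so the return path must be opened explicitly.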

