From owner-freebsd-questions Tue Nov 7 22:43:36 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id F343137B479 for ; Tue, 7 Nov 2000 22:43:32 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 7 Nov 2000 22:42:04 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id eA86hQ779380; Tue, 7 Nov 2000 22:43:26 -0800 (PST) (envelope-from cjc)
Date: Tue, 7 Nov 2000 22:43:26 -0800
From: "Crist J . Clark"
To: Kent Stewart
Cc: Thomas Seck , freebsd-questions@FreeBSD.ORG
Subject: Re: [4.1.1-stable] Problem with traceroute and ipfw
Message-ID: <20001107224326.M75251@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <200011070827.JAA28389@mailgate3.cinetic.de> <3A07C014.B95BE1F1@urx.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <3A07C014.B95BE1F1@urx.com>; from kstewart@urx.com on Tue, Nov 07, 2000 at 12:40:52AM -0800
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Nov 07, 2000 at 12:40:52AM -0800, Kent Stewart wrote:
> Thomas Seck wrote:

[snip]

> > Well, I still think traceroute does work as expected and I am doing something
> > extremely stupid. Has someone a working 4.1.1 ipfw setup that is allowing
> > traceroute?
>
> # TRACEROUTE - Allow outgoing, but not incoming
> ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

That rule is not enough. You need to let out the UDP packets, but then
you need to let the ICMP responses back in. Specifically, you need to
allow the 'time exceeded in transit' (type 11, code 0) and 'port
unreachable' (type 3, code 3) messages.
Actually, I'd just let both types of time exceeded through and all of
the unreachables in:

    $fwcmd add pass icmp from any to any icmptypes 3,11 in via ${oif}

-- 
Crist J. Clark                           cjclark@alum.mit.edu
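To show why the second rule is needed, here is an added example (not from the thread or from ipfw itself) that models ipfw's first-match, stateless evaluation over the two rules quoted above and runs a constructed traceroute exchange through them; the interface name `ed0` is an assumption standing in for `${oif}`.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Packet:
    proto: str                      # "udp" or "icmp"
    direction: str                  # "out" or "in"
    iface: str                      # interface the packet crosses
    dport: Optional[int] = None     # UDP destination port
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

@dataclass
class Rule:
    action: str                     # "pass" or "deny"
    proto: str
    direction: str
    iface: str
    ports: Optional[range] = None   # UDP destination port range
    icmp_types: Optional[Set[int]] = None

    def matches(self, p: Packet) -> bool:
        if (self.proto, self.direction, self.iface) != (p.proto, p.direction, p.iface):
            return False
        if self.ports is not None and p.dport not in self.ports:
            return False
        return self.icmp_types is None or p.icmp_type in self.icmp_types

def verdict(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins, as in ipfw; unmatched packets hit the implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

OIF = "ed0"  # assumed name for the outside interface, standing in for ${oif}

# Kent's rule: outgoing UDP probes in traceroute's port range (33434-33523).
UDP_OUT = Rule("pass", "udp", "out", OIF, ports=range(33434, 33524))
# Crist's added rule: ICMP unreachable (3) and time exceeded (11) back in.
ICMP_IN = Rule("pass", "icmp", "in", OIF, icmp_types={3, 11})

# Constructed exchange: probe out, a hop's TTL-expired reply, the target's port-unreachable.
PROBE = Packet("udp", "out", OIF, dport=33435)
TTL_EXPIRED = Packet("icmp", "in", OIF, icmp_type=11, icmp_code=0)
PORT_UNREACH = Packet("icmp", "in", OIF, icmp_type=3, icmp_code=3)

def traceroute_verdicts(rules: List[Rule]):
    return tuple(verdict(rules, p) for p in (PROBE, TTL_EXPIRED, PORT_UNREACH))

if __name__ == "__main__":
    print("UDP rule only:", traceroute_verdicts([UDP_OUT]))
    print("UDP + ICMP   :", traceroute_verdicts([UDP_OUT, ICMP_IN]))
```

With only the UDP rule the probe leaves but both ICMP replies are dropped, so traceroute prints nothing but timeouts; adding the ICMP rule lets exactly types 3 and 11 back in while other inbound ICMP still falls to the implicit deny.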