Message-ID: <19981102231100.C2779@emu.sourcee.com>
Date: Mon, 2 Nov 1998 23:11:00 -0500
From: "Norman C. Rice"
To: junkmale@xtra.co.nz, Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW problems...
References: <199810291803.HAA15509@witch.xtra.co.nz> <199811011102.AAA03077@predator.xtra.co.nz> <199811022300.MAA19467@cyclops.xtra.co.nz>
In-Reply-To: <199811022300.MAA19467@cyclops.xtra.co.nz>; from Dan Langille on Tue, Nov 03, 1998 at 12:00:24PM +1300

On Tue, Nov 03, 1998 at 12:00:24PM +1300, Dan Langille wrote:
> On 1 Nov 98, at 22:02, Darren Reed wrote:
>
> > In some mail from Dan Langille, sie said:
> > >
> > > On 29 Oct 98, at 21:45, Darren Reed wrote:
> > >
> > > > traceroute/UDP was fixed on the weekend last, the pc (ICMP) version
> > > > may not yet work.
> > >
> > > OK. Good! Can you guess when the other version will work?
> >
> > My testing shows "traceroute -I" to work properly with NAT.
>
> I'm not sure what "traceroute -I" does. I see no such option on
> traceroute for FreeBSD 2.2.7.

Perhaps he is using the Linux version of traceroute where the `-I' option
uses ICMP ECHO instead of UDP datagrams.

--
Regards,
Norman C. Rice, Jr.

>
> As for my traceroute problems, my mind is unclear. I admit that I didn't
> take full notes. As such, I supply the following in the hopes that it may
> trigger something when you read it. If it does not, then I will reinstall
> IP Filter and get the full story.
>
> I'm using IP Filter 3.2.9 under FreeBSD 2.2.7 RELEASE.
>
> I believe I was able to traceroute when using NAT and without any deny
> rules. When I tried to add in the example firewall rules (from
> rules/BASIC_2.FW), I found that disabling the following rule allowed
> traceroute to work:
>
> block in log quick all with short
>
> When this rule was present, traceroute did not work at all.
>
> --
> Dan Langille
> The FreeBSD Diary
> http://www.FreeBSDDiary.com/freebsd