From owner-freebsd-security Mon Nov 27 8:38:58 2000
Delivered-To: freebsd-security@freebsd.org
Received: from bsdone.bsdwins.com (www.bsdwins.com [192.58.184.33]) by hub.freebsd.org (Postfix) with ESMTP id 466BB37B479 for ; Mon, 27 Nov 2000 08:38:54 -0800 (PST)
Received: (from jwd@localhost) by bsdone.bsdwins.com (8.11.0/8.11.0) id eARGbVL00252; Mon, 27 Nov 2000 11:37:31 -0500 (EST) (envelope-from jwd)
Date: Mon, 27 Nov 2000 11:37:31 -0500
From: "John W. De Boskey"
To: cjclark@alum.mit.edu
Cc: Nuno Teixeira , freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001127113731.A99705@bsdwins.com>
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20001126113720.A70192@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Sun, Nov 26, 2000 at 11:37:21AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

----- Crist J . Clark's Original Message -----
> On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > Hi,
> >
> > I think not. Can you tell me how to add this rule to my ruleset?
>
> The two rules needed to get UNIX-style traceroutes to work are,
>
>   $fwcmd add allow udp from any to any 33434-33474 out via ${oif}

I've had to up the tail value of the udp port range to allow traceroute
to work correctly in some instances.

For instance, if I ping my home machine from freefall and I have full
logging turned on, I get the following:

ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33486 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33487 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33488 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0

Note the udp port number in the last request is 88. The range in the
example is only 40 port numbers, but traceroute defaults to 30 hops,
3 probes max per hop. At least, that's how I read the source.

-john

>   $fwcmd add allow icmp from any to any icmptype 3,11 in via ${oif}
>
> But you already have a more promiscuous rule for ICMP so that is not
> needed. 'oif' is your external interface on a gateway machine.
> --
> Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
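The sizing argument in the message above, worked through as an added example (this is not code from the thread or from FreeBSD): classic UNIX traceroute moves to the next UDP destination port for every probe it sends, not for every hop, so a run with the defaults the mail cites (30 hops, 3 probes per hop) can touch 90 consecutive ports starting at 33434, the base of the quoted rule. The block computes that range, emits ipfw rules in the shape of the quoted ones with the UDP range widened accordingly, and parses ipfw log lines of the form shown in the mail to list probes that a given allow range would miss. The sample log is constructed: the three probe/reply pairs from the mail plus one made-up late probe and one made-up ICMP time-exceeded reply, with `${myip}` kept literally.

```python
import re

TRACEROUTE_BASE_PORT = 33434  # 32768 + 666, the classic UNIX traceroute default

# ipfw "log" entries, one per line, in the shape quoted in the thread.
_UDP_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) UDP "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$")
_ICMP_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) ICMP:(?P<type>\d+)\.(?P<code>\d+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)$")


def traceroute_port_range(max_ttl=30, nprobes=3, base=TRACEROUTE_BASE_PORT):
    """Inclusive UDP destination-port range one traceroute run can use.

    Every probe increments the port, so a run that has to go the full
    distance uses max_ttl * nprobes consecutive ports starting at base.
    """
    if max_ttl < 1 or nprobes < 1:
        raise ValueError("max_ttl and nprobes must be positive")
    return base, base + max_ttl * nprobes - 1


def ipfw_traceroute_rules(oif, max_ttl=30, nprobes=3):
    """Rules in the shape of the quoted ones, UDP range sized to the defaults.

    oif is the external interface (an assumed name is passed by the caller).
    """
    lo, hi = traceroute_port_range(max_ttl, nprobes)
    return [
        f"add allow udp from any to any {lo}-{hi} out via {oif}",
        # ICMP 11 = time exceeded from intermediate hops; the final host
        # answers the probe with type 3 code 3, port unreachable.
        f"add allow icmp from any to any icmptype 3,11 in via {oif}",
    ]


def parse_ipfw_line(line):
    """Return a dict for a UDP or ICMP ipfw log entry, or None if unparsed."""
    m = _UDP_RE.match(line.strip())
    if m:
        d = m.groupdict()
        d["proto"] = "UDP"
        for k in ("rule", "sport", "dport"):
            d[k] = int(d[k])
        return d
    m = _ICMP_RE.match(line.strip())
    if m:
        d = m.groupdict()
        d["proto"] = "ICMP"
        for k in ("rule", "type", "code"):
            d[k] = int(d[k])
        return d
    return None


def probes_outside_range(lines, allowed):
    """Destination ports of UDP probes that the inclusive range would not
    match, i.e. what a rule with that range would fail to pass."""
    lo, hi = allowed
    return [e["dport"] for e in map(parse_ipfw_line, lines)
            if e and e["proto"] == "UDP" and not (lo <= e["dport"] <= hi)]


def icmp_replies(lines):
    """(type, code) of each ICMP entry: 3.3 means the probe reached the
    target host, 11.0 means an intermediate hop answered."""
    return [(e["type"], e["code"]) for e in map(parse_ipfw_line, lines)
            if e and e["proto"] == "ICMP"]


# Constructed sample log (see lead-in); not a real capture.
SAMPLE_LOG = """\
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33486 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33487 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33488 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33520 in via fxp0
ipfw: 1500 Accept ICMP:11.0 ${myip} 216.136.204.21 out via fxp0
""".splitlines()

if __name__ == "__main__":
    quoted = (33434, 33474)            # the range quoted in the thread
    needed = traceroute_port_range()   # 30 hops x 3 probes
    print("quoted rule covers", quoted, "but defaults need", needed)
    print("probes the quoted range misses:", probes_outside_range(SAMPLE_LOG, quoted))
    print("probes the sized range misses:", probes_outside_range(SAMPLE_LOG, needed))
    for rule in ipfw_traceroute_rules("fxp0"):
        print(rule)
```

Direction matters when you lift these rules: the quoted pair is for a gateway tracerouting outward (UDP out, ICMP in), while the log in the mail shows the mirror case of being traced (UDP in, ICMP out). The port arithmetic is the same either way; adjust `in`/`out` to the side you are on, and raise `max_ttl` if you run traceroute with `-m` above 30.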