Date:      Mon, 27 Nov 2000 11:37:31 -0500
From:      "John W. De Boskey" <jwd@bsdwins.com>
To:        cjclark@alum.mit.edu
Cc:        Nuno Teixeira <nuno.teixeira@pt-quorum.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: NATD: failed to write packet back (Permission denied)
Message-ID:  <20001127113731.A99705@bsdwins.com>
In-Reply-To: <20001126113720.A70192@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Sun, Nov 26, 2000 at 11:37:21AM -0800
References:  <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com>

----- Crist J. Clark's Original Message -----
> On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > Hi,
> > 
> > I think not. Can you tell me how to add this rule to my ruleset?
> 
> The two rules needed to get UNIX-style traceroutes to work are,
> 
>   $fwcmd add allow  udp from any to any 33434-33474  out via ${oif}

   I've had to up the tail value of the udp port range to allow
traceroute to work correctly in some instances.

   For instance, if I ping my home machine from freefall and I have
full logging turned on, I get the following:

ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33486 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33487 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33488 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0

   Note the udp port number in the last request is 88.

   The range in the example is only 40 port numbers, but traceroute
defaults to 30 hops, 3 probes max per hop. At least, that's how
I read the source.

-john

>   $fwcmd add allow icmp from any to any icmptype 3,11 in via ${oif}
> 
> But you already have a more promiscuous rule for ICMP so that is not
> needed. 'oif' is your external interface on a gateway machine.
> -- 
> Crist J. Clark                           cjclark@alum.mit.edu
> 
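The sizing argument above (30 hops times 3 probes, one UDP destination port per probe, counted up from 33434) can be checked against ipfw log lines rather than by hand. The following POSIX sh script is an added example written for this archive page, not code from the mail or from FreeBSD: it derives the last port a default traceroute can hit, emits the widened ipfw rule, and counts how many logged "Accept UDP" probes a given port range would have missed. It assumes the first probe uses the base port itself (the upper bound is one higher if the implementation starts at base+1); the interface name, the rule number and the sample log lines with RFC 5737 documentation addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original mail: size an ipfw UDP rule for
# traceroute and check logged probes against a candidate port range.

TR_BASE_PORT=33434   # traceroute default first destination port
TR_MAX_TTL=30        # traceroute default maximum hop count
TR_NQUERIES=3        # traceroute default probes per hop

# Last UDP destination port a default traceroute can send to, assuming
# one distinct port per probe starting at TR_BASE_PORT (assumption).
traceroute_last_port() {
    echo $(( TR_BASE_PORT + TR_MAX_TTL * TR_NQUERIES - 1 ))
}

# Emit the outbound ipfw rule covering the whole default range.
# $1 = outbound interface name (e.g. fxp0).
traceroute_rule() {
    echo "\$fwcmd add allow udp from any to any ${TR_BASE_PORT}-$(traceroute_last_port) out via $1"
}

# Read ipfw log lines on stdin and count the "Accept UDP" probes whose
# destination port lies outside the range $1-$2, i.e. the probes a rule
# limited to that range would not have matched.
count_ports_outside() {
    lo=$1; hi=$2
    awk -v lo="$lo" -v hi="$hi" '
        /Accept UDP/ {
            split($6, dst, ":")   # field 6 is "dstaddr:dstport"
            port = dst[2] + 0
            if (port < lo || port > hi) n++
        }
        END { print n + 0 }'
}

# Constructed sample log lines in the format shown in the mail; the
# addresses are RFC 5737 documentation addresses, not real hosts.
sample_log() {
    cat <<'EOF'
ipfw: 1400 Accept UDP 198.51.100.7:60479 192.0.2.10:33486 in via fxp0
ipfw: 1500 Accept ICMP:3.3 192.0.2.10 198.51.100.7 out via fxp0
ipfw: 1400 Accept UDP 198.51.100.7:60479 192.0.2.10:33487 in via fxp0
ipfw: 1500 Accept ICMP:3.3 192.0.2.10 198.51.100.7 out via fxp0
ipfw: 1400 Accept UDP 198.51.100.7:60479 192.0.2.10:33488 in via fxp0
ipfw: 1500 Accept ICMP:3.3 192.0.2.10 198.51.100.7 out via fxp0
EOF
}

# Usage: compare the 41-port rule from the thread with the full range.
echo "last traceroute port: $(traceroute_last_port)"
echo "rule: $(traceroute_rule fxp0)"
echo "probes missed by 33434-33474: $(sample_log | count_ports_outside 33434 33474)"
echo "probes missed by 33434-$(traceroute_last_port): $(sample_log | count_ports_outside 33434 "$(traceroute_last_port)")"
```

Run the script as-is to see the three sample probes (ports 33486-33488) fall outside the 33434-33474 range and inside 33434-33523; pipe a real `/var/log/security` through `count_ports_outside` to check a live ruleset the same way.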


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001127113731.A99705>