Date: Wed, 25 Apr 2001 11:54:27 +1200
From: Mark Ibell <marki@paradise.net.nz>
To: Dan Larsson <dl@tyfon.net>
Cc: FreeBSD Questions List <questions@freebsd.org>
Subject: Re: trouble getting traceroutes to work through stateful firewall
Message-ID: <3AE61233.951F8A19@paradise.net.nz>
References: <20010424122948.P15476-100000@hq1.tyfon.net>

You've got to allow icmp types 3 & 11 back in. I believe ipf's stateful
engine will do this automatically.

Dan Larsson wrote:
>
> I've switched to stateful packet filtering. Now traceroutes don't work
> through the firewall anymore.
>
> This is the firewall rule that ipfw uses
>
> 04000 allow ip from 10.0.0.0/24 to any keep-state in recv ed0
>
> This is the rule that gets created
>
> 04000 0 0 (T 0, # 129) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33435
> 04000 0 0 (T 0, # 132) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33438
> 04000 0 0 (T 0, # 134) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33436
> 04000 0 0 (T 0, # 135) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33437
>
> I can traceroute from the box itself but not from machines behind it.
>
> (This is on a FreeBSD-4.3 STABLE machine with NAT)
>
> What am I missing here?
>
> Regards
> +------
> Dan Larsson | Tel: +46 8 550 120 21
> Tyfon Svenska AB | Fax: +46 8 550 120 02
> GPG and PGP keys | finger dl@hq1.tyfon.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
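An added example, not part of the original messages and not ipfw or ipf code: a simplified Python model of why the UDP dynamic rules in the quoted listing never match the ICMP type 3 and 11 replies that traceroute depends on, comparing a static allow on those types with a check that the ICMP error quotes a tracked flow. The policy names, the hop address 192.0.2.1 and the `STRAY` packet are constructed for illustration, and NAT translation is assumed to have already been undone.

```python
import socket
import struct

# Dynamic rules copied from the quoted ipfw listing: (proto, src, sport, dst, dport).
STATE = {("udp", "10.0.0.233", 44889, "216.136.204.21", p)
         for p in (33435, 33436, 33437, 33438)}
TRACEROUTE_ICMP = {3, 11}  # destination unreachable, time exceeded

def icmp_error(icmp_type, code, src, sport, dst, dport):
    """Constructed sample: ICMP error quoting the IP header + 8 UDP bytes of a probe."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    udp_hdr = struct.pack("!HHHH", sport, dport, 8, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip_hdr + udp_hdr

def quoted_flow(icmp):
    """Return the flow quoted inside an ICMP error, or None if it is not a UDP quote."""
    if len(icmp) < 8 + 20 + 8:
        return None
    ihl = (icmp[8] & 0x0F) * 4
    if ihl < 20 or len(icmp) < 8 + ihl + 8 or icmp[8 + 9] != 17:
        return None
    src, dst = (socket.inet_ntoa(icmp[8 + o:8 + o + 4]) for o in (12, 16))
    sport, dport = struct.unpack("!HH", icmp[8 + ihl:8 + ihl + 4])
    return ("udp", src, sport, dst, dport)

def verdict(pkt, policy):
    """pkt: inbound packet as a dict. policy: 'state-only', 'types' or 'related'."""
    if pkt["proto"] == "udp":  # a reply only matches the reverse of a tracked flow
        key = ("udp", pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return "pass" if key in STATE else "deny"
    if pkt["proto"] != "icmp" or policy == "state-only":
        return "deny"  # keep-state alone: no dynamic rule covers the ICMP reply
    if not pkt["payload"] or pkt["payload"][0] not in TRACEROUTE_ICMP:
        return "deny"
    if policy == "types":  # static rule: any type 3 or 11 is let in
        return "pass"
    return "pass" if quoted_flow(pkt["payload"]) in STATE else "deny"

# Constructed inbound packets; 192.0.2.1 is a documentation address standing in for a hop.
HOP = {"proto": "icmp", "src": "192.0.2.1", "dst": "10.0.0.233",
       "payload": icmp_error(11, 0, "10.0.0.233", 44889, "216.136.204.21", 33435)}
STRAY = {"proto": "icmp", "src": "192.0.2.1", "dst": "10.0.0.233",
         "payload": icmp_error(11, 0, "10.0.0.233", 40000, "216.136.204.21", 33435)}

if __name__ == "__main__":
    for policy in ("state-only", "types", "related"):
        print(policy, verdict(HOP, policy), verdict(STRAY, policy))
```

The `types` policy corresponds to the advice in the reply; the `related` policy shows the narrower check, which rejects an ICMP error that quotes no flow in the state table.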