From owner-freebsd-questions Tue Apr 24 16:54:47 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from deborah.paradise.net.nz (deborah.paradise.net.nz [203.96.152.32]) by hub.freebsd.org (Postfix) with ESMTP id 254CA37B422 for ; Tue, 24 Apr 2001 16:54:44 -0700 (PDT) (envelope-from marki@paradise.net.nz)
Received: from paradise.net.nz (203-79-68-202.apx0.paradise.net.nz [203.79.68.202]) by deborah.paradise.net.nz (8.11.3/8.11.3) with ESMTP id f3ONsVU06347; Wed, 25 Apr 2001 11:54:31 +1200 (NZST)
Message-ID: <3AE61233.951F8A19@paradise.net.nz>
Date: Wed, 25 Apr 2001 11:54:27 +1200
From: Mark Ibell
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Dan Larsson
Cc: FreeBSD Questions List
Subject: Re: trouble getting traceroutes to work through stateful firewall
References: <20010424122948.P15476-100000@hq1.tyfon.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

You've got to allow ICMP types 3 & 11 back in. I believe ipf's stateful engine will do this automatically.

Dan Larsson wrote:
>
> I've switched to stateful packet filtering. Now traceroutes don't work
> through the firewall anymore.
>
> This is the firewall rule that ipfw uses:
>
> 04000 allow ip from 10.0.0.0/24 to any keep-state in recv ed0
>
> These are the dynamic rules that get created:
>
> 04000 0 0 (T 0, # 129) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33435
> 04000 0 0 (T 0, # 132) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33438
> 04000 0 0 (T 0, # 134) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33436
> 04000 0 0 (T 0, # 135) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33437
>
> I can traceroute from the box itself but not from machines behind it.
>
> (This is on a FreeBSD-4.3 STABLE machine with NAT)
>
> What am I missing here?
>
> Regards
> +------
> Dan Larsson | Tel: +46 8 550 120 21
> Tyfon Svenska AB | Fax: +46 8 550 120 02
> GPG and PGP keys | finger dl@hq1.tyfon.net
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
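The mechanism behind the thread above, as an added example that is not part of either message: the keep-state rule records a UDP 5-tuple for each traceroute probe, but the replies that traceroute actually waits for are ICMP time-exceeded (type 11) from each hop and ICMP port-unreachable (type 3) from the final host. Those replies carry a different protocol and come from a different source address than the probe's destination, so a plain 5-tuple lookup never matches them. The toy state table below reproduces that failure on a constructed probe and reply, then shows the two ways out: a static inbound rule for ICMP types 3 and 11 (in ipfw terms, something like `allow icmp from any to 10.0.0.0/24 in via <ext_if> icmptypes 3,11`, with the interface name assumed), or a state engine that parses the datagram quoted in the ICMP error body and looks the original flow up. The addresses 10.0.0.233, 198.51.100.1 and 203.0.113.10 are assumptions, checksums are left at zero, and NAT (which the original poster also runs) is left out of the simulation.

```python
"""Toy stateful filter: why 'udp keep-state' alone drops traceroute replies.

Added example, not code from the mailing-list thread or from ipfw/ipf.
Addresses are assumptions; IP/UDP/ICMP checksums are not computed.
"""
import struct

PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_UNREACH, ICMP_TIME_EXCEEDED = 3, 11


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (no options, checksum 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def traceroute_probe(src, dst, sport, dport, ttl):
    """UDP probe of the kind traceroute(8) sends: high port, small payload, low TTL."""
    payload = b"\x00" * 12
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_packet(src, dst, PROTO_UDP, udp, ttl)


def icmp_error(router, probe, icmp_type, code=0):
    """ICMP type 3/11 error sent back to the probe's source. Per RFC 792 the body
    quotes the offending datagram's IP header plus 8 bytes of its transport
    header, which is the only thing that ties the error to the original flow."""
    ihl = (probe[0] & 0x0F) * 4
    quoted = probe[: ihl + 8]
    victim = ip_str(probe[12:16])  # original source becomes the reply's destination
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ipv4_packet(router, victim, PROTO_ICMP, icmp)


def parse(pkt):
    """Return (proto, src, sport, dst, dport, payload); ports are 0 for non-UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, payload = pkt[9], pkt[ihl:]
    sport = dport = 0
    if proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
    return proto, ip_str(pkt[12:16]), sport, ip_str(pkt[16:20]), dport, payload


class StateTable:
    """Bidirectional 5-tuple entries, like the 'udp, A p1 <-> B p2' rows of ipfw -d show."""

    def __init__(self):
        self.flows = set()

    def keep_state(self, pkt):
        proto, src, sp, dst, dp, _ = parse(pkt)
        self.flows.add((proto, src, sp, dst, dp))
        self.flows.add((proto, dst, dp, src, sp))

    def matches(self, pkt):
        proto, src, sp, dst, dp, _ = parse(pkt)
        return (proto, src, sp, dst, dp) in self.flows


def inner_flow(pkt):
    """For ICMP 3/11, the 5-tuple of the datagram quoted in the error body."""
    proto, _, _, _, _, payload = parse(pkt)
    if proto != PROTO_ICMP or payload[0] not in (ICMP_UNREACH, ICMP_TIME_EXCEEDED):
        return None
    iproto, isrc, isp, idst, idp, _ = parse(payload[8:])  # skip 8-byte ICMP header
    return (iproto, isrc, isp, idst, idp)


def inbound_allowed(pkt, table, static_icmp_types=(), inspect_icmp=False):
    """Default-deny inbound policy on the outside interface. Allow if the packet
    matches a dynamic entry (check-state), is an ICMP type on the static allow
    list (the 'icmptypes 3,11' fix), or, with inspect_icmp, if the datagram quoted
    inside an ICMP error matches an existing entry (an ICMP-aware state engine)."""
    if table.matches(pkt):
        return True
    proto, *_, payload = parse(pkt)
    if proto == PROTO_ICMP:
        if payload[0] in static_icmp_types:
            return True
        flow = inner_flow(pkt)
        if inspect_icmp and flow is not None:
            return flow in table.flows
    return False


def demo():
    """Outbound probe creates state; hop router answers with ICMP time-exceeded."""
    table = StateTable()
    probe = traceroute_probe("10.0.0.233", "203.0.113.10", 44889, 33435, ttl=1)
    table.keep_state(probe)  # the 'allow ip ... keep-state' rule fires here
    reply = icmp_error("198.51.100.1", probe, ICMP_TIME_EXCEEDED)
    return {
        "udp_only_state": inbound_allowed(reply, table),
        "static_icmp_3_11": inbound_allowed(reply, table, static_icmp_types=(3, 11)),
        "icmp_aware_state": inbound_allowed(reply, table, inspect_icmp=True),
    }


if __name__ == "__main__":
    print(demo())
```

Running it gives udp_only_state False and the other two True, which is exactly the symptom in the thread: the dynamic UDP entries are created, but nothing relates the ICMP replies to them. The static-rule fix is what the reply recommends for ipfw; the inner-header lookup is the behaviour the reply attributes to ipf. Note that the static rule intentionally admits any ICMP 3/11 from anywhere, so a host that can read the quoted inner datagram and check it against state, as in the inspect_icmp path, is the tighter policy.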