Date: Thu, 24 May 2001 15:09:54 -0700
From: steve@Watt.COM (Steve Watt)
To: questions@freebsd.org
Subject: Re: trouble getting traceroutes to work through stateful firewall
Message-ID: <200105242209.f4OM9sE39742@wattres.Watt.COM>
In-Reply-To: <20010424122948.P15476-100000@hq1.tyfon.net>
In <20010424122948.P15476-100000@hq1.tyfon.net>, dl@tyfon.net wrote:
>I've switched to stateful packet filtering. Now traceroutes don't work
>through the firewall anymore.

I'll bet you changed something else, too...

>This is the firewall rule that ipfw uses
>
>04000 allow ip from 10.0.0.0/24 to any keep-state in recv ed0
>
>This is the rule that gets created
>
>04000 0 0 (T 0, # 129) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33435
>04000 0 0 (T 0, # 132) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33438
>04000 0 0 (T 0, # 134) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33436
>04000 0 0 (T 0, # 135) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33437
>
>I can traceroute from the box itself but not from machines behind it.
>What am I missing here?

The replies to the packets that traceroute sends out will not be UDP
packets, but rather will be ICMP Time Exceeded messages. You need to make
sure you let those back in to the systems you want to traceroute from.

Did you change the rule set to deny all ICMP? (I made that mistake once,
too!)

-- 
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                      Whois: SW32
Free time?  There's no such thing.  It just comes in varying prices...
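To make the point of the reply concrete, here is an added toy model of ipfw's keep-state matching (example code written for this page, not part of the thread or of ipfw). It uses the addresses and ports quoted above, plus a constructed hop router at 192.0.2.1, and shows that the UDP dynamic rule never matches the ICMP Time Exceeded reply, while an explicit allow for ICMP types 11 (time exceeded) and 3 (unreachable, the final hop's answer) lets traceroute complete.

```python
# Added example: minimal model of a keep-state firewall, to show why the
# thread's rule 04000 passes the UDP probe but drops the ICMP reply.
import ipaddress
from dataclasses import dataclass

ICMP_UNREACHABLE = 3      # port unreachable: how the destination answers the last probe
ICMP_TIME_EXCEEDED = 11   # TTL expired: how every intermediate router answers

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    iface_in: str = ""    # interface the packet was received on

class StatefulFilter:
    """One keep-state rule for the LAN, an optional static ICMP rule, default deny."""
    def __init__(self, lan_cidr: str, allow_icmp_types: tuple = ()):
        self.lan = ipaddress.ip_network(lan_cidr)
        self.allow_icmp_types = allow_icmp_types
        self.dynamic = set()   # (proto, src, sport, dst, dport), matched in both directions

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.dynamic or rev in self.dynamic:
            return "allow (dynamic)"
        # 04000 allow ip from 10.0.0.0/24 to any keep-state in recv ed0
        if pkt.iface_in == "ed0" and ipaddress.ip_address(pkt.src) in self.lan:
            self.dynamic.add(fwd)          # state is keyed on this UDP 5-tuple only
            return "allow (keep-state)"
        # The fix the reply hints at: a static rule for traceroute's ICMP replies
        if pkt.proto == "icmp" and pkt.icmp_type in self.allow_icmp_types:
            return "allow (icmp)"
        return "deny"

def traceroute_hop(fw: StatefulFilter) -> tuple:
    """Send one probe as in the thread, then the router's Time Exceeded reply."""
    probe = Packet("udp", "10.0.0.233", "216.136.204.21", 44889, 33435, iface_in="ed0")
    # Constructed: an intermediate router (192.0.2.1) answers from outside, on ed1
    reply = Packet("icmp", "192.0.2.1", "10.0.0.233",
                   icmp_type=ICMP_TIME_EXCEEDED, iface_in="ed1")
    return fw.filter(probe), fw.filter(reply)

if __name__ == "__main__":
    print(traceroute_hop(StatefulFilter("10.0.0.0/24")))                                   # reply denied
    print(traceroute_hop(StatefulFilter("10.0.0.0/24", (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED))))
```

The ICMP error carries a different protocol and no ports, so it can never match state created by the UDP probe; only a rule that admits those ICMP types makes the hops appear.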