From owner-freebsd-questions Thu May 24 15: 9:57 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from wattres.Watt.COM (wattres.watt.com [205.178.120.6]) by hub.freebsd.org (Postfix) with ESMTP id DD08537B423 for ; Thu, 24 May 2001 15:09:54 -0700 (PDT) (envelope-from steve@Watt.COM)
Received: (from steve@localhost) by wattres.Watt.COM (8.11.3/8.11.3) id f4OM9sE39742 for questions@freebsd.org; Thu, 24 May 2001 15:09:54 -0700 (PDT) (envelope-from steve)
Message-Id: <200105242209.f4OM9sE39742@wattres.Watt.COM>
In-Reply-To: <20010424122948.P15476-100000@hq1.tyfon.net>
Organization: Watt Consultants, San Jose, CA, USA
From: steve@Watt.COM (Steve Watt)
Date: Thu, 24 May 2001 15:09:54 -0700
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: questions@freebsd.org
Subject: Re: trouble getting traceroutes to work through stateful firewall
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In <20010424122948.P15476-100000@hq1.tyfon.net>, dl@tyfon.net wrote:
>I've switched to stateful packet filtering. Now traceroutes don't work
>through the firewall anymore.

I'll bet you changed something else, too...

>This is the firewall rule that ipfw uses
>
>04000 allow ip from 10.0.0.0/24 to any keep-state in recv ed0
>
>This is the rule that gets created
>
>04000 0 0 (T 0, # 129) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33435
>04000 0 0 (T 0, # 132) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33438
>04000 0 0 (T 0, # 134) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33436
>04000 0 0 (T 0, # 135) ty 0 udp, 10.0.0.233 44889 <-> 216.136.204.21 33437
>
>I can traceroute from the box itself but not from machines behind it.
>What am I missing here?

The replies to the packets that traceroute sends out will not be UDP packets,
but rather will be ICMP Time Exceeded messages.
You need to make sure you let those back in to the systems you want to
traceroute from. Did you change the rule set to deny all ICMP? (I made that
mistake once, too!)

--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
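As an added illustration that is not part of the thread: a small Python model of the quoted ipfw policy, showing why a UDP keep-state entry never matches the ICMP Time Exceeded (type 11) or Port Unreachable (type 3) replies traceroute depends on, while an ordinary UDP reply does match, and what an explicit ICMP rule changes. The hop router 192.0.2.1 and the 3-hop path are constructed, and the matching logic is a simplification of ipfw's real dynamic-rule code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str            # "ed0" = inside interface, "ext" = Internet side
    proto: str            # "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # UDP only
    dport: int = 0        # UDP only
    icmp_type: int = -1   # ICMP only: 11 = Time Exceeded, 3 = Unreachable

class Firewall:
    """Toy model of the quoted ipfw ruleset; not ipfw's real implementation."""
    def __init__(self, allow_icmp_types=()):
        self.allow_icmp_types = set(allow_icmp_types)
        # dynamic entries keyed like "udp, 10.0.0.233 44889 <-> 216.136.204.21 33435"
        self.dynamic = set()

    def check(self, p):
        # check-state: an entry matches only the exact reverse tuple, protocol
        # included, so an ICMP error from a router never matches a UDP entry
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.dynamic:
            return "allow"
        # 04000 allow ip from 10.0.0.0/24 to any keep-state in recv ed0
        if p.iface == "ed0" and p.src.startswith("10.0.0."):
            self.dynamic.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        # the fix: a stateless rule admitting the ICMP error types traceroute needs
        if p.proto == "icmp" and p.icmp_type in self.allow_icmp_types:
            return "allow"
        return "deny"   # default deny

LAN_HOST, TARGET = "10.0.0.233", "216.136.204.21"   # from the quoted output
HOP_ROUTER = "192.0.2.1"                              # constructed intermediate hop

def traceroute_probe(fw, ttl):
    """Send one traceroute probe and return the verdict on the ICMP reply to it."""
    probe = Packet("ed0", "udp", LAN_HOST, TARGET, 44889, 33434 + ttl)
    assert fw.check(probe) == "allow"          # the probe itself leaves fine
    # routers answer from their own address with Time Exceeded; the final host
    # answers with Port Unreachable; neither is UDP (constructed 3-hop path)
    src = TARGET if ttl >= 3 else HOP_ROUTER
    icmp_type = 3 if ttl >= 3 else 11
    reply = Packet("ext", "icmp", src, LAN_HOST, icmp_type=icmp_type)
    return fw.check(reply)

def udp_reply(fw):
    """A plain UDP exchange does match its dynamic entry (why DNS keeps working)."""
    fw.check(Packet("ed0", "udp", LAN_HOST, TARGET, 5353, 53))
    return fw.check(Packet("ext", "udp", TARGET, LAN_HOST, 53, 5353))
```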