From: Martin McCormick <martin@x.it.okstate.edu>
cc: freebsd-questions@freebsd.org
Subject: Revisiting Traceroute Through ipfw FreeBSD9.x
Date: Thu, 07 Mar 2013 14:37:32 -0600

I immediately found several plausible examples of what to put in the firewall rules file, and the following rules were set just after the local loopback address:

    ip="139.78.2.13"
    setup_loopback

    # Allow traceroute to function, but not to get in.
    ${fwcmd} add unreach port udp from any to ${ip} 33435-33524

    # Allow some inbound icmps - echo reply, dest unreach, source quench,
    # echo, ttl exceeded.
    ${fwcmd} add allow icmp from any to any icmptypes 0,3,4,8,11

My thanks to previous posters for these rules. I still, however, only get

    traceroute: sendto: Permission denied
    traceroute: wrote 192.168.1.125 52 chars, ret=-1

I also did try:

    sysctl net.inet.udp.blackhole=0

then 1 and even 2, with no change.

What else should I look at? The firewall rules are otherwise working as they should.

Thank you.

Martin McCormick
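The following is an added example, not code from Martin's post and not FreeBSD's own rc.firewall. Both rules quoted in the post match only packets addressed to ${ip}, so they govern other people's traceroutes arriving at this host; the host's own outgoing UDP probes are not covered by either. If the ruleset ends in a default deny (an assumption about the poster's configuration), ipfw refuses the outgoing send and the traceroute binary reports exactly "sendto: Permission denied". net.inet.udp.blackhole only decides whether the kernel answers unsolicited inbound UDP with an ICMP port-unreachable, so it cannot change the fate of an outbound packet. The fragment below keeps the post's two rules, adds the missing outbound allow, and can be previewed with the command replaced by echo before it touches a live firewall. The port range 33435-33524 is the one from the post; it covers the FreeBSD traceroute defaults of base port 33434 with 30 hops and 3 probes per hop.

```shell
#!/bin/sh
# Added example (not from the original post): rc.firewall-style fragment that
# lets this host's own traceroute probes leave while still answering inbound
# traceroutes with ICMP port-unreachable instead of letting them in.
#
# Usage:  sh traceroute-rules.sh preview   (prints the ipfw commands)
#         sh traceroute-rules.sh apply     (runs them with $fwcmd, default /sbin/ipfw)

fwcmd="${FWCMD:-/sbin/ipfw}"   # ipfw binary; set FWCMD=echo for a dry run
ip="${IP:-139.78.2.13}"        # host address, taken from the post
tr_ports="33435-33524"         # UDP probe range from the post (30 hops x 3 probes, base 33434)

traceroute_rules() {
    # 1. Outbound probes: traceroute on this host sends UDP from ${ip} to the
    #    destination's high ports with an increasing TTL. Without an explicit
    #    allow, a default-deny ruleset rejects the send and traceroute prints
    #    "sendto: Permission denied".
    "$fwcmd" add allow udp from "$ip" to any "$tr_ports" out

    # 2. Inbound probes aimed at this host (the post's rule): reply with
    #    ICMP port-unreachable so remote traceroutes terminate cleanly, but
    #    never deliver the packet to a local socket.
    "$fwcmd" add unreach port udp from any to "$ip" "$tr_ports" in

    # 3. ICMP the host needs to see for its own traceroute/ping to work (the
    #    post's rule): 0 echo reply, 3 dest unreachable, 4 source quench,
    #    8 echo request, 11 time exceeded. Type 11 is how each intermediate
    #    hop reports itself; type 3 is how the final destination does.
    "$fwcmd" add allow icmp from any to any icmptypes 0,3,4,8,11
}

# Count the rules a ruleset function would emit; used to sanity-check a dry run.
rule_count() {
    fwcmd=echo
    n=0
    traceroute_rules | while read -r _line; do
        n=$((n + 1))
        echo "$n"
    done | tail -n 1
}

case "${1:-}" in
    preview) fwcmd=echo; traceroute_rules ;;
    apply)   traceroute_rules ;;
esac
```

After applying on a real system, `ipfw -a list` shows the per-rule packet and byte counters; a traceroute run should increment the outbound UDP rule (rule 1 above) and the ICMP rule, while the counter on any trailing deny rule stays flat. If it does not, setting `net.inet.ip.fw.verbose=1` and adding `log` to the deny rule makes ipfw record each rejected packet, which shows directly which rule is swallowing the probes.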