Date: Sun, 26 Nov 2000 13:43:03 -0800
From: Doug Barton <DougB@FreeBSD.org>
To: cjclark@alum.mit.edu
Cc: Nuno Teixeira <nuno.teixeira@pt-quorum.com>, freebsd-security@FreeBSD.org
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <3A2183E7.6039C582@FreeBSD.org>
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com>
"Crist J. Clark" wrote:
>
> On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > Hi,
> >
> > I think not. Can you tell me how to add this rule to my ruleset?
>
> The two rules needed to get UNIX-style traceroutes to work are,
>
> ${fwcmd} add allow udp from any to any 33434-33474 out via ${oif}

When I do a traceroute from a freebsd machine outside my firewall to
the firewall machine, I see this:

ipfw: 1200 Deny UDP <outside machine>:38575 <firewall>:33468 in via ep0
ipfw: 1200 Deny UDP <outside machine>:38597 <firewall>:33477 in via ep0
ipfw: 1200 Deny UDP <outside machine>:38597 <firewall>:33478 in via ep0
ipfw: 1200 Deny UDP <outside machine>:38597 <firewall>:33479 in via ep0

Which supports what I've been told that unix traceroute uses udp
packets. It sounds like in order to allow traceroutes through the
firewall you have to open up a pretty big hole for udp...

Doug

--
So what I want to know is, where does the RED brick road go?

Do YOU Yahoo!?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
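The ipfw log lines above are worth reading against the quoted rule line by line: the denied packets are inbound ("in via ep0") while the rule only allows UDP "out via ${oif}", and three of the four destination ports (33477-33479) sit above the rule's 33434-33474 range. The script below is an added example (not code from the thread or from FreeBSD) that parses ipfw "Deny" lines of the shape quoted here, flags the ones that look like UDP traceroute probes, and reports for each why a given allow rule would not have matched it. The sample log is constructed to mirror Doug's output with RFC 5737 documentation addresses in place of the masked hosts, and the probe port ceiling assumes the classic traceroute defaults (base port 33434, one port per probe, 30 hops times 3 probes).

```python
"""Classify ipfw 'Deny' log lines as UDP traceroute probes and check them
against a modelled ipfw allow rule.  Added example, not from the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log modelled on the lines quoted in the thread.  The
# thread masks the hosts as <outside machine> / <firewall>; documentation
# addresses (RFC 5737) are substituted.  The last two lines are added noise
# so the probe filter has something to reject.
SAMPLE_LOG = """\
ipfw: 1200 Deny UDP 192.0.2.10:38575 198.51.100.1:33468 in via ep0
ipfw: 1200 Deny UDP 192.0.2.10:38597 198.51.100.1:33477 in via ep0
ipfw: 1200 Deny UDP 192.0.2.10:38597 198.51.100.1:33478 in via ep0
ipfw: 1200 Deny UDP 192.0.2.10:38597 198.51.100.1:33479 in via ep0
ipfw: 1200 Deny UDP 192.0.2.10:1027 198.51.100.1:53 in via ep0
ipfw: 1300 Accept TCP 192.0.2.10:40001 198.51.100.1:22 in via ep0
"""

# Matches the "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <dir> via <if>"
# shape seen in the thread (IPv4 only; other ipfw log variants are not handled).
LINE_RE = re.compile(
    r"^ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) (?P<dst>[^:\s]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)$"
)

# Assumed classic BSD traceroute defaults: base port 33434, one destination
# port per probe, 30 hops x 3 probes, so the highest default port is 33523.
TRACEROUTE_BASE = 33434
TRACEROUTE_MAX = TRACEROUTE_BASE + 30 * 3 - 1


@dataclass
class IpfwEvent:
    rule: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str
    iface: str


@dataclass
class AllowRule:
    """Minimal model of 'allow <proto> from any to any <lo>-<hi> <dir> via <if>'."""
    proto: str
    ports: Tuple[int, int]
    direction: str


def parse_ipfw_line(line: str) -> Optional[IpfwEvent]:
    """Parse one ipfw log line; return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return IpfwEvent(int(d["rule"]), d["action"], d["proto"], d["src"],
                     int(d["sport"]), d["dst"], int(d["dport"]),
                     d["direction"], d["iface"])


def parse_log(text: str) -> List[IpfwEvent]:
    return [ev for ev in (parse_ipfw_line(ln) for ln in text.splitlines()) if ev]


def is_traceroute_probe(ev: IpfwEvent) -> bool:
    """UDP to the default traceroute port window looks like a traceroute probe."""
    return ev.proto == "UDP" and TRACEROUTE_BASE <= ev.dport <= TRACEROUTE_MAX


def why_not_matched(ev: IpfwEvent, rule: AllowRule) -> List[str]:
    """Reasons the event would NOT be matched by `rule`; empty list if it would."""
    reasons = []
    if ev.proto != rule.proto:
        reasons.append(f"proto {ev.proto} != {rule.proto}")
    lo, hi = rule.ports
    if not lo <= ev.dport <= hi:
        reasons.append(f"dport {ev.dport} outside {lo}-{hi}")
    if ev.direction != rule.direction:
        reasons.append(f"direction {ev.direction} != {rule.direction}")
    return reasons


def audit_denied_probes(text: str, rule: AllowRule):
    """For every denied traceroute probe in the log, list why `rule` missed it."""
    return [(ev.dport, why_not_matched(ev, rule))
            for ev in parse_log(text)
            if ev.action == "Deny" and is_traceroute_probe(ev)]


if __name__ == "__main__":
    # The rule quoted in the thread: UDP 33434-33474, outbound only.
    quoted_rule = AllowRule("UDP", (33434, 33474), "out")
    for dport, reasons in audit_denied_probes(SAMPLE_LOG, quoted_rule):
        print(dport, "; ".join(reasons) or "would have matched")
```

Run against the sample, every denied probe is reported with "direction in != out", and the three probes above 33474 additionally get a port-range reason, which is exactly the gap the thread is circling: the quoted rule covers outbound traceroutes from behind the firewall, not probes aimed at the firewall itself, and its port window is narrower than a full-length default traceroute uses.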