From owner-freebsd-questions Tue Jan 9 0:16:31 2001
Date: Tue, 9 Jan 2001 00:16:13 -0800
From: "Crist J. Clark"
To: blaz
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: traceroute
Message-ID: <20010109001612.O95729@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <3A5AA9B0.1A5EB35C@satx.rr.com>
In-Reply-To: <3A5AA9B0.1A5EB35C@satx.rr.com>; from blaz@satx.rr.com on Tue, Jan 09, 2001 at 12:03:28AM -0600

On Tue, Jan 09, 2001 at 12:03:28AM -0600, blaz wrote:
> Greetings,
>
> My ipfw rules on traceroute are as follows:
>
> # TRACEROUTE - Allow outgoing
> ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
>
> My firewall is able to use traceroute, but my internal LAN is not. My
> interfaces are as follows:
>
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet="24.160.144/23"
> omask="255.255.255.255"
> oip="24.160.144.62"
>
> # set these to your inside interface network and netmask and ip
> iif="xl1"
> inet="192.168.2.0/24"
> imask="255.255.255.0"
> iip="192.168.2.1"
>
> Any help would be greatly appreciated.
You are letting the UDP packets out, but you need to let the ICMP time
exceeded and port unreachable messages back in,

  ${fwcmd} add pass icmp from any to ${oip} icmptypes 3,11 in via ${oif}

Another rule may be needed to pass them back out the internal interface,

  ${fwcmd} add pass icmp from any to any icmptypes 3,11 out via ${iif}

depending on how tight or loose your rules on ${iif} already are.
-- 
Crist J. Clark                                cjclark@alum.mit.edu
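To make the reasoning in the reply concrete, here is an added example (not code from the thread and not FreeBSD's ipfw) that models ipfw's first-match evaluation on the four packets one traceroute hop produces at the firewall: the UDP probe leaving xl0, the ICMP type 11 (time exceeded) or type 3 (port unreachable) reply arriving on xl0, and, for a LAN host, that reply leaving again on xl1. It uses the interface names and outside address from the post; the LAN host 192.168.2.10, the upstream hop 24.160.144.1 and the target 198.51.100.7 are constructed for the example, and the model deliberately ignores rule numbers, divert rules and every ipfw field the two rule sets do not use.

```python
"""Model of ipfw first-match evaluation for the traceroute flows discussed above.

Added example, not FreeBSD's ipfw and not code from the original thread.
Interfaces and the outside address come from the post; the LAN host, hop and
target addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

OIF, IIF = "xl0", "xl1"          # outside / inside interfaces from the post
OIP = "24.160.144.62"            # firewall's outside address from the post
LAN_HOST = "192.168.2.10"        # constructed: a host behind xl1
HOP = "24.160.144.1"             # constructed: first upstream router
TARGET = "198.51.100.7"          # constructed: traceroute destination


@dataclass
class Packet:
    proto: str          # "udp" or "icmp"
    src: str
    dst: str
    direction: str      # "in" or "out"
    iface: str
    dport: int = 0      # UDP destination port (0 when not UDP)
    icmptype: int = -1  # ICMP type (-1 when not ICMP)


def _addr(pattern: str, addr: str) -> bool:
    """'any', a single host, or a CIDR network, as in an ipfw rule."""
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


@dataclass
class Rule:
    action: str                          # "pass" or "deny"
    proto: str = "any"                   # "udp", "icmp" or "any"
    src: str = "any"
    dst: str = "any"
    dports: tuple = ()                   # inclusive (low, high), () for any port
    icmptypes: frozenset = frozenset()   # empty means any ICMP type
    direction: str = "any"               # "in", "out" or "any"
    iface: str = "any"                   # interface for "via", or "any"

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if not (_addr(self.src, p.src) and _addr(self.dst, p.dst)):
            return False
        if self.dports and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.icmptypes and p.icmptype not in self.icmptypes:
            return False
        if self.direction != "any" and self.direction != p.direction:
            return False
        return self.iface == "any" or self.iface == p.iface


def verdict(rules, p: Packet) -> str:
    """First matching rule wins; nothing matching falls to ipfw's default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# The one traceroute rule the questioner posted.
ASKED = [Rule("pass", "udp", dports=(33434, 33523), direction="out", iface=OIF)]

# The same, plus the two ICMP rules from the reply.
ANSWERED = ASKED + [
    Rule("pass", "icmp", dst=OIP, icmptypes=frozenset({3, 11}), direction="in", iface=OIF),
    Rule("pass", "icmp", icmptypes=frozenset({3, 11}), direction="out", iface=IIF),
]


def traceroute_flows(from_lan: bool):
    """Packets one traceroute hop generates at the firewall, in order.
    The probe leaves xl0 with OIP as its source (NAT already applied for a
    LAN host), so routers and the target answer to OIP."""
    flows = [
        ("probe out xl0", Packet("udp", OIP, TARGET, "out", OIF, dport=33434)),
        ("ttl-exceeded in xl0", Packet("icmp", HOP, OIP, "in", OIF, icmptype=11)),
        ("port-unreach in xl0", Packet("icmp", TARGET, OIP, "in", OIF, icmptype=3)),
    ]
    if from_lan:  # the reply must also be forwarded to the LAN host
        flows += [
            ("ttl-exceeded out xl1", Packet("icmp", HOP, LAN_HOST, "out", IIF, icmptype=11)),
            ("port-unreach out xl1", Packet("icmp", TARGET, LAN_HOST, "out", IIF, icmptype=3)),
        ]
    return flows


def check(rules, from_lan: bool) -> dict:
    """Verdict for each packet of a traceroute hop under the given rules."""
    return {name: verdict(rules, p) for name, p in traceroute_flows(from_lan)}


def probe_allowed(rules, dport: int) -> bool:
    """Does an outgoing probe to this UDP port pass?  33434-33523 is exactly
    traceroute's default 30 hops x 3 probes; a longer run (-m 40) falls outside it."""
    return verdict(rules, Packet("udp", OIP, TARGET, "out", OIF, dport=dport)) == "pass"


if __name__ == "__main__":
    for label, rules in (("asked", ASKED), ("answered", ANSWERED)):
        for lan in (False, True):
            print(label, "LAN host" if lan else "firewall", check(rules, lan))
```

Two caveats the model makes visible. First, the port range in the posted rule is exactly traceroute's default 30 hops times 3 probes, so a traceroute run with more hops is silently blocked at the firewall. Second, if the LAN is masqueraded with natd through a divert rule that sits ahead of these rules (as in the stock rc.firewall "simple" set; the post does not show this part of the configuration), the inbound ICMP has already been rewritten to the LAN host's address by the time it reaches the `to ${oip}` rule, and that rule then needs `to any` (or the inside network) to match. Unrelated to traceroute, the posted omask="255.255.255.255" is not the mask of the /23 given in onet; that would be 255.255.254.0.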