Date: Mon, 27 Nov 2000 11:37:31 -0500
From: "John W. De Boskey" <jwd@bsdwins.com>
To: cjclark@alum.mit.edu
Cc: Nuno Teixeira <nuno.teixeira@pt-quorum.com>, freebsd-security@FreeBSD.ORG
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <20001127113731.A99705@bsdwins.com>
In-Reply-To: <20001126113720.A70192@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Sun, Nov 26, 2000 at 11:37:21AM -0800
References: <001701c057c4$1e1ac010$0200a8c0@n2> <20001126110756.C34151@149.211.6.64.reflexcom.com> <000b01c057dd$f9423ab0$0200a8c0@n2> <20001126113720.A70192@149.211.6.64.reflexcom.com>
----- Crist J. Clark's Original Message -----

> On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > Hi,
> >
> > I think not. Can you tell me how to add this rule to my ruleset?
>
> The two rules needed to get UNIX-style traceroutes to work are,
>
> $fwcmd add allow udp from any to any 33434-33474 out via ${oif}

I've had to up the tail value of the udp port range to allow traceroute
to work correctly in some instances. For instance, if I ping my home
machine from freefall and I have full logging turned on, I get the
following:

ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33486 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33487 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33488 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0

Note the udp port number in the last request is 88. The range in the
example is only 40 port numbers, but traceroute defaults to 30 hops,
3 probes max per hop. At least, that's how I read the source.

-john

> $fwcmd add allow icmp from any to any icmptype 3,11 in via ${oif}
>
> But you already have a more promiscuous rule for ICMP so that is not
> needed. 'oif' is your external interface on a gateway machine.
> --
> Crist J. Clark cjclark@alum.mit.edu
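The port arithmetic John describes, as an added example that is not part of this thread or of FreeBSD: it parses the ipfw log lines quoted above (copied here as constructed sample input), computes the port range a default traceroute of 30 hops with 3 probes per hop can reach, and reports which logged probe ports the 33434-33474 rule would leave uncovered. The function and variable names are my own.

```python
import re

# First UDP port that traceroute probes (start of the range in Crist's rule).
TRACEROUTE_BASE_PORT = 33434

# Constructed sample input: the ipfw log lines quoted in the message.
# "${myip}" is the poster's placeholder for his own address.
LOG = """\
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33486 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33487 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
ipfw: 1400 Accept UDP 216.136.204.21:60479 ${myip}:33488 in via fxp0
ipfw: 1500 Accept ICMP:3.3 ${myip} 216.136.204.21 out via fxp0
"""

# Matches the UDP lines only; group 1 is the destination port of the probe.
UDP_LINE = re.compile(r"^ipfw: \d+ \w+ UDP \S+:\d+ \S+:(\d+) (?:in|out) via \S+$", re.M)


def udp_dst_ports(log):
    """Destination ports of every UDP probe logged by ipfw, in log order."""
    return [int(m.group(1)) for m in UDP_LINE.finditer(log)]


def needed_range(max_hops=30, nprobes=3, base=TRACEROUTE_BASE_PORT):
    """Port range a full traceroute can use: one port per probe, counting up from base."""
    return base, base + max_hops * nprobes - 1


def uncovered_ports(ports, lo, hi):
    """Logged probe ports that a rule allowing only lo-hi would not match."""
    return [p for p in ports if not lo <= p <= hi]


def ipfw_rule(lo, hi, oif, direction="out"):
    """Render the allow rule from the thread with the wider port range."""
    return f"add allow udp from any to any {lo}-{hi} {direction} via {oif}"


if __name__ == "__main__":
    ports = udp_dst_ports(LOG)
    lo, hi = needed_range()
    print("logged probe ports:", ports)
    print("outside 33434-33474:", uncovered_ports(ports, 33434, 33474))
    print("rule for a default traceroute:", ipfw_rule(lo, hi, "${oif}"))
```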