Date: Tue, 9 Jan 2001 00:16:13 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: blaz <blaz@satx.rr.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: traceroute
Message-ID: <20010109001612.O95729@rfx-64-6-211-149.users.reflexco>
In-Reply-To: <3A5AA9B0.1A5EB35C@satx.rr.com>; from blaz@satx.rr.com on Tue, Jan 09, 2001 at 12:03:28AM -0600
References: <3A5AA9B0.1A5EB35C@satx.rr.com>
On Tue, Jan 09, 2001 at 12:03:28AM -0600, blaz wrote:
> greetings,
>
> my ipfw rules on traceroute are as follows:
>
> # TRACEROUTE - Allow outgoing
> ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}
>
> my firewall is able to use traceroute, but my internal LAN is not. My
> interfaces are as follows:
>
> # set these to your outside interface network and netmask and ip
> oif="xl0"
> onet="24.160.144/23"
> omask="255.255.255.255"
> oip="24.160.144.62"
>
> # set these to your inside interface network and netmask and ip
> iif="xl1"
> inet="192.168.2.0/24"
> imask="255.255.255.0"
> iip="192.168.2.1"
>
> any help would be greatly appreciated.

You are letting the UDP packets out, but you need to let the ICMP time
exceeded and port unreachable messages back in,

  ${fwcmd} add pass icmp from any to ${oip} icmptypes 3,11 in via ${oif}

Another rule may be needed to pass them back out the internal interface,

  ${fwcmd} add pass icmp from any to any icmptypes 3,11 out via ${iif}

Depending on how tight or loose your rules on ${iif} are already.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
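The following is an added illustration, not part of the thread above: a small Python model of ipfw's first-match evaluation, used to walk one traceroute probe through the firewall packet by packet and report which packet the ruleset drops. It uses the interface names, the outside address and the inside network quoted in the thread, plus the three rules the thread shows (the poster's UDP rule and the two ICMP rules in the reply). The LAN client, the upstream router and the traceroute target addresses are constructed, the "LAN may send anything in via xl1" rule is an assumption standing in for the poster's unquoted inside rules, and the natd address rewrite between the inside and outside legs is hand-written rather than modelled. It is default-deny, as the stock rc.firewall rulesets are.

```python
"""Model of ipfw first-match evaluation for one traceroute probe (added example, not thread code)."""
import ipaddress

OIF, IIF = "xl0", "xl1"         # interfaces named in the thread
OIP = "24.160.144.62"           # firewall's outside address, from the thread
LAN_NET = "192.168.2.0/24"      # inside network, from the thread
LAN_HOST = "192.168.2.10"       # constructed: a client on the LAN
HOP_ROUTER = "198.51.100.1"     # constructed: upstream router answering with ICMP type 11
TARGET = "203.0.113.9"          # constructed: traceroute destination


def rule(action, proto, src, dst, direction, iface, dports=None, icmptypes=None):
    """An ipfw-style rule: proto, src, dst, in/out, interface, optional UDP port range or ICMP types."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "direction": direction,
            "iface": iface, "dports": dports, "icmptypes": icmptypes}


def _addr_match(pattern, addr):
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def matches(r, pkt):
    """True when every field of the rule agrees with the packet ('ip' matches any protocol)."""
    if r["proto"] not in ("ip", pkt["proto"]):
        return False
    if not (_addr_match(r["src"], pkt["src"]) and _addr_match(r["dst"], pkt["dst"])):
        return False
    if r["direction"] != pkt["direction"] or r["iface"] != pkt["iface"]:
        return False
    if r["dports"] and not (r["dports"][0] <= pkt.get("dport", -1) <= r["dports"][1]):
        return False
    if r["icmptypes"] and pkt.get("icmptype") not in r["icmptypes"]:
        return False
    return True


def verdict(rules, pkt):
    """First matching rule wins; no match falls through to the default deny."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"


def traceroute_flow(origin):
    """The packets the firewall sees for one probe: UDP out, ICMP time-exceeded back.
    A LAN origin transits both interfaces; natd rewrites the address on the outside leg."""
    udp = {"proto": "udp", "dport": 33435}
    icmp = {"proto": "icmp", "icmptype": 11}
    if origin == OIP:   # firewall itself runs traceroute
        return [("udp-out-xl0", dict(udp, src=OIP, dst=TARGET, direction="out", iface=OIF)),
                ("icmp-in-xl0", dict(icmp, src=HOP_ROUTER, dst=OIP, direction="in", iface=OIF))]
    return [("udp-in-xl1", dict(udp, src=origin, dst=TARGET, direction="in", iface=IIF)),
            ("udp-out-xl0", dict(udp, src=OIP, dst=TARGET, direction="out", iface=OIF)),     # after natd
            ("icmp-in-xl0", dict(icmp, src=HOP_ROUTER, dst=OIP, direction="in", iface=OIF)),  # reply to OIP
            ("icmp-out-xl1", dict(icmp, src=HOP_ROUTER, dst=origin, direction="out", iface=IIF))]  # natd undone


def first_drop(rules, origin):
    """Stage label of the first packet the ruleset denies, or None if the whole probe passes."""
    for stage, pkt in traceroute_flow(origin):
        if verdict(rules, pkt) != "pass":
            return stage
    return None


POSTER_RULES = [
    rule("pass", "ip", LAN_NET, "any", "in", IIF),                          # assumed inside rule
    rule("pass", "udp", "any", "any", "out", OIF, dports=(33434, 33523)),   # the poster's rule
]
FIXED_RULES = POSTER_RULES + [
    rule("pass", "icmp", "any", OIP, "in", OIF, icmptypes=(3, 11)),    # reply's first rule
    rule("pass", "icmp", "any", "any", "out", IIF, icmptypes=(3, 11)),  # reply's second rule
]

if __name__ == "__main__":
    for name, rules in (("poster", POSTER_RULES), ("fixed", FIXED_RULES)):
        for origin in (OIP, LAN_HOST):
            print(f"{name:6} origin={origin:15} first drop: {first_drop(rules, origin)}")
```

Running it shows that, with only the quoted UDP rule, the probe leaves but the ICMP reply is denied on its way in via xl0, and that adding only the first ICMP rule moves the drop for a LAN client to the out-via-xl1 leg, which is exactly the case the reply's second rule covers. The poster's full ruleset is not quoted, so the model's "before" set is narrower than what was actually running; the point it illustrates is that a LAN traceroute needs all four legs passed, not just the outbound UDP.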