From owner-freebsd-questions Mon Nov  6 15:33:05 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.monochrome.org (monochrome.org [206.64.112.124]) by hub.freebsd.org (Postfix) with ESMTP id 1B76437B4C5 for ; Mon, 6 Nov 2000 15:33:01 -0800 (PST)
Received: from localhost (faro [192.168.1.7]) by mail.monochrome.org (8.9.3/8.9.3) with SMTP id SAA61502; Mon, 6 Nov 2000 18:31:23 -0500 (EST) (envelope-from chris@monochrome.org)
Date: Mon, 6 Nov 2000 18:31:23 -0500 (EST)
From: Chris Hill
X-Sender: chris@localhost
To: Thomas Seck
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: [4.1.1-stable] Problem with traceroute and ipfw
In-Reply-To: <200011061117.MAA31514@mailgate3.cinetic.de>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 6 Nov 2000, Thomas Seck wrote:

> I set up a slightly modified ipfw ruleset with a default deny, based on
> the "simple" ruleset from rc.firewall and opened udp port 33434 (the
> default source port for traceroute I thought). [...] Each invocation
> incremented the port no. by one.

33434 is the default *base* port number. But as far as I understand the
man page for traceroute (it's not entirely clear), the port number is
incremented for each new hop that traceroute attempts. The following
snippet of `man traceroute` seems to imply this behavior:

    Traceroute hopes that nothing is listening on UDP ports base to
    base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE
    message will be returned to terminate the route tracing).

Since the default maximum nhops (number of hops) is 30, try opening up
UDP ports 33434 through 33464 and see if that doesn't fix it.

When I was troubleshooting firewall rules recently, I found a useful
technique: do an 'ipfw zero', then the command that is giving you
trouble, then `ipfw -t show`. This will show you which rules are
blocking the packets you want to pass.

> Even when I invoked traceroute with -P UPD and -p 33434 the source port
> was >35000.

??? Sorry, this part of the question has me baffled. I assume you
actually typed UDP, not UPD :^)

HTH...

--
Chris Hill               chris@monochrome.org
[1] Bus error            netscape

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message