Date:      Mon, 6 Nov 2000 18:31:23 -0500 (EST)
From:      Chris Hill <chris@monochrome.org>
To:        Thomas Seck <tmseck@web.de>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: [4.1.1-stable] Problem with traceroute and ipfw
Message-ID:  <Pine.BSF.3.96.1001106181930.44578A-100000@localhost>
In-Reply-To: <200011061117.MAA31514@mailgate3.cinetic.de>

On Mon, 6 Nov 2000, Thomas Seck wrote:

> I set up a slightly modified ipfw ruleset with a default deny, based on
> the "simple" ruleset from rc.firewall and opened udp port 33434 (the
> default source port for traceroute I thought). [...] Each invocation
> incremented the port no. by one.

33434 is the default *base* port number. But as far as I understand the
man page for traceroute (it's not entirely clear), the port number is
incremented for each new hop that traceroute attempts. The following
snippet of `man traceroute` seems to imply this behavior:

              Traceroute hopes that nothing is listening on UDP ports
              base to base + nhops - 1 at the destination host (so an
              ICMP PORT_UNREACHABLE message will be returned to
              terminate the route tracing).

Since the default maximum nhops (number of hops) is 30, try opening up
UDP ports 33434 through 33464 and see if that doesn't fix it. 

When I was troubleshooting firewall rules recently, I found a useful
technique: do an `ipfw zero`, then the command that is giving you
trouble, then `ipfw -t show`. This will show you which rules are
blocking the packets you want to pass.

>  Even when I invoked traceroute with -P UPD and -p 33434 the source port
>  was >35000. 

??? Sorry, this part of the question has me baffled. I assume you
actually typed UDP, not UPD  :^)

HTH...

--
Chris Hill               chris@monochrome.org
[1]    Bus error                     netscape
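
The `ipfw zero` / `ipfw -t show` technique from the message above, as an added example that is not part of the original e-mail: a filter that keeps only the deny-type rules whose packet counters are non-zero. The function name `blocking_rules`, the sample rules and the assumed column layout (rule number, packets, bytes, optional last-match timestamp, rule body) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Reads text laid out like `ipfw -t show` output (assumed:
# rule number, packets, bytes, optional last-match timestamp, rule body)
# and prints the deny-type rules that counted packets since `ipfw zero`.
blocking_rules() {
    awk '
    $2 ~ /^[0-9]+$/ && $2 + 0 > 0 {
        # The timestamp column is blank for rules that never matched, so
        # find the action keyword by scanning rather than by position.
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^(allow|accept|pass|permit|count|skipto|divert|fwd)$/)
                next
            if ($i ~ /^(deny|drop|reject|unreach|reset)$/) {
                body = $i
                for (j = i + 1; j <= NF; j++) body = body " " $j
                printf "%s pkts=%s %s\n", $1, $2, body
                next
            }
        }
    }'
}

# Constructed sample, not captured from a real host.
SAMPLE='00100   24   2016 Mon Nov  6 18:29:58 2000 allow ip from any to any via lo0
00300    3    120 Mon Nov  6 18:30:02 2000 allow udp from any to any 33434 out
00400    0      0                          allow icmp from any to any icmptypes 3,11
65000    9    360 Mon Nov  6 18:30:07 2000 deny log udp from any to any
65535    0      0                          deny ip from any to any'

# On a live system: ipfw zero; traceroute <host>; ipfw -t show | blocking_rules
printf '%s\n' "$SAMPLE" | blocking_rules
```
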