From owner-freebsd-questions Tue Nov 7 0:41: 0 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from 2711.dynacom.net (2711.dynacom.net [206.107.213.3]) by hub.freebsd.org (Postfix) with ESMTP id 7D45E37B4C5 for ; Tue, 7 Nov 2000 00:40:55 -0800 (PST)
Received: from urx.com (dsl1-160.dynacom.net [206.159.132.160]) by 2711.dynacom.net (Build 101 8.9.3/NT-8.9.3) with ESMTP id AAA02110; Tue, 07 Nov 2000 00:40:52 -0800
Message-ID: <3A07C014.B95BE1F1@urx.com>
Date: Tue, 07 Nov 2000 00:40:52 -0800
From: Kent Stewart
Reply-To: kstewart@urx.com
Organization: Dynacom
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Thomas Seck
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: [4.1.1-stable] Problem with traceroute and ipfw
References: <200011070827.JAA28389@mailgate3.cinetic.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Thomas Seck wrote:
>
> Chris Hill wrote on 07.11.00:
> > On Mon, 6 Nov 2000, Thomas Seck wrote:
> >
> > 33434 is the default *base* port number. But as far as I understand the
> > man page for traceroute (it's not entirely clear), the port number is
> > incremented for each new hop that traceroute attempts. The following
> > snippet of `man traceroute` seems to imply this behavior:
> > [...]
>
> Well the manpage did not at all clear things up.
>
> > Since the default maximum nhops (number of hops) is 30, try opening up
> > UDP ports 33434 through 33464 and see if that doesn't fix it.
> >
> > When I was troubleshooting firewall rules recently, I found a useful
> > technique: do an 'ipfw zero', then the command that is giving you
> > trouble, then `ipfw -t show`. This will show you which rules are
> > blocking the packets you want to pass.
>
> It's definitely '65535 ip deny all all', so I used
> 'ip deny log all all' as the last rule in rc.firewall and could see
> that traceroute was trying to c via ports >35000, no matter how
> I set -p. Puzzling. And these port numbers were not even close to 33434.
>
> Staring at the source did not help me out either (I did not even quite
> understand the comments :)).
>
> As I said, each subsequent invocation of traceroute increased that port no.
> by one, no matter whether -p is set.
>
> > > Even when I invoked traceroute with -P UDP and -p 33434 the source port
> > > was >35000.
> >
> > ??? Sorry, this part of the question has me baffled. I assume you
> > actually typed UDP, not UPD :^)
>
> Yep. Darn typos :)
>
> Well, I still think traceroute does work as expected and I am doing something
> extremely stupid. Has someone a working 4.1.1 ipfw setup that is allowing
> traceroute?

# TRACEROUTE - Allow outgoing, but not incoming
${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

ruby# traceroute 194.122.194.100
traceroute to 194.122.194.100 (194.122.194.100), 30 hops max, 40 byte packets
 1  dynacom.net (206.159.132.129)  23.990 ms  24.806 ms  42.573 ms
 2  ken-3620.dynacom.net (206.107.213.1)  37.631 ms  25.030 ms  25.404 ms
 3  sl-gw2-sea-5-4.sprintlink.net (144.228.94.197)  35.081 ms sl-gw2-sea-5-2.sprintlink.net (144.228.94.77)  42.009 ms sl-gw2-sea-3-5-T1.sprintlink.net (144.228.94.121)  40.269 ms
 4  sl-bb1-sea-12-0-0.sprintlink.net (144.228.90.1)  41.694 ms  49.351 ms  40.859 ms
 5  sl-bb10-sea-0-2.sprintlink.net (144.232.6.33)  32.435 ms  53.586 ms  39.889 ms
 6  sl-bb20-tac-9-0.sprintlink.net (144.232.18.41)  46.549 ms  37.566 ms  42.798 ms
 7  sl-bb20-sj-8-0.sprintlink.net (144.232.9.213)  53.640 ms  64.424 ms  57.876 ms
 8  sjo-edge-05.inet.qwest.net (205.171.4.9)  62.452 ms  53.474 ms  70.545 ms
 9  sjo-core-03.inet.qwest.net (205.171.22.49)  63.666 ms  60.648 ms  62.378 ms
10  sjo-core-02.inet.qwest.net (205.171.22.5)  51.506 ms  62.665 ms  52.928 ms
11  hou-core-02.inet.qwest.net (205.171.5.145)  96.190 ms  103.151 ms  111.726 ms
12  hou-core-01.inet.qwest.net (205.171.23.1)  93.699 ms  94.067 ms  93.756 ms
13  wdc-core-01.inet.qwest.net (205.171.5.186)  112.599 ms  132.862 ms  118.030 ms
14  wdc-brdr-03.inet.qwest.net (205.171.24.38)  116.516 ms  111.310 ms  110.929 ms
15  Wash-cr01.DC.US.kpnqwest.net (205.171.24.114)  119.183 ms  111.698 ms  115.204 ms
16  Obl-cr01.NL.kpnqwest.net (134.222.228.25)  214.087 ms  212.544 ms  216.789 ms
17  Ffm-nr04.DE.kpnqwest.net (134.222.229.242)  320.466 ms  271.330 ms  408.462 ms
18  CORE1.frankfurt.xlink.net (134.222.19.6)  238.742 ms  239.694 ms  222.278 ms
19  CORE2.Karlsruhe.xlink.net (194.122.227.149)  231.791 ms  230.545 ms  224.752 ms
20  karlsruhe10.core.xlink.net (194.122.243.4)  237.167 ms  254.949 ms  240.757 ms
21  gw.cinetic.de (194.122.227.42)  252.363 ms  257.594 ms  242.028 ms
22  eth3.newt.cinetic.de (194.122.194.230)  239.413 ms  252.744 ms  256.379 ms

Kent

>
> --
> Regards from Germany,
> Thomas Seck

--
Kent Stewart
Richland, WA
mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html

FreeBSD News http://daily.daemonnews.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
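The thread turns on two port numbers that the posters keep conflating. The `-p` option of the classic BSD traceroute sets the UDP *destination* base port, and the destination port increases by one for every probe packet sent (three probes per hop by default), so a 30-hop run uses 90 consecutive ports, which is exactly why Kent's rule passes 33434-33523 rather than the 30 ports Chris suggested. The UDP *source* port is unrelated to `-p`: classic traceroute derives it from its process id (`(pid & 0xffff) | 0x8000`), which is why it is always at least 32768 and grows by one between consecutive runs as the pid increments. The script below is an added example, not code from the thread or from FreeBSD; it models those two rules and checks whether an ipfw-style destination-port range covers a whole run. The function names are my own.

```python
# Added example (not from the mailing-list thread or FreeBSD): model which
# UDP ports a classic BSD traceroute run uses and check whether an ipfw
# rule such as "pass udp from any to any 33434-33523 out" covers them all.

DEFAULT_BASE_PORT = 33434   # default -p base destination port
DEFAULT_MAX_HOPS = 30       # default -m (max TTL)
DEFAULT_PROBES = 3          # default -q (probes per hop)


def probe_dest_ports(base=DEFAULT_BASE_PORT, max_hops=DEFAULT_MAX_HOPS,
                     probes=DEFAULT_PROBES):
    """Destination ports of every probe in one run.

    Classic traceroute sends each probe to base + sequence number, and the
    sequence number advances once per probe packet, not once per hop, so a
    run needs max_hops * probes consecutive ports.
    """
    return [base + seq for seq in range(max_hops * probes)]


def source_port(pid):
    """UDP source port used by classic BSD traceroute: (pid & 0xffff) | 0x8000.

    This is independent of -p, always >= 32768, and moves by one between
    consecutive runs as the pid increments, matching the ">35000" ports
    seen in the ipfw deny log in the thread.
    """
    return (pid & 0xffff) | 0x8000


def parse_port_range(spec):
    """Parse an ipfw port spec such as '33434-33523' or '33434' into (lo, hi)."""
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo), int(hi)
    port = int(spec)
    return port, port


def uncovered_ports(rule_spec, **run_options):
    """Destination ports a run would use that the rule's port range does not pass."""
    lo, hi = parse_port_range(rule_spec)
    return [p for p in probe_dest_ports(**run_options) if not lo <= p <= hi]


def rule_covers_run(rule_spec, **run_options):
    """True if every probe of the run matches the rule's destination-port range."""
    return not uncovered_ports(rule_spec, **run_options)


if __name__ == "__main__":
    # Kent's rule versus Chris's suggestion, both for a default 30-hop run.
    for spec in ("33434-33523", "33434-33464"):
        missing = uncovered_ports(spec)
        print(f"{spec}: {'covers' if not missing else 'misses'} "
              f"{len(missing)} of {DEFAULT_MAX_HOPS * DEFAULT_PROBES} probes")
    # Constructed pid: the source port lands above 32768 whatever -p says.
    print("source port for pid 2110:", source_port(2110))
```

The useful takeaway for writing the rule is that it must be sized from `max_hops * probes`, so a `-m` or `-q` larger than the defaults needs a correspondingly wider range, and that a rule keyed on source port 33434 can never match, because the source port is always in the 0x8000 range.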