Date:      Tue, 9 Jan 2001 22:02:30 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        blaz <blaz@satx.rr.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: traceroute continued.
Message-ID:  <20010109220230.S95729@rfx-64-6-211-149.users.reflexco>
In-Reply-To: <3A5B5BBE.6E471EB6@satx.rr.com>; from blaz@satx.rr.com on Tue, Jan 09, 2001 at 12:43:10PM -0600
References:  <3A5B5BBE.6E471EB6@satx.rr.com>

On Tue, Jan 09, 2001 at 12:43:10PM -0600, blaz wrote:
> still no luck with getting machines behind firewall to be able
> to use traceroute -- just from firewall:

It works from the firewall itself? That means all of the rules you need
are on the external interface. This could either be a problem with
your rules on the internal interface or natd(8) (and I believe you've
mentioned natd).

> here are all of my rules concerning this issue, maybe someone
> with a lot more experience than me can help me out..
> 
> # TRACEROUTE - Allow outgoing
> ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

All of the ICMP ones look good. Is there a rule that is letting them
come in the inner interface?

If it looks like you do, start a traceroute on an internal machine and
do tcpdump(8)'s on each interface of the firewall/gateway/NAT
machine. First do,

  # tcpdump -n -i if0 udp

Where if0 is really the valid name of an interface, and see where the
UDP packets are or are not getting to. If those are not getting out of
the external interface, use 'ipfw show' to find which rule is blocking
them (watch for changes in the rule counters). If it looks good, try
the same process with,

  # tcpdump -n -i if0 icmp

And see if we all did not miss a problem in your ICMP rules.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
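The "watch for changes in the rule counters" step above can be done mechanically instead of by eye. What follows is an added example, not code from the original message or from either poster: it takes two snapshots of `ipfw show` output (captured before and after a traceroute from an internal host) and reports every rule whose packet counter moved, then narrows that to the rules that drop traffic. The snapshots, rule numbers, the interface name ed0 and the counter values are constructed sample data for illustration, not the poster's actual ruleset.

```shell
#!/bin/sh
# Added example: diff two 'ipfw show' snapshots to find which rule handled
# the traceroute probes. 'ipfw show' prints, per rule:
#   <rule number> <packet count> <byte count> <rule body>
# All data below is constructed for the example; on a real box capture with
#   ipfw show > before.txt ; (run traceroute on an inner host) ; ipfw show > after.txt

# Constructed snapshot taken before the traceroute (ed0 is a made-up interface).
BEFORE='00100      12     1440 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300     300    45000 divert 8668 ip from any to any via ed0
00400      40     2800 allow udp from any to any 33434-33523 out via ed0
00500       5      600 allow icmp from any to any icmptypes 0,3,11
65000      17     2100 deny ip from any to any
65535       0        0 deny ip from any to any'

# Constructed snapshot taken after the traceroute: the divert rule and the
# catch-all deny moved, the UDP allow rule on the outer interface did not.
AFTER='00100      12     1440 allow ip from any to any via lo0
00200       0        0 deny ip from any to 127.0.0.0/8
00300     312    46800 divert 8668 ip from any to any via ed0
00400      40     2800 allow udp from any to any 33434-33523 out via ed0
00500       5      600 allow icmp from any to any icmptypes 0,3,11
65000      23     2900 deny ip from any to any
65535       0        0 deny ip from any to any'

# changed_rules BEFORE AFTER
# Prints "<rule> +<packets> <rule body>" for each rule whose packet counter
# increased between the two snapshots. Both snapshots are fed to one awk run,
# separated by a marker line, so this stays POSIX sh (no process substitution).
changed_rules() {
    { printf '%s\n' "$1"; printf '%s\n' '--'; printf '%s\n' "$2"; } |
    awk '
        $1 == "--" { second = 1; next }          # switch from first to second snapshot
        !second    { before[$1] = $2; next }     # remember packet counter per rule
        ($1 in before) && $2 > before[$1] + 0 {
            delta = $2 - before[$1]
            rule  = $1
            $1 = ""; $2 = ""; $3 = ""            # strip rule number and both counters
            sub(/^ +/, "")                       # drop the leading spaces awk leaves behind
            printf "%s +%d %s\n", rule, delta, $0
        }'
}

# blocking_rules BEFORE AFTER
# Of the rules that fired, keep only those whose action drops packets. If the
# catch-all deny shows up here while the traceroute probes were seen on the
# inner interface with tcpdump, no earlier rule is passing them in.
blocking_rules() {
    changed_rules "$1" "$2" | awk '$3 == "deny" || $3 == "unreach" || $3 == "reset"'
}

# Stand-alone run over the constructed snapshots.
echo "rules whose counters moved:"
changed_rules "$BEFORE" "$AFTER"
echo "of those, rules that drop traffic:"
blocking_rules "$BEFORE" "$AFTER"
```

Run it once with the UDP filter active on each interface (`tcpdump -n -i if0 udp`, as above) so you can tie the counter movement to the packets you actually saw; if only the catch-all deny moved, the missing piece is an allow rule for the probes on the inner interface, not the outgoing rule on the outer one.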

