From: "Dennis B. Hopp"
To: freebsd-ipfw@freebsd.org
Date: Mon, 21 Jul 2003 15:25:26 -0400
Message-ID: <01ab01c34fbd$d6d01440$0201a8c0@dennis>
Subject: allowing internal machines to traceroute
List-Id: IPFW Technical Discussions

I have set up a FreeBSD machine to act as a firewall/NAT device. NAT is working fine and the firewall is working, but I'm having trouble allowing internal machines to do traceroutes. Pings work fine, but traceroutes die at the FreeBSD machine.
My firewall.rules file contains:

    #stop spoofing
    add 00010 deny log all from 192.168.1.0/24 to any in via fxp0

    # Stop RFC1918 nets on the outside interface
    add 00020 deny log all from any to 10.0.0.0/8 via fxp0
    add 00030 deny log all from any to 172.16.0.0/12 via fxp0
    add 00040 deny log all from any to 192.168.0.0/16 via fxp0

    add 00100 divert 8668 ip from any to any via fxp0

    add 00110 deny log ip from 192.168.1.0/24 to any in recv fxp0
    add 00120 deny log ip from 207.241.136.0/24 to any in recv fxp1

    #Stop RFC1918 at the outside interface both from being received and being sent:
    add 00150 deny log ip from 192.168.0.0/16 to any in recv fxp0
    add 00150 deny log ip from any to 192.168.0.0/16 out xmit fxp0
    add 00150 deny log ip from 172.16.0.0/12 to any in recv fxp0
    add 00150 deny log ip from any to 172.16.0.0/12 out xmit fxp0
    add 00150 deny log ip from 10.0.0.0/8 to any in recv fxp0
    add 00150 deny log ip from any to 10.0.0.0/8 out xmit fxp0

    add 00200 check-state
    add 00201 allow ip from any to any via lo0
    add 00202 deny log ip from any to 127.0.0.0/8
    add 00203 deny log ip from 127.0.0.0/8 to any

    add 00215 allow tcp from any to any established
    add 00216 allow tcp from to any out xmit fxp0 setup
    add 00217 allow tcp from 192.168.1.0/24 to any in recv fxp1 setup
    add 00218 allow udp from to any out xmit fxp0 keep-state
    add 00219 allow udp from 192.168.1.0/24 to any in recv fxp1 keep-state
    add 00235 allow icmp from 192.168.1.0/24 to any keep-state via fxp1
    add 00236 allow icmp from 207.241.136.9 to any keep-state out via fxp0
    add 00640 allow tcp from any to any 22 out via fxp0 setup keep-state

Any ideas?

--Dennis
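An added illustration of the failure mode the post describes, not code from the post or from ipfw itself. A classic UDP traceroute sends probes to high UDP ports (33434 and up) with an increasing TTL; the replies it waits for are ICMP time-exceeded (type 11) messages from each intermediate router and an ICMP port-unreachable (type 3) from the destination. Those replies come from hosts other than the probe's destination and use a different protocol, so a dynamic rule created by `keep-state` on the UDP probe never matches them, and in a ruleset whose ICMP rules are all stateful they fall through to the default deny. The model below is a deliberately small simulation of ipfw's first-match evaluation with dynamic rules; the hop and destination addresses are constructed, the only address taken from the post is the outside address 207.241.136.9 used in rule 00236, and the corresponding real ipfw rule is shown in a comment.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses for the walk-through. Only OUTSIDE comes from the post (rule 00236);
# HOP1 and TARGET are constructed documentation addresses.
OUTSIDE = "207.241.136.9"   # NAT'd source of the probes as seen on fxp0
HOP1 = "203.0.113.1"        # constructed intermediate router
TARGET = "198.51.100.7"     # constructed traceroute destination


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "icmp"
    src: str
    dst: str
    direction: str      # "in" or "out" relative to the firewall's outside interface
    sport: int = 0
    dport: int = 0
    icmptype: int = -1  # ICMP type, -1 for non-ICMP packets


@dataclass
class Rule:
    action: str                 # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    direction: str = ""         # "" matches both directions
    icmptypes: tuple = ()       # models ipfw's "icmptypes 3,11"
    keep_state: bool = False


def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


class Firewall:
    """Simplified model of ipfw: rules are tried in order, the first match wins,
    keep-state records the packet's 5-tuple (both directions) and check-state
    admits packets whose 5-tuple is already recorded. Dynamic entries are keyed on
    (proto, src, sport, dst, dport), so an ICMP error sent by a router never
    matches the entry created by the UDP probe that triggered it."""

    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()

    def _static_match(self, r: Rule, p: Packet) -> bool:
        return (r.proto in ("ip", p.proto)
                and addr_matches(r.src, p.src)
                and addr_matches(r.dst, p.dst)
                and (not r.direction or r.direction == p.direction)
                and (not r.icmptypes or p.icmptype in r.icmptypes))

    def verdict(self, p: Packet) -> str:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        for r in self.rules:
            if r.action == "check-state":
                if key in self.dynamic:
                    return "allow"
                continue
            if self._static_match(r, p):
                if r.keep_state:
                    self.dynamic.add(key)
                    self.dynamic.add((p.proto, p.dst, p.dport, p.src, p.sport))
                return r.action
        return "deny"   # default rule of a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT


# Outside-interface view of the post's stateful rules (00200, 00218, 00236).
BASE_RULES = [
    Rule("check-state"),
    Rule("allow", "udp", OUTSIDE, "any", "out", keep_state=True),
    Rule("allow", "icmp", OUTSIDE, "any", "out", keep_state=True),
]

# The missing piece: stateless acceptance of the two ICMP error types traceroute
# relies on. As an ipfw line (assumed placement, after 00236) this would be:
#   add 00237 allow icmp from any to 207.241.136.9 in via fxp0 icmptypes 3,11
TRACEROUTE_REPLIES = Rule("allow", "icmp", "any", OUTSIDE, "in", icmptypes=(3, 11))
FIXED_RULES = [BASE_RULES[0], TRACEROUTE_REPLIES] + BASE_RULES[1:]


def traceroute_verdicts(fw: Firewall) -> list:
    """One UDP probe leaving via the outside interface, followed by the replies
    the two first hops would send: time exceeded from HOP1, port unreachable
    from TARGET. Returns the firewall's verdict for each packet in order."""
    probe = Packet("udp", OUTSIDE, TARGET, "out", sport=40000, dport=33434)
    replies = [
        Packet("icmp", HOP1, OUTSIDE, "in", icmptype=11),   # time exceeded
        Packet("icmp", TARGET, OUTSIDE, "in", icmptype=3),  # port unreachable
    ]
    return [fw.verdict(probe)] + [fw.verdict(r) for r in replies]


if __name__ == "__main__":
    print("stateful only:", traceroute_verdicts(Firewall(BASE_RULES)))
    print("with icmptypes 3,11:", traceroute_verdicts(Firewall(FIXED_RULES)))
```

With only the stateful rules the probe leaves but both replies are dropped, which is exactly what a traceroute showing nothing but `*` past the firewall looks like; admitting ICMP types 3 and 11 inbound lets them through while still refusing unsolicited echo requests and other ICMP from outside. Two things the model leaves out and that matter on a real box: the NAT step (the `divert` rule) must also rewrite the copy of the probe header embedded in each ICMP error so the reply can be delivered to the internal host, which natd does, and the firewall itself is a hop, so it must be permitted to send its own time-exceeded messages back to the internal network on fxp1.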