From: Doug Barton <DougB@FreeBSD.org>
Date: Sun, 26 Nov 2000 13:43:03 -0800
To: cjclark@alum.mit.edu
Cc: Nuno Teixeira, freebsd-security@FreeBSD.org
Subject: Re: NATD: failed to write packet back (Permission denied)
Message-ID: <3A2183E7.6039C582@FreeBSD.org>

"Crist J. Clark" wrote:
>
> On Sun, Nov 26, 2000 at 07:20:41PM -0000, Nuno Teixeira wrote:
> > Hi,
> >
> > I think not. Can you tell me how to add this rule to my ruleset?
>
> The two rules needed to get UNIX-style traceroutes to work are,
>
>     ${fwcmd} add allow udp from any to any 33434-33474 out via ${oif}

When I do a traceroute from a FreeBSD machine outside my firewall to the
firewall machine, I see this:

    ipfw: 1200 Deny UDP :38575 :33468 in via ep0
    ipfw: 1200 Deny UDP :38597 :33477 in via ep0
    ipfw: 1200 Deny UDP :38597 :33478 in via ep0
    ipfw: 1200 Deny UDP :38597 :33479 in via ep0

Which supports what I've been told, that unix traceroute uses UDP packets.
It sounds like in order to allow traceroutes through the firewall you have
to open up a pretty big hole for UDP...

Doug

-- 
So what I want to know is, where does the RED brick road go?
Do YOU Yahoo!?
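As an added example (not code from the mail or from FreeBSD), the following parses ipfw deny lines of the format shown above and checks which logged probes the quoted 33434-33474 range would actually admit; note that three of Doug's logged destination ports (33477-33479) fall outside that range. The log lines and 192.0.2.x addresses below are constructed to match the page's format, and the wider "probe window" bound is an assumption based on traceroute's default of 30 hops times 3 probes.

```python
import re
from collections import Counter

# Port range opened by the rule quoted in the mail.
ALLOWED_PORTS = range(33434, 33474 + 1)
# Assumption: default traceroute sends 30 hops * 3 probes starting at 33434,
# so probes can reach 33434 + 89 = 33523.
PROBE_WINDOW = range(33434, 33523 + 1)

# Constructed sample log, modelled on the ipfw lines in the mail, with
# RFC 5737 documentation addresses filled in where the mail elides them.
SAMPLE_LOG = """\
ipfw: 1200 Deny UDP 192.0.2.10:38575 192.0.2.1:33468 in via ep0
ipfw: 1200 Deny UDP 192.0.2.10:38597 192.0.2.1:33477 in via ep0
ipfw: 1200 Deny UDP 192.0.2.10:38597 192.0.2.1:33478 in via ep0
ipfw: 1200 Deny UDP 192.0.2.10:38597 192.0.2.1:33479 in via ep0
ipfw: 1200 Deny UDP 192.0.2.20:1024 192.0.2.1:53 in via ep0
"""

LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for one ipfw log line, or None if unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def classify(line):
    """Label a denied packet relative to the quoted traceroute rule."""
    rec = parse_line(line)
    if rec is None or rec["proto"] != "UDP":
        return "other"
    if rec["dport"] in ALLOWED_PORTS:
        return "probe-covered-by-rule"
    if rec["dport"] in PROBE_WINDOW:
        return "probe-outside-rule"
    return "other"


def summarize(log_text):
    """Count classifications over a whole log; useful for tuning the range."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())
```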