Date:      Tue, 07 Nov 2000 00:40:52 -0800
From:      Kent Stewart <kstewart@urx.com>
To:        Thomas Seck <tmseck@web.de>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: [4.1.1-stable] Problem with traceroute and ipfw
Message-ID:  <3A07C014.B95BE1F1@urx.com>
References:  <200011070827.JAA28389@mailgate3.cinetic.de>



Thomas Seck wrote:
> 
> Chris Hill <chris@monochrome.org> wrote on 07.11.00:
> > On Mon, 6 Nov 2000, Thomas Seck wrote:
> >
> > 33434 is the default *base* port number. But as far as I understand the
> > man page for traceroute (it's not entirely clear), the port number is
> > incremented for each new hop that traceroute attempts. The following
> > snippet of `man traceroute` seems to imply this behavior:
> 
> [...]
> 
> Well the manpage did not at all clear things up.
> 
> > Since the default maximum nhops (number of hops) is 30, try opening up
> > UDP ports 33434 through 33464 and see if that doesn't fix it.
> >
> > When I was troubleshooting firewall rules recently, I found a useful
> > technique: do an 'ipfw zero', then the command that is giving you
> > trouble, then `ipfw -t show`. This will show you which rules are
> > blocking the packets you want to pass.
> 
> It's definitely '65535 ip deny all all', so I used
> 'ip deny log all all' as the last rule in rc.firewall and could see
> that traceroute was trying to c via ports >35000, no matter how
> I set -p. Puzzling. And these port numbers were not even close to 33434.
> 
> Staring at the source did not help me out either (I did not even quite
> understand the comments :)).
> 
> As I said, each subsequent invocation of traceroute increased that port no.
> by one, no matter whether -p is set.
> 
> > >  Even when I invoked traceroute with -P UPD and -p 33434 the source port
> > >  was >35000.
> >
> > ??? Sorry, this part of the question has me baffled. I assume you
> > actually typed UDP, not UPD  :^)
> 
> Yep. Darn typos :)
> 
> Well, I still think traceroute does work as expected and I am doing something
> extremely stupid. Has someone a working 4.1.1 ipfw setup that is allowing
> traceroute?


        # TRACEROUTE - Allow outgoing, but not incoming
        ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

ruby# traceroute 194.122.194.100
traceroute to 194.122.194.100 (194.122.194.100), 30 hops max, 40 byte packets
 1  dynacom.net (206.159.132.129)  23.990 ms  24.806 ms  42.573 ms
 2  ken-3620.dynacom.net (206.107.213.1)  37.631 ms  25.030 ms  25.404 ms
 3  sl-gw2-sea-5-4.sprintlink.net (144.228.94.197)  35.081 ms
    sl-gw2-sea-5-2.sprintlink.net (144.228.94.77)  42.009 ms
    sl-gw2-sea-3-5-T1.sprintlink.net (144.228.94.121)  40.269 ms
 4  sl-bb1-sea-12-0-0.sprintlink.net (144.228.90.1)  41.694 ms  49.351 ms  40.859 ms
 5  sl-bb10-sea-0-2.sprintlink.net (144.232.6.33)  32.435 ms  53.586 ms  39.889 ms
 6  sl-bb20-tac-9-0.sprintlink.net (144.232.18.41)  46.549 ms  37.566 ms  42.798 ms
 7  sl-bb20-sj-8-0.sprintlink.net (144.232.9.213)  53.640 ms  64.424 ms  57.876 ms
 8  sjo-edge-05.inet.qwest.net (205.171.4.9)  62.452 ms  53.474 ms  70.545 ms
 9  sjo-core-03.inet.qwest.net (205.171.22.49)  63.666 ms  60.648 ms  62.378 ms
10  sjo-core-02.inet.qwest.net (205.171.22.5)  51.506 ms  62.665 ms  52.928 ms
11  hou-core-02.inet.qwest.net (205.171.5.145)  96.190 ms  103.151 ms  111.726 ms
12  hou-core-01.inet.qwest.net (205.171.23.1)  93.699 ms  94.067 ms  93.756 ms
13  wdc-core-01.inet.qwest.net (205.171.5.186)  112.599 ms  132.862 ms  118.030 ms
14  wdc-brdr-03.inet.qwest.net (205.171.24.38)  116.516 ms  111.310 ms  110.929 ms
15  Wash-cr01.DC.US.kpnqwest.net (205.171.24.114)  119.183 ms  111.698 ms  115.204 ms
16  Obl-cr01.NL.kpnqwest.net (134.222.228.25)  214.087 ms  212.544 ms  216.789 ms
17  Ffm-nr04.DE.kpnqwest.net (134.222.229.242)  320.466 ms  271.330 ms  408.462 ms
18  CORE1.frankfurt.xlink.net (134.222.19.6)  238.742 ms  239.694 ms  222.278 ms
19  CORE2.Karlsruhe.xlink.net (194.122.227.149)  231.791 ms  230.545 ms  224.752 ms
20  karlsruhe10.core.xlink.net (194.122.243.4)  237.167 ms  254.949 ms  240.757 ms
21  gw.cinetic.de (194.122.227.42)  252.363 ms  257.594 ms  242.028 ms
22  eth3.newt.cinetic.de (194.122.194.230)  239.413 ms  252.744 ms  256.379 ms

Kent

> 
> --
> Regards from Germany,
> Thomas Seck
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://kstewart.urx.com/kstewart/index.html
FreeBSD News http://daily.daemonnews.org/
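
Added example (not part of the original message, and not code from traceroute or ipfw): a simplified model of why the rule above needs a 90-port range rather than one port per hop. It assumes each probe goes to the base port plus a counter that rises by one per probe, with three probes per hop as in the output above; whether the counter starts at 0 or 1 is left as a parameter (first_offset, a name introduced here).

```python
# Simplified model of UDP traceroute destination ports, checked against an
# ipfw-style destination-port range. All function names are hypothetical.

def probe_ports(base=33434, max_hops=30, nprobes=3, first_offset=0):
    """Return [(hop, dst_port), ...] for one traceroute run.

    Assumption: every probe goes to base + counter, and the counter rises
    by one per probe; first_offset is the counter value of the first probe.
    """
    ports = []
    counter = first_offset
    for hop in range(1, max_hops + 1):
        for _ in range(nprobes):
            ports.append((hop, base + counter))
            counter += 1
    return ports


def first_blocked(ports, lo, hi):
    """Return (hop, dst_port) of the first probe outside lo-hi, or None.

    Models a rule of the form 'pass udp from any to any LO-HI out', which
    matches on the destination port only; the source port plays no part.
    """
    for hop, port in ports:
        if not lo <= port <= hi:
            return hop, port
    return None


def required_range(ports):
    """Smallest destination-port range that passes every probe."""
    dst = [port for _, port in ports]
    return min(dst), max(dst)


if __name__ == "__main__":
    for offset in (0, 1):
        run = probe_ports(first_offset=offset)
        print("first_offset", offset, "needs", required_range(run))
        # Range suggested earlier in the thread (one port per hop).
        print("  33434-33464 first blocked:", first_blocked(run, 33434, 33464))
        # Range used by the rule in this reply.
        print("  33434-33523 first blocked:", first_blocked(run, 33434, 33523))
```

Under this model the 33434-33464 range starts dropping probes at hop 11, and the 33434-33523 range covers all 90 probes when the counter starts at 0.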





