allowing internal machines to traceroute

Dennis B. Hopp dhopp at coreps.com
Mon Jul 21 12:25:23 PDT 2003


I have set up a freebsd machine to act as a firewall/NAT device.  NAT is
working fine and the firewall is working, but I'm having trouble allowing
internal machines to do traceroutes.

Pings work fine but traceroutes die at the freebsd machine.  My
firewall.rules file contains:

#stop spoofing
add 00010 deny log all from 192.168.1.0/24 to any in via fxp0

# Stop RFC1918 nets on the outside interface
add 00020 deny log all from any to 10.0.0.0/8 via fxp0
add 00030 deny log all from any to 172.16.0.0/12 via fxp0
add 00040 deny log all from any to 192.168.0.0/16 via fxp0

add 00100 divert 8668 ip from any to any via fxp0
add 00110 deny log ip from 192.168.1.0/24 to any in recv fxp0
add 00120 deny log ip from 207.241.136.0/24 to any in recv fxp1

#Stop RFC1918 at the outside interface both from being received and being sent:
add 00150 deny log ip from 192.168.0.0/16 to any in recv fxp0
add 00150 deny log ip from any to 192.168.0.0/16 out xmit fxp0
add 00150 deny log ip from 172.16.0.0/12 to any in recv fxp0
add 00150 deny log ip from any to 172.16.0.0/12 out xmit fxp0
add 00150 deny log ip from 10.0.0.0/8 to any in recv fxp0
add 00150 deny log ip from any to 10.0.0.0/8 out xmit fxp0

add 00200 check-state
add 00201 allow ip from any to any via lo0
add 00202 deny log ip from any to 127.0.0.0/8
add 00203 deny log ip from 127.0.0.0/8 to any
add 00215 allow tcp from any to any established
add 00216 allow tcp from <external ip> to any out xmit fxp0 setup
add 00217 allow tcp from 192.168.1.0/24 to any in recv fxp1 setup
add 00218 allow udp from <external ip> to any out xmit fxp0 keep-state
add 00219 allow udp from 192.168.1.0/24 to any in recv fxp1 keep-state
add 00235 allow icmp from 192.168.1.0/24 to any keep-state via fxp1
add 00236 allow icmp from 207.241.136.9 to any keep-state out via fxp0

add 00640 allow tcp from any to any 22 out via fxp0 setup keep-state

Any ideas?

--Dennis
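As an added example, not part of the post above or of FreeBSD's own rc.firewall, here is a fragment for the same firewall.rules file that admits the ICMP messages a UDP traceroute depends on, which the posted rules do not cover (pings work because the echo reply comes from the same host the probe went to, so it matches the 00235 keep-state entry; traceroute answers come from a different host per hop). Rule numbers 00237 and 00238 are assumed, as is the kernel's default final deny rule.

```ipfw
# Added example, not from the original post.  Rule numbers are assumed.
#
# A UNIX traceroute sends UDP probes with increasing TTL.  The probe
# itself is covered by the keep-state entry that rule 00219 creates,
# but the answers are ICMP errors sent by *other* hosts:
#   type 11 (time exceeded)       from each intermediate router
#   type 3  (port unreachable)    from the final destination
# A dynamic UDP entry never matches an ICMP packet, and 00236 only
# allows ICMP *out* via fxp0, so these replies fall through to the
# final deny.
#
# After the divert at 00100, natd has already rewritten the inbound
# error's destination back to the internal host, so by the time the
# rules below are consulted the packet is addressed to 192.168.1.0/24.

# 1. Admit the two ICMP error types on the outside interface.  Limiting
#    to icmptypes 3,11 leaves echo-request, redirect and the rest
#    governed by the existing rules only.
add 00237 allow icmp from any to 192.168.1.0/24 icmptypes 3,11 in recv fxp0

# 2. A forwarded packet is evaluated a second time on output.  The
#    existing 00235 matches ICMP *from* the LAN only, so the reply also
#    needs a rule on its way out to the internal host.  This same rule
#    covers the time-exceeded message the firewall itself generates as
#    hop 1 (it originates on the box, so it is only seen out xmit fxp1).
add 00238 allow icmp from any to 192.168.1.0/24 icmptypes 3,11 out xmit fxp1
```

With `log` on the final deny rule, `ipfw show 65535` and the security log will show whether the remaining drops are the expected types 3/11 or something else.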