allowing internal machines to traceroute

Michael Sierchio kudzu at tenebras.com
Mon Jul 21 12:34:07 PDT 2003


Dennis B. Hopp wrote:
> I have setup a freebsd machine to act as a firewall/NAT device.  NAT is
> working fine and the firewall is working but I'm having trouble allowing
> internal machines to do traceroutes.

I'm exceedingly tired of reading firewall rulesets, so I'll just give you
a tutorial on traceroute.  Traceroute (by default) sends UDP packets
with a TTL of (in succession) 1, 2, ... etc. and generates ICMP error
messages in response (TTL exceeded in transit).  The assumption is that all the
packets take the same route, which might even be true.

allow outbound UDP to ports 33434-33599 from your internal hosts

allow ICMP type 11 to your internal hosts




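The following is an added example, not part of the mailing-list thread and not Michael's or the FreeBSD project's code. It models the two allow rules from the reply above as a small stateless rule evaluator, builds the packet sequence a classic UDP traceroute from an internal host would produce (assumed LAN 192.168.1.0/24, constructed router and destination addresses), and audits which packets those two rules pass. The ipfw syntax in the comments is the standard form of those rules; the interface name em0 is an assumption.

```python
"""Audit the two traceroute allow rules from the post against a simulated trace.

Assumed LAN (constructed): 192.168.1.0/24.  The rules from the post, in ipfw
form (interface em0 is an assumption):

    ipfw add allow udp  from 192.168.1.0/24 to any 33434-33599 out via em0
    ipfw add allow icmp from any to 192.168.1.0/24 icmptypes 11  in via em0
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN
TRACEROUTE_PORTS = range(33434, 33600)                   # 33434-33599 inclusive
ICMP_TIME_EXCEEDED = 11                                  # "TTL exceeded in transit"
ICMP_DEST_UNREACH = 3                                    # what the final hop answers with


@dataclass(frozen=True)
class Packet:
    direction: str                 # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str                     # "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None    # UDP destination port
    icmp_type: Optional[int] = None


def allow_traceroute(pkt: Packet) -> bool:
    """True if pkt matches one of the two rules in the post, else False."""
    if pkt.direction == "out" and pkt.proto == "udp":
        return (ipaddress.ip_address(pkt.src) in INTERNAL_NET
                and pkt.dport in TRACEROUTE_PORTS)
    if pkt.direction == "in" and pkt.proto == "icmp":
        return (ipaddress.ip_address(pkt.dst) in INTERNAL_NET
                and pkt.icmp_type == ICMP_TIME_EXCEEDED)
    return False


def simulate_traceroute(dst: str, hops: int, probes_per_hop: int = 3,
                        src: str = "192.168.1.10") -> List[Packet]:
    """Packets a classic UDP traceroute sends and gets back (constructed hop addresses).

    Each probe uses the next destination port starting at 33434; every router
    short of the target answers with ICMP type 11, the target itself with type 3
    (port unreachable), which is how traceroute knows it has arrived.
    """
    packets: List[Packet] = []
    port = 33434
    for ttl in range(1, hops + 1):
        router = f"10.0.{ttl}.1"          # constructed address of hop `ttl`
        for _ in range(probes_per_hop):
            packets.append(Packet("out", "udp", src, dst, dport=port))
            if ttl < hops:
                packets.append(Packet("in", "icmp", router, src,
                                      icmp_type=ICMP_TIME_EXCEEDED))
            else:
                packets.append(Packet("in", "icmp", dst, src,
                                      icmp_type=ICMP_DEST_UNREACH))
            port += 1
    return packets


def audit(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (allowed, denied) under the two rules."""
    allowed = [p for p in packets if allow_traceroute(p)]
    denied = [p for p in packets if not allow_traceroute(p)]
    return allowed, denied


if __name__ == "__main__":
    trace = simulate_traceroute("198.51.100.7", hops=5)
    ok, dropped = audit(trace)
    print(f"{len(ok)} packets allowed, {len(dropped)} denied")
    for p in dropped:
        print("denied:", p)
    # Things the two rules must NOT let through:
    print(allow_traceroute(Packet("in", "icmp", "203.0.113.9", "192.168.1.10", icmp_type=8)))
    print(allow_traceroute(Packet("out", "udp", "203.0.113.9", "198.51.100.7", dport=33434)))
```

Running the audit shows that every probe and every intermediate "TTL exceeded" reply passes, while an inbound echo request and a probe from a non-internal source are still denied. The three denied packets are the final hop's ICMP type 3 replies: the two rules in the post cover the intermediate hops, so a ruleset that only has those two will show the trace stalling at the last hop until inbound ICMP type 3 to the internal hosts is also allowed.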