In some email I received from [EMAIL PROTECTED], sie wrote:
> (concerning 4.1):
>
> > 3. a Solaris server behind the firewall could
> > not traceroute outside of the network (ICMP NAT).
>
>
> This is also true of 3.4.33 - traceroute from behind
> a NAT'ed firewall quit working. It had worked in
> 3.4.31. Traceroute from the firewall itself still
> works even on 3.4.33.
Try this patch for 3.4.33:
Index: ip_nat.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
retrieving revision 2.37.2.80
diff -u -r2.37.2.80 ip_nat.c
--- ip_nat.c 2004/02/11 15:16:22 2.37.2.80
+++ ip_nat.c 2004/03/11 13:46:52
@@ -2028,7 +2028,7 @@
if (sumd2) {
sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
- if (nat->nat_dir == NAT_OUTBOUND) {
+ if (nat->nat_dir == NAT_INBOUND) {
fix_outcksum(fin, &icmp->icmp_cksum, sumd2);
} else {
fix_incksum(fin, &icmp->icmp_cksum, sumd2);
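Review bot: the one-word change from `- if (nat->nat_dir == NAT_OUTBOUND) {` to `+ if (nat->nat_dir == NAT_INBOUND) {` reverses which of fix_outcksum() and fix_incksum() is applied for each session direction, but the hunk records no reason for it; a future reader will see an apparently inverted test and be tempted to flip it back. Please add a comment on the `if` stating the rationale (if it is that the ICMP error is carried in the opposite direction to the NAT session whose direction nat_dir records, say so), so the choice of the outbound fixer for the inbound case is documented next to the code.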
And for 4.1+, use this patch:
Index: ip_nat.c
===================================================================
RCS file: /devel/CVS/IP-Filter/ip_nat.c,v
retrieving revision 2.195.2.1
diff -u -r2.195.2.1 ip_nat.c
--- ip_nat.c 6 Mar 2004 14:33:03 -0000 2.195.2.1
+++ ip_nat.c 11 Mar 2004 13:47:00 -0000
@@ -2747,7 +2747,7 @@
*
* To further complicate: the TCP checksum is not in the first
* 8 bytes of the offending ip packet, so it most likely is not
- * available. OSses like Solaris return enough bytes to
+ * available. Some OSses like Solaris return enough bytes to
* include the TCP checksum. So we have to check if the
* ip->ip_len actually holds the TCP checksum of the oip!
*/
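Review bot: style point on `+ * available. Some OSses like Solaris return enough bytes to`: since this comment line is being edited anyway, fix the misspelling "OSses" to "OSes" (or "operating systems") in the same change. The added "Some" is a useful correction, as it is consistent with the following sentence that says the code must check whether ip->ip_len actually covers the TCP checksum of the quoted packet.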
@@ -2843,7 +2843,7 @@
* UDP checksum adjustment.
*/
CALC_SUMD(sum1, sum2, sumd);
- sumd2 += sumd2;
+ sumd2 += sumd;
}
/*
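Review bot: the old line `- sumd2 += sumd2;` doubled the running delta instead of adding the UDP checksum delta just produced by `CALC_SUMD(sum1, sum2, sumd);`, so `+ sumd2 += sumd;` is the correct fix. A one-line comment above the CALC_SUMD call saying that sumd2 accumulates the transport-layer (UDP) delta on top of whatever was already in it would make a regression of this shape obvious in review. Since the surrounding comment labels this block the UDP checksum adjustment, the unreachable-message test requested at the end of the mail is the one that covers this branch.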
@@ -2870,7 +2870,7 @@
if (sumd2 != 0) {
sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);
- if (nat->nat_dir == NAT_OUTBOUND) {
+ if (nat->nat_dir == NAT_INBOUND) {
fix_outcksum(fin, &icmp->icmp_cksum, sumd2);
} else {
fix_incksum(fin, &icmp->icmp_cksum, sumd2);
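Review bot: this is the same NAT_OUTBOUND to NAT_INBOUND inversion as in the 3.4.33 hunk and needs the same explanatory comment; because the two branches differ only in whether fix_outcksum() or fix_incksum() is called, one comment above the `if` covering both is enough. While here, the two identical lines `sumd2 = (sumd2 & 0xffff) + (sumd2 >> 16);` under `if (sumd2 != 0) {` deserve a short note that the fold is applied twice on purpose to absorb the end-around carry of a 16-bit ones'-complement delta, so the repetition is not mistaken for a copy-paste error.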
Please test with redirect rules as well as unreachable messages.
Darren