On Tue, 30 Jul 2002, [EMAIL PROTECTED] wrote:
> >>
>
> >> Microsoft traceroute uses icmp whereas unix traceroute tends to use udp
>
I can't reproduce the problem with MS tracert either.
Tracing route to animal.blarg.net [206.124.128.1]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms gateway.shorewall.net [192.168.1.254]
2 22 ms 22 ms 25 ms atm02.sea.blarg.net [206.124.128.31]
3 25 ms 24 ms 26 ms animal.blarg.net [206.124.128.1]
Trace complete.
MS tracert appears to just be using ICMP echo-request (ping) packets. It
starts out with TTL=1 and increases. I've tested using both Windows XP and
Windows ME.
>
> As to making the traceroute from microsoft work, I am pretty sure it
> involves some icmp rule being added, not sure what though. But default
> bering only allows icmp type 8
Please see /etc/shorewall/icmp.def for a list of the ICMP messages passed
by the default Bering configuration. And remember that icmp.def, like
common/common.def, only gets used when the applicable policy is DROP or
REJECT. If the policy is ACCEPT, then ALL traffic is passed.
Dan -- the only thing that I can see that would cause the problem that you
are seeing is if the firewall is blocking fw->loc time exceeded ICMP
packets. The icmp.def file that I release definitely allows those through.
And since the packet is related to a loc->net "ping" request, it should be
passed unconditionally.
Here's what the tracert run above generates on the loc<->FW segment:
07:31:28.378156 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.378332 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:28.381450 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.381559 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:28.382612 192.168.1.5 > 206.124.128.1: icmp: echo request [ttl 1]
07:31:28.382718 192.168.1.254 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:29.378859 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:29.408235 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:29.409029 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:29.433342 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:29.434174 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:29.470638 206.124.128.31 > 192.168.1.5: icmp: time exceeded in-transit [tos 0xc0]
07:31:30.440366 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:30.475732 206.124.128.1 > 192.168.1.5: icmp: echo reply
07:31:30.476792 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:30.505624 206.124.128.1 > 192.168.1.5: icmp: echo reply
07:31:30.506244 192.168.1.5 > 206.124.128.1: icmp: echo request
07:31:30.534502 206.124.128.1 > 192.168.1.5: icmp: echo reply
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ [EMAIL PROTECTED]
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
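
Added example (not part of the message above and not Shorewall code): a small parser for tcpdump lines in the format of the capture in the message, pairing each echo request with the ICMP answer sent back to the prober so that hops whose "time exceeded" replies never arrive stand out. The sample capture is constructed, uses documentation addresses, and the function names are hypothetical.

```python
import re

TS = re.compile(r"\d\d:\d\d:\d\d\.\d+ ")
# Line format of the capture in the message, once wrapped lines are re-joined.
LINE = re.compile(r"(\S+) (\S+) > (\S+): icmp: "
                  r"(echo request|echo reply|time exceeded in-transit)")

def join_wrapped(capture):
    """Re-attach continuation lines ("in-transit [tos 0xc0]") to their packet line."""
    out = []
    for line in capture.strip().splitlines():
        if TS.match(line) or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def pair_probes(capture):
    """Return (request_time, responder, kind) for every echo request.
    Assumption: probes go out one at a time, as in the capture in the message,
    so a probe is unanswered (None, None) if the next request appears first."""
    events = [m.groups() for m in map(LINE.match, join_wrapped(capture)) if m]
    results = []
    for i, (ts, src, _dst, kind) in enumerate(events):
        if kind != "echo request":
            continue
        answer = (None, None)
        for _ts2, src2, dst2, kind2 in events[i + 1:]:
            if kind2 == "echo request":
                break                      # next probe sent: no answer seen
            if dst2 == src:
                answer = (src2, kind2)     # first ICMP packet back to the prober
                break
        results.append((ts, *answer))
    return results

def unanswered(capture):
    """Timestamps of probes that drew no reply (e.g. time exceeded dropped)."""
    return [ts for ts, responder, _ in pair_probes(capture) if responder is None]

# Constructed sample: the first hop stays silent, later hops answer.
SAMPLE = """\
10:00:00.000100 192.0.2.5 > 198.51.100.1: icmp: echo request [ttl 1]
10:00:04.000200 192.0.2.5 > 198.51.100.1: icmp: echo request [ttl 1]
10:00:08.000300 192.0.2.5 > 198.51.100.1: icmp: echo request
10:00:08.030400 198.51.100.31 > 192.0.2.5: icmp: time exceeded
in-transit [tos 0xc0]
10:00:09.000500 192.0.2.5 > 198.51.100.1: icmp: echo request
10:00:09.040600 198.51.100.1 > 192.0.2.5: icmp: echo reply
"""
```

Run against a capture taken on the loc<->FW segment, an empty unanswered() list matches the healthy trace in the message; probes at [ttl 1] with no responder are what a dropped fw->loc time exceeded would look like.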