On Tuesday 21 September 2004 12:10, Tibbs, Richard wrote:
> Dear list:
> I have noticed that whenever a traceroute passes through a firewall, the
> hop corresponding to the firewall always shows
> * * * request timed out.
>
> I checked with some Shorewall documentation at
> http://shorewall.net/ports.htm
> that indicates traceroute uses UDP -- a fact I was never aware of.
>
> I also saw a lot of ICMP type 11 packets being dropped from the
> shorewall logs, so I added some rules to permit them. I think the docs
> at the above link should also recommend ICMP type 11, as that is what
> finally got the timeouts above to go away. And, this without the rules
> accepting UDP.
>
> So I think the above link is in error. Unless there is a different "UDP
> traceroute" that I don't know of... ?
>
The 'traceroute' program on any *nix system. The 'tracert' thingy on
Windoze systems uses ICMP echo-request (ping).

And as for the ICMP 11, the standard samples that I release on
shorewall.net ALL allow outgoing ICMP from the firewall to ALL zones.

So the documentation on the Shorewall site is correct.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
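
An added example, not part of the original thread or of Shorewall: a Python classifier that sorts dropped-packet log lines into the traceroute traffic types discussed above (UDP probes, ICMP echo probes, ICMP type 11 replies), so you can see which rule is missing. The log lines are constructed and abbreviated, and the probe port range (base port 33434 plus about 100) is an assumption.

```python
import re
from collections import Counter

# Constructed, abbreviated netfilter LOG lines with a Shorewall-style prefix
# (MAC/TOS/ID fields omitted; addresses are documentation/private ranges).
SAMPLE_LOG = """\
Sep 21 12:01:07 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=56 TTL=250 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.0.2.1 DST=203.0.113.9 LEN=38 TTL=1 PROTO=UDP SPT=40211 DPT=33436 LEN=18 ]
Sep 21 12:01:09 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=66 TTL=52 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.1 DST=203.0.113.9 LEN=38 TTL=1 PROTO=UDP SPT=40211 DPT=33440 LEN=18 ]
Sep 21 12:02:30 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=56 TTL=250 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.0.2.1 DST=203.0.113.9 LEN=92 TTL=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=7 ]
Sep 21 12:03:02 fw kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=38 TTL=1 PROTO=UDP SPT=51000 DPT=33434 LEN=18
Sep 21 12:03:40 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.44 DST=192.0.2.1 LEN=60 TTL=49 PROTO=TCP SPT=4431 DPT=22 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")
PROBE_PORTS = range(33434, 33535)  # assumption: default base port 33434 plus ~100

def _fields(text):
    return dict(FIELD.findall(text))

def classify(line):
    """Return a traceroute-related label for one log line, or None."""
    # ICMP errors quote the offending packet in [...]; parse it separately so
    # its PROTO/DPT are not mistaken for the outer packet's.
    outer, _, quoted = line.partition("[")
    o, q = _fields(outer), _fields(quoted)
    proto = o.get("PROTO")
    if proto == "UDP" and o.get("DPT", "").isdigit() and int(o["DPT"]) in PROBE_PORTS:
        return "probe/udp"            # Unix-style traceroute probe
    if proto != "ICMP":
        return None
    if q.get("PROTO") == "UDP":
        flavour = "udp"
    elif q.get("PROTO") == "ICMP" and q.get("TYPE") == "8":
        flavour = "icmp-echo"
    else:
        flavour = "unknown"
    icmp = (o.get("TYPE"), o.get("CODE"))
    if icmp[0] == "8":
        return "probe/icmp-echo"      # Windows tracert probe
    if icmp[0] == "11":
        return "time-exceeded/" + flavour   # reply from an intermediate hop
    if icmp == ("3", "3") and flavour == "udp":
        return "port-unreachable/udp"       # final hop answering a UDP probe
    return None

def summarize(log):
    return Counter(label for label in map(classify, log.splitlines()) if label)

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {label}")
```

The quoted header inside the brackets is what tells a dropped type 11 reply to a UDP traceroute apart from one answering a tracert-style echo probe.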