Terry,

I don't have any experience with ipfwadm and, since my firewall uses
ipchains, I may be incorrect, but I'll take a stab at it.  From what you've
posted, it looks like you are allowing everything in and out on ports 25,
110, 80 and in only on 53.  Everything else would be blocked by that last
rule before accounting, including traces and pings using the first five
ports.  Perhaps throwing a rule in there to allow ports 4, 3, and other
traceroute ports for the icmp protocol would let traceroute through.  I
couldn't tell you what the other ports are.  My firewall has some variables
set as follows:

TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

and a rule allowing them out on the udp protocol.  Here is the rule:

ipchains -A output -i $EXTERNAL_INTERFACE -p udp -s $IPADD \
$TRACEROUTE_SRC_PORTS -d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT

I modified this script from one I found at http://linux-firewall-tools.com/,
so I don't really understand what this accomplishes.  I only know that it
works.  They have one there for ipfwadm also that may be a little more
helpful to you.

Good luck,
Drew

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Terry Williams
Sent: Thursday, November 16, 2000 9:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Traceroute not tracing routes


Yeah, I could see how that would be a problem, except that I didn't change
anything and it worked the night before and for the past month.  And the
machines behind it can do a traceroute fine.  I use ipfwadm; here is my
ruleset:

#==========[Flush...All My Rules]=====================#

ipfwadm -I -f
ipfwadm -F -f
ipfwadm -O -f
ipfwadm -A -f

# Masquerade everything as coming from eth0
ipfwadm -F -a masquerade -S 192.168.100.0/255.255.255.0 -D 0/0

ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.2/32 25
ipfwadm -F -a accept -b -P tcp -S 192.168.100.2/32 25 -D 0/0 1024:65535
ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.2/32 110
ipfwadm -F -a accept -b -P tcp -S 192.168.100.2/32 110 -D 0/0 1024:65535
ipfwadm -F -a accept -b -P tcp -S 0/0 1024:65535 -D 192.168.100.2 80
ipfwadm -F -a accept -b -P tcp -S 192.168.100.2 80 -D 0/0 1024:65535
ipfwadm -F -a accept -b -P udp -S 0/0 53 -D 192.168.100.0/24
ipfwadm -F -a deny -S 0/0 -D 0/0 -o

#Accounting
/sbin/ipfwadm -A -f
/sbin/ipfwadm -A out -i -S 192.168.100.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A out -i -S 0.0.0.0/0 -D 192.168.100.0/24
/sbin/ipfwadm -A in -i -S 192.168.100.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -A in -i -S 0.0.0.0/0 -D 192.168.100.0/24


----- Original Message -----
From: "Jack Bowling" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 16, 2000 10:03 AM
Subject: Re: Traceroute not tracing routes


> ** Reply to message from "Drew Hunt" <[EMAIL PROTECTED]> on Thu, 16
> Nov 2000 06:46:08 -0700
>
>
> > I'm running RH 6.2, but have the same problem.  I traced it to the
> > firewall, having pulled it down momentarily and having the traceroute work
> > perfectly.  One of the first 5 ICMP ports has to be enabled to receive
> > packets, not just responses with the !-y option, but I don't remember which
> > one.  I never did fix it myself because I figured it wasn't worth the first
> > few lines of stars for the compromised stealth.  I already know that they
> > are my firewall, the cablemodem router, and my ISPs first router
> > respectively.
>
> That would be port 0. An appropriate ipchains rule could be:
>
> ipchains -A input -i ppp0 -p icmp --dport 0 -j ACCEPT -l
>
> There may be a better way to set this up using the "--icmp-type" switch.
>
> Jack Bowling
> Prince George, BC
> mailto:[EMAIL PROTECTED]
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
>

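To make the point Drew and Jack are circling concrete, here is an added example (not code from anyone in the thread): a simplified first-match model of Terry's ipfwadm forwarding chain, run against a constructed traceroute exchange. It shows that the posted ruleset forwards the outgoing UDP probe but drops the ICMP "time exceeded" (type 11) and "port unreachable" (type 3) replies, which is exactly what produces the rows of stars, and that one accept rule per ICMP type restores them. The addresses, the `-b` reverse rules and ipfwadm's exact matching semantics are simplified assumptions for illustration; in ipfwadm and ipchains the ICMP type is written in the source-port position, which is why the thread talks about ICMP "ports".

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0    # for icmp this carries the ICMP type, as ipfwadm's -S port does
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    action: str       # "accept", "masquerade" or "deny"
    proto: str = "all"
    src: str = "0.0.0.0/0"
    sports: tuple = (0, 65535)    # inclusive port (or ICMP type) range
    dst: str = "0.0.0.0/0"
    dports: tuple = (0, 65535)

def matches(rule, pkt):
    if rule.proto not in ("all", pkt.proto):
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.sports[0] <= pkt.sport <= rule.sports[1]
            and rule.dports[0] <= pkt.dport <= rule.dports[1])

def verdict(rules, pkt):
    """First matching rule decides; a masqueraded packet is forwarded, so count it as accept."""
    for r in rules:
        if matches(r, pkt):
            return "accept" if r.action == "masquerade" else r.action
    return "deny"

LAN, MAIL = "192.168.100.0/24", "192.168.100.2/32"
POSTED = [                                   # simplified from the ruleset in the thread
    Rule("masquerade", src=LAN),
    Rule("accept", "tcp", "0.0.0.0/0", (1024, 65535), MAIL, (25, 25)),
    Rule("accept", "tcp", "0.0.0.0/0", (1024, 65535), MAIL, (110, 110)),
    Rule("accept", "tcp", "0.0.0.0/0", (1024, 65535), MAIL, (80, 80)),
    Rule("accept", "udp", "0.0.0.0/0", (53, 53), LAN),
    Rule("deny"),
]
# Same chain plus accepts for the two ICMP types a traceroute probe draws back to the LAN.
FIXED = POSTED[:-1] + [Rule("accept", "icmp", sports=(3, 3), dst=LAN),
                       Rule("accept", "icmp", sports=(11, 11), dst=LAN), POSTED[-1]]

# Constructed exchange: one UDP probe, a hop's time-exceeded, the target's port-unreachable.
PROBE = Packet("udp", "192.168.100.7", "203.0.113.9", 32800, 33434)
TTL_EXCEEDED = Packet("icmp", "198.51.100.1", "192.168.100.7", sport=11)
PORT_UNREACH = Packet("icmp", "203.0.113.9", "192.168.100.7", sport=3)

def trace_hop(rules):
    """Verdicts for (probe out, time-exceeded in, port-unreachable in)."""
    return tuple(verdict(rules, p) for p in (PROBE, TTL_EXCEEDED, PORT_UNREACH))
```

`trace_hop(POSTED)` gives `('accept', 'deny', 'deny')` and `trace_hop(FIXED)` gives `('accept', 'accept', 'accept')`; restricting the ICMP accepts to types 3 and 11 keeps the rest of the ICMP space closed, which is the narrower alternative to Jack's blanket rule.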