Hi,

Is there a good way to enable traceroutes from behind a shorewall firewall?

Thanks,
Ted Leung
On Wednesday 23 January 2002 06:00 pm, Ted Leung wrote:
> Hi,
>
> Is there a good way to enable traceroutes from behind a shorewall
> firewall?
>

If you are running traceroute from a system in zone z1 and the target of the traceroute is in zone z2 then:

ACCEPT    z1    z2    udp    traceroute

-Tom
--
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
> On Wednesday 23 January 2002 06:00 pm, Ted Leung wrote:
> > Hi,
> >
> > Is there a good way to enable traceroutes from behind a shorewall
> > firewall?
> >
>
> If you are running traceroute from a system in zone z1 and the target of the
> traceroute is in zone z2 then:
>
> ACCEPT z1 z2 udp traceroute

This doesn't work for me on Red Hat 7.1. It seems to need:

ACCEPT z1 z2 udp 33400:33599

or something thereabouts.

Paul
http://paulgear.webhop.net
On Thursday 24 January 2002 02:55 am, Paul Gear wrote:
> Tom Eastep wrote:
> > On Wednesday 23 January 2002 06:00 pm, Ted Leung wrote:
> > > Hi,
> > >
> > > Is there a good way to enable traceroutes from behind a shorewall
> > > firewall?
> >
> > If you are running traceroute from a system in zone z1 and the target of
> > the traceroute is in zone z2 then:
> >
> > ACCEPT z1 z2 udp traceroute
>
> This doesn't work for me on Red Hat 7.1. It seems to need:
> ACCEPT z1 z2 udp 33400:33599
> or something thereabouts.

Thanks, Paul..

-Tom
On Thursday 24 January 2002 02:55 am, Paul Gear wrote:
> Tom Eastep wrote:
> > On Wednesday 23 January 2002 06:00 pm, Ted Leung wrote:
> > > Hi,
> > >
> > > Is there a good way to enable traceroutes from behind a shorewall
> > > firewall?
> >
> > If you are running traceroute from a system in zone z1 and the target of
> > the traceroute is in zone z2 then:
> >
> > ACCEPT z1 z2 udp traceroute
>
> This doesn't work for me on Red Hat 7.1. It seems to need:
> ACCEPT z1 z2 udp 33400:33599
> or something thereabouts.
>

From the man page, it appears that you need to open UDP ports 33434:(33434 + number of hops - 1).

-Tom
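A small checker for the point made in this exchange, added here as an example and not code from the thread or from Shorewall: it computes the UDP range traceroute probes (base port 33434, one port per hop, so 30 hops need 33434:33463), resolves a rules-file DEST PORT field the way a name or numeric range would be resolved, and reports whether a given ACCEPT line actually covers that range. The rule format handled is only the five-column form shown in the thread, and the services table is a constructed stand-in for /etc/services.

```python
"""Does a Shorewall-style ACCEPT rule open what traceroute(8) needs?"""
import re

TRACEROUTE_BASE = 33434   # first UDP destination port traceroute probes
DEFAULT_MAX_HOPS = 30     # traceroute's default -m value

# Constructed stand-in for /etc/services. A box with no "traceroute" entry
# (the Red Hat 7.1 case in the thread) is modelled by passing an empty dict.
SERVICES = {"traceroute": 33434}


def required_range(max_hops=DEFAULT_MAX_HOPS, base=TRACEROUTE_BASE):
    """UDP ports probed: base .. base + hops - 1, one port per hop."""
    return base, base + max_hops - 1


def parse_ports(spec, services):
    """Resolve a DEST PORT field: a number, a lo:hi range, or a service name.
    A service name maps to a single port; returns None if it cannot resolve."""
    m = re.fullmatch(r"(\d+)(?::(\d+))?", spec)
    if m:
        lo = int(m.group(1))
        return lo, int(m.group(2) or lo)
    port = services.get(spec)
    return (port, port) if port is not None else None


def rule_covers(rule, src, dst, needed, services=None):
    """True if an 'ACCEPT src dst udp PORTS' line (tabs or spaces) covers
    the whole (lo, hi) range in `needed` for that zone pair."""
    services = services if services is not None else SERVICES
    fields = rule.split()
    if len(fields) < 5 or fields[0] != "ACCEPT" or fields[3].lower() != "udp":
        return False
    if (fields[1], fields[2]) != (src, dst):
        return False
    ports = parse_ports(fields[4], services)
    return ports is not None and ports[0] <= needed[0] and ports[1] >= needed[1]


if __name__ == "__main__":
    need = required_range()
    for line in ("ACCEPT\tz1\tz2\tudp\ttraceroute", "ACCEPT z1 z2 udp 33400:33599",
                 "ACCEPT z1 z2 udp 33434:33463"):
        print(f"{line!r:45} covers {need}: {rule_covers(line, 'z1', 'z2', need)}")
```

With the name unresolvable (empty services table) the first rule fails outright; with it resolvable it still opens only port 33434, so only a numeric range covers a full trace.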
I have a dumb question but I haven't been able to find the answer anywhere in the documentation.

Is it permissible/possible to add comments to the end of the lines in the configuration files, particularly the proxyarp and masq files.

--Richard
--
Richard B. Pyne
Software Engineer
ShopSite, Inc.
On Thursday 24 January 2002 01:46 pm, Richard Pyne wrote:
> I have a dumb question but I haven't been able to find the answer anywhere
> in the documentation.
>
> Is it permissible/possible to add comments to the end of the lines in the
> configuration files, particularly the proxyarp and masq files.
>

Not currently....

-Tom