Hi guys..

Trying to get traceroute out of my network from the FW as well as the network. I tried these entries, but none seems to work; can someone send me the correct entries..
Thanks

I tried each one of them one by one, and then all of them together:

ACCEPT fw net icmp time-exceeded
ACCEPT fw net icmp echo-request

ACCEPT net fw icmp time-exceeded
ACCEPT net fw icmp echo-request

ACCEPT net loc icmp time-exceeded
ACCEPT net loc icmp echo-request

Reggie
Reginald R. Richardson (27.6.2002 9:19):
> Hi guys..
>
> Trying to get traceroute out of my network from the FW as well as the
> network, tried these entries, but none seems to work, can someone send
> me the correct entries..
> Thanks

Maybe U should use the -I switch in your traceroute command to use ICMP instead of UDP, because the default is UDP.

man traceroute
...
-I    Use ICMP ECHO instead of UDP datagrams.
...

TimeLord

> I tried each one of them one by one, and then all of them together
>
> ACCEPT fw net icmp time-exceeded
> ACCEPT fw net icmp echo-request
>
> ACCEPT net fw icmp time-exceeded
> ACCEPT net fw icmp echo-request
>
> ACCEPT net loc icmp time-exceeded
> ACCEPT net loc icmp echo-request
>
>
> Reggie
On Thu, 27 Jun 2002, Reginald R. Richardson wrote:

> Hi guys..
>
> Trying to get traceroute out of my network from the FW as well as the
> network, tried these entries, but none seems to work, can someone send
> me the correct entries..
> Thanks
>
> I tried each one of them one by one, and then all of them together
>
> ACCEPT fw net icmp time-exceeded

Traceroute uses UDP, not ICMP. See http://www.shorewall.net/ports.htm. Something like the following should work:

ACCEPT fw net udp 33434:33453 # Traceroute for a max of 20 hops

BTW: Entering "traceroute" in the search window on the Shorewall home page sends you right to this information.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
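To make the difference between the two replies concrete, here is a small added model (not code from the thread or from the Shorewall project) that parses the rule lines posted above and checks which traceroute probes a firewall built from them would accept. It assumes the classic UDP traceroute behaviour (first destination port 33434, incremented by one for every probe, three probes per hop by default), a stateful firewall in which the returning ICMP time-exceeded or port-unreachable message is related to the accepted outbound probe and needs no rule of its own, and a simplified Shorewall rule syntax of ACTION SOURCE DEST PROTO followed by either a port range or an ICMP type. It goes beyond the single rule in the thread by computing the port range needed for any hop and probe count.

```python
"""Model of how Shorewall-style rules interact with traceroute probes.
Added example; assumptions (classic port-per-probe traceroute, stateful
firewall, simplified rule syntax) are noted in the comments."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

BASE_PORT = 33434  # first destination port of classic UDP traceroute (assumption: classic scheme)


@dataclass
class Rule:
    action: str
    src: str
    dst: str
    proto: str
    ports: Optional[range] = None      # TCP/UDP destination port range, None = any
    icmp_type: Optional[str] = None    # ICMP type name such as "echo-request", None = any


def parse_rule(line: str) -> Rule:
    """Parse one rule line: ACTION SOURCE DEST PROTO [PORT(S) | ICMP-TYPE]; '#' starts a comment."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 4:
        raise ValueError(f"need ACTION SOURCE DEST PROTO: {line!r}")
    action, src, dst, proto = fields[:4]
    rule = Rule(action.upper(), src, dst, proto.lower())
    if len(fields) > 4:
        if rule.proto == "icmp":
            rule.icmp_type = fields[4].lower()
        else:
            lo, _, hi = fields[4].partition(":")   # "33434:33453" or a single port
            rule.ports = range(int(lo), int(hi or lo) + 1)
    return rule


def udp_probes(max_hops: int, nprobes: int = 3) -> Iterator[Tuple[int, int]]:
    """Yield (ttl, dport) for every probe; the port grows by one per probe (classic scheme)."""
    port = BASE_PORT
    for ttl in range(1, max_hops + 1):
        for _ in range(nprobes):
            yield ttl, port
            port += 1


def udp_port_range(max_hops: int, nprobes: int = 3) -> str:
    """DEST PORT(S) string that covers every probe of a traceroute with the given limits."""
    return f"{BASE_PORT}:{BASE_PORT + max_hops * nprobes - 1}"


def verdict(rules: List[Rule], src: str, dst: str, proto: str,
            port: Optional[int] = None, icmp_type: Optional[str] = None,
            policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the zone policy (assumed DROP) applies."""
    for r in rules:
        if (r.src, r.dst, r.proto) != (src, dst, proto):
            continue
        if r.ports is not None and port not in r.ports:
            continue
        if r.icmp_type is not None and icmp_type != r.icmp_type:
            continue
        return r.action
    return policy


def simulate_traceroute(rules: List[Rule], src: str, dst: str, max_hops: int,
                        nprobes: int = 3, icmp_mode: bool = False) -> Tuple[int, List[int]]:
    """Return (accepted probe count, list of TTLs for which no probe got out).

    Only the outbound direction is checked: the ICMP reply to an accepted probe
    is treated as RELATED by the stateful firewall (assumption) and needs no rule.
    """
    accepted, reached = 0, set()
    for ttl, port in udp_probes(max_hops, nprobes):
        if icmp_mode:  # traceroute -I sends ICMP echo-request instead of UDP
            v = verdict(rules, src, dst, "icmp", icmp_type="echo-request")
        else:
            v = verdict(rules, src, dst, "udp", port=port)
        if v == "ACCEPT":
            accepted += 1
            reached.add(ttl)
    return accepted, [ttl for ttl in range(1, max_hops + 1) if ttl not in reached]


# Constructed inputs: the ICMP rules from the question and the UDP rule from the reply.
POSTER_RULES = [parse_rule(l) for l in (
    "ACCEPT fw net icmp time-exceeded",
    "ACCEPT fw net icmp echo-request",
    "ACCEPT net fw icmp time-exceeded",
    "ACCEPT net fw icmp echo-request",
)]
TOM_RULE = [parse_rule("ACCEPT fw net udp 33434:33453 # Traceroute for a max of 20 hops")]

if __name__ == "__main__":
    print("ICMP-only rules, UDP traceroute:", simulate_traceroute(POSTER_RULES, "fw", "net", 20))
    print("ICMP-only rules, traceroute -I: ", simulate_traceroute(POSTER_RULES, "fw", "net", 20, icmp_mode=True))
    print("UDP rule, UDP traceroute:        ", simulate_traceroute(TOM_RULE, "fw", "net", 20))
    print("range for 20 hops x 3 probes:    ", udp_port_range(20))
```

Running it shows the three outcomes side by side: with only ICMP rules no UDP probe leaves the fw zone, the same rules do pass every probe once traceroute is switched to ICMP echo with -I, and the UDP rule passes exactly the 20 ports it names, so udp_port_range tells you how far a range reaches for a given hop limit and probe count.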