Andreas Bittner
2002-Aug-25 09:59 UTC
[Shorewall-users] problems with traceroute from fw to inet...
Hello all,

I constantly get this error, and have found no hints about it anywhere when searching Usenet:

traceroute to www.shorewall.net (206.124.146.177), 30 hops max, 40 byte packets
 1 sendto: Operation not permitted
traceroute: wrote www.shorewall.net 40 chars, ret=-1
 193.159.175.67 0 ms sendto: Operation not permitted
traceroute: wrote www.shorewall.net 40 chars, ret=-1
 0 ms sendto: Operation not permitted
traceroute: wrote www.shorewall.net 40 chars, ret=-1
 0 ms

How come? I have the ACCEPT $FW net icmp echo-request in my rules file... Any clues?

Thanks, Andy
Reginald R. Richardson
2002-Aug-25 10:17 UTC
[Shorewall-users] problems with traceroute from fw to inet...
Haha... I had the same problem. Thanks to Tom, I got the solution.

Simple: traceroute in Linux doesn't use ICMP, it uses UDP. Here's the config for making traceroute work in LEAF:

# Firewall to Internet
ACCEPT fw net udp 33434:33500

# Internet to Firewall
ACCEPT net fw udp 33434:33500

This will allow for 65 hops or replies from traceroute. Traceroute in Linux uses UDP port 33434 and up.

It worked for me, I do hope it does the same for you.

-----Original Message-----
From: Andreas Bittner [mailto:bittner@rz.fh-heilbronn.de]
Sent: Sunday, August 25, 2002 12:00
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] problems with traceroute from fw to inet...

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
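The size of the UDP port range in a rule like the one above decides how far a trace can get, because classic UDP traceroute (the behaviour the reply describes: probes start at destination port 33434 and go up) increments the destination port by one for every probe it sends, with several probes per hop. The script below is an added example, not code from the mailing-list post or from the Shorewall project: it computes the destination port of each probe, the range a full trace needs, how many hops a given range such as 33434:33500 actually covers, and emits a matching rules-file line in the ACTION SOURCE DEST PROTO DEST PORT(S) column layout the post uses. The per-probe port increment, the default of 3 probes per hop and 30 hops, and the `$FW`/`net` zone names are assumptions stated in the comments. The return traffic for a UDP probe is an ICMP time-exceeded or port-unreachable message, so it is the fw-to-net range that limits the trace, not the net-to-fw one.

```python
# Added example (not from the mailing-list post): size a Shorewall rule for
# the UDP probes a traceroute run from the firewall will send.
# Assumptions: classic UDP traceroute behaviour, i.e. the destination port
# starts at 33434 and is incremented by one for every probe sent, with
# `nprobes` probes per hop (defaults of 3 probes and 30 hops assumed);
# zone names $FW and net as in the post.
from typing import Tuple

TRACEROUTE_BASE_PORT = 33434  # default UDP traceroute base port (assumed)


def probe_port(hop: int, probe: int, nprobes: int = 3,
               base: int = TRACEROUTE_BASE_PORT) -> int:
    """UDP destination port of probe number `probe` (0-based) sent at `hop` (1-based)."""
    if hop < 1 or not 0 <= probe < nprobes:
        raise ValueError("hop must be >= 1 and 0 <= probe < nprobes")
    return base + (hop - 1) * nprobes + probe


def port_range(max_hops: int = 30, nprobes: int = 3,
               base: int = TRACEROUTE_BASE_PORT) -> Tuple[int, int]:
    """First and last destination port a full trace of `max_hops` hops will use."""
    return base, probe_port(max_hops, nprobes - 1, nprobes, base)


def hops_covered(first: int, last: int, nprobes: int = 3,
                 base: int = TRACEROUTE_BASE_PORT) -> int:
    """Complete hops a trace can reach before its probes fall outside first:last.

    A range that does not even include the base port covers nothing, since
    the very first probe is already dropped.
    """
    if first > base or last < base:
        return 0
    return (last - base + 1) // nprobes


def shorewall_rule(max_hops: int = 30, nprobes: int = 3,
                   base: int = TRACEROUTE_BASE_PORT) -> str:
    """Shorewall rules-file line (ACTION SOURCE DEST PROTO DEST PORT(S)) that
    lets the firewall itself send every probe of a full trace."""
    first, last = port_range(max_hops, nprobes, base)
    return f"ACCEPT\t$FW\tnet\tudp\t{first}:{last}"


def is_probe_port(dport: int, max_hops: int = 30, nprobes: int = 3,
                  base: int = TRACEROUTE_BASE_PORT) -> bool:
    """True when a UDP destination port could belong to a probe of such a trace
    (useful when reading firewall logs for dropped traceroute traffic)."""
    first, last = port_range(max_hops, nprobes, base)
    return first <= dport <= last


if __name__ == "__main__":
    print(shorewall_rule())                 # rule for a default 30-hop, 3-probe trace
    print(hops_covered(33434, 33500))       # hops the range from the post covers
    print(is_probe_port(33524))             # one past the end of a 30-hop trace
```

Under these assumptions `hops_covered(33434, 33500)` is 22 and a full 30-hop trace needs 33434:33523, so a rule can be sized from `shorewall_rule()` rather than guessed; if your traceroute uses a different base port (the `-p` option) or probe count, pass them in.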
Andreas Bittner
2002-Aug-25 10:50 UTC
[Shorewall-users] problems with traceroute from fw to inet...
Hello there,

Yes, I just found out that there are some different traceroute implementations out there in the various Linux distros. Debian still uses ICMP, and you can force it to use ICMP, whereas my SuSE only supports UDP trace.

If my traceroute had -I (ICMP) then I could have used that switch to make it work, but this way I had to add those UDP ports to the rules file.

Thanks again, Andy

----- Original Message -----
From: "Reginald R. Richardson" <whiz.kid@tyarosh.homeip.net>
To: "Andreas Bittner" <bittner@rz.fh-heilbronn.de>; <shorewall-users@shorewall.net>
Sent: Sunday, August 25, 2002 12:17 PM
Subject: RE: [Shorewall-users] problems with traceroute from fw to inet...