hello all,

i am still experiencing problems with traceroute. i have allowed udp ports those with 3xxxx for udp traceroute with the suse 8 distro.

this is what i get when traceroute hits firewalls where normally the stars/timeout gets displayed:

 4 so-2-0-0.asbnva1-hcr1.bbnplanet.net (4.25.153.49) 120 ms 120 ms 120 ms
 5 so-6-0-0.washdc3-nbr1.bbnplanet.net (4.24.11.249) 121 ms 121 ms 121 ms
 6 so-7-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.30) 121 ms 121 ms 121 ms
 7 p9-0.phlapa1-br2.bbnplanet.net (4.24.10.186) 117 ms 117 ms 117 ms
 8 p15-0.phlapa1-br1.bbnplanet.net (4.24.10.89) 117 ms 117 ms 117 ms
 9 p2-0.iplvin1-br2.bbnplanet.net (4.24.10.182) 133 ms 132 ms 132 ms
10 p15-0.iplvin1-br1.bbnplanet.net (4.24.10.153) 133 ms 132 ms 133 ms
11 so-6-0-0.chcgil2-br1.bbnplanet.net (4.24.9.57) 142 ms 135 ms 136 ms
12 so-7-0-0.chcgil2-br2.bbnplanet.net (4.24.5.218) 147 ms 135 ms 141 ms
13 so-1-0-0.dnvtco1-br2.bbnplanet.net (4.24.9.62) 163 ms 163 ms 163 ms
14 so-7-0-0.dnvtco1-br1.bbnplanet.net (4.24.11.37) 163 ms 163 ms 163 ms
15 so-1-0-0.sttlwa2-br2.bbnplanet.net (4.24.11.233) 189 ms 188 ms 188 ms
16 so-0-0-0.sttlwa1-hcr2.bbnplanet.net (4.24.11.214) 189 ms 188 ms 189 ms
17 p1-0.sttlwa1-cr2.bbnplanet.net (4.24.10.241) 189 mssendto: Operation not permitted
traceroute: wrote www.microsoft.akadns.net 40 chars, ret=-1
 hades-vt.local (212.184.24.27) 0 mssendto: Operation not permitted
traceroute: wrote www.microsoft.akadns.net 40 chars, ret=-1
 0 ms
.....

any ideas?

thanks,
andy
Andreas Bittner schrieb:

> hello all,
>
> i am still experiencing problems with traceroute. i have allowed udp ports those with 3xxxx for udp traceroute with the suse 8 distro.
>
> this is what i get when traceroute hits firewalls where normally the stars/timeout gets displayed:
>
>  4 so-2-0-0.asbnva1-hcr1.bbnplanet.net (4.25.153.49) 120 ms 120 ms 120 ms
>  5 so-6-0-0.washdc3-nbr1.bbnplanet.net (4.24.11.249) 121 ms 121 ms 121 ms
>  6 so-7-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.30) 121 ms 121 ms 121 ms
>  7 p9-0.phlapa1-br2.bbnplanet.net (4.24.10.186) 117 ms 117 ms 117 ms
>  8 p15-0.phlapa1-br1.bbnplanet.net (4.24.10.89) 117 ms 117 ms 117 ms
>  9 p2-0.iplvin1-br2.bbnplanet.net (4.24.10.182) 133 ms 132 ms 132 ms
> 10 p15-0.iplvin1-br1.bbnplanet.net (4.24.10.153) 133 ms 132 ms 133 ms
> 11 so-6-0-0.chcgil2-br1.bbnplanet.net (4.24.9.57) 142 ms 135 ms 136 ms
> 12 so-7-0-0.chcgil2-br2.bbnplanet.net (4.24.5.218) 147 ms 135 ms 141 ms
> 13 so-1-0-0.dnvtco1-br2.bbnplanet.net (4.24.9.62) 163 ms 163 ms 163 ms
> 14 so-7-0-0.dnvtco1-br1.bbnplanet.net (4.24.11.37) 163 ms 163 ms 163 ms
> 15 so-1-0-0.sttlwa2-br2.bbnplanet.net (4.24.11.233) 189 ms 188 ms 188 ms
> 16 so-0-0-0.sttlwa1-hcr2.bbnplanet.net (4.24.11.214) 189 ms 188 ms 189 ms
> 17 p1-0.sttlwa1-cr2.bbnplanet.net (4.24.10.241) 189 mssendto: Operation not permitted
> traceroute: wrote www.microsoft.akadns.net 40 chars, ret=-1
>  hades-vt.local (212.184.24.27) 0 mssendto: Operation not permitted
> traceroute: wrote www.microsoft.akadns.net 40 chars, ret=-1
>  0 ms
>
> .....
>
> any ideas?

Isn't it the difference between DROP and REJECT? You'll see stars when the other end DROPS; when they REJECT, you get 'mssendto: Operation not permitted'.

Sorry if I'm completely wrong here...

Simon

> thanks,
> andy
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
I'm wondering something about traceroute under iptables: why is iptables not stealthy?

I'm explaining: when I do a traceroute from an outside box to a box in the DMZ, going through the Linux Shorewall box, I get something like this:

traceroute to 195.132.1.10 (195.132.1.10), 30 hops max, 38 byte packets
 1 212.9.8.4 4.091 ms 1.901 ms 1.837 ms
 2 * * * (private ip address)
 3 * * * (private ip address)
 4 212.9.8.3 3.681 ms 2.750 ms 2.368 ms
 5 212.9.8.2 3.270 ms 2.494 ms 2.781 ms
 6 212.15.8.4 4.903 ms 2.641 ms 5.930 ms
 7 212.15.8.17 10.607 ms 6.941 ms 7.950 ms
 8 * * *
 9 195.132.1.10 15.554 ms 20.250 ms 18.130 ms

You see hop 8? This is the firewall, so I know there is something between 212.15.8.17 and my box in the DMZ, 195.132.1.1.

We have a Cisco PIX, and when I do the same thing to a box behind the PIX:

traceroute to 195.132.1.1 (195.132.1.1), 30 hops max, 38 byte packets
 1 212.9.8.4 2.426 ms 1.791 ms 1.839 ms
 2 * * *
 3 * * *
 4 212.9.8.3 3.059 ms 6.042 ms 2.590 ms
 5 212.9.8.2 5.475 ms 5.245 ms 3.595 ms
 6 212.15.8.4 3.426 ms 4.186 ms 3.431 ms
 7 212.15.8.17 9.051 ms 6.489 ms 7.901 ms
 8 195.132.1.1 12.401 ms 20.877 ms 19.113 ms

You see between 7 and 8? It seems there's nothing, but there's a Cisco PIX firewall.

So I'm wondering if we can make Shorewall stealthy, or is it a limitation of iptables?

Thanks for any clue,
Jerome Tytgat
On Tuesday 27 August 2002 12:58 am, Jerome Tytgat wrote:

> I'm wondering something about traceroute under iptables:
>
> So I'm wondering if we can make Shorewall stealthy, or is it a
> limitation of iptables?

There's no way that I can see to do this with iptables.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Andreas:

What is the range of ports that you opened? I think you're running out of ports to use; you need to have the highest port one greater than the maximum number of hops to the target. I.e.: 25 hops to the target, then you should have ports 33434 to 33460 (33434+26) open. Looks to me like you have 33434-33450 (33434+16) open.

Hope it helps...

Jerry Vonau

-----Original Message-----
From: Andreas Bittner [SMTP:bittner@rz.fh-heilbronn.de]
Sent: Monday, August 26, 2002 02:37 PM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] traceroute woes...

hello all,

i am still experiencing problems with traceroute. i have allowed udp ports those with 3xxxx for udp traceroute with the suse 8 distro.

this is what i get when traceroute hits firewalls where normally the stars/timeout gets displayed:

 4 so-2-0-0.asbnva1-hcr1.bbnplanet.net (4.25.153.49) 120 ms 120 ms 120 ms
 5 so-6-0-0.washdc3-nbr1.bbnplanet.net (4.24.11.249) 121 ms 121 ms 121 ms
 6 so-7-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.30) 121 ms 121 ms 121 ms
 7 p9-0.phlapa1-br2.bbnplanet.net (4.24.10.186) 117 ms 117 ms 117 ms
 8 p15-0.phlapa1-br1.bbnplanet.net (4.24.10.89) 117 ms 117 ms 117 ms
 9 p2-0.iplvin1-br2.bbnplanet.net (4.24.10.182) 133 ms 132 ms 132 ms
10 p15-0.iplvin1-br1.bbnplanet.net (4.24.10.153) 133 ms 132 ms 133 ms
11 so-6-0-0.chcgil2-br1.bbnplanet.net (4.24.9.57) 142 ms 135 ms 136 ms
12 so-7-0-0.chcgil2-br2.bbnplanet.net (4.24.5.218) 147 ms 135 ms 141 ms
13 so-1-0-0.dnvtco1-br2.bbnplanet.net (4.24.9.62) 163 ms 163 ms 163 ms
14 so-7-0-0.dnvtco1-br1.bbnplanet.net (4.24.11.37) 163 ms 163 ms 163 ms
15 so-1-0-0.sttlwa2-br2.bbnplanet.net (4.24.11.233) 189 ms 188 ms 188 ms
16 so-0-0-0.sttlwa1-hcr2.bbnplanet.net (4.24.11.214) 189 ms 188 ms 189 ms
17 p1-0.sttlwa1-cr2.bbnplanet.net (4.24.10.241) 189 mssendto: Operation not permitted
traceroute: wrote www.microsoft.akadns.net 40 chars, ret=-1
 hades-vt.local (212.184.24.27) 0 mssendto: Operation not permitted
traceroute: wrote www.microsoft.akadns.net 40 chars, ret=-1
 0 ms
.....

any ideas?

thanks,
andy
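Added example for the port-range point above (not code from Shorewall or from anyone in this thread): it works out which outbound UDP ports a traceroute run needs and which probe in the posted output hit the local sendto error. It assumes the classic traceroute default of one destination port per probe, three probes per hop, starting at 33434, so hop N probe P uses 33434 + (N-1)*3 + (P-1); the sample is an excerpt of the output posted in the thread.

```python
import re

# Classic traceroute defaults (assumption for this example): first probe to
# UDP 33434, destination port incremented once per probe, 3 probes per hop.
BASE_PORT = 33434
PROBES_PER_HOP = 3

RESULT = re.compile(r"\d+(?:\.\d+)? ms|\*")   # one answered or timed-out probe
HOP_LINE = re.compile(r"^\s*(\d+)\s")          # line that starts a new hop

def probe_port(hop, probe, base=BASE_PORT, nprobes=PROBES_PER_HOP):
    """UDP destination port of probe `probe` (1-based) at hop `hop`."""
    return base + (hop - 1) * nprobes + (probe - 1)

def required_range(max_hops, base=BASE_PORT, nprobes=PROBES_PER_HOP):
    """Inclusive UDP port range the firewall must allow out for `max_hops` hops."""
    return base, probe_port(max_hops, nprobes, base, nprobes)

def max_covered_hops(high_port, base=BASE_PORT, nprobes=PROBES_PER_HOP):
    """Hops whose probes are all covered when only base..high_port is allowed."""
    return (high_port - base + 1) // nprobes

def first_blocked_probe(output):
    """Scan traceroute output for the first probe that died with a local
    'sendto:' error; return (hop, probe, port) or None if none did."""
    hop = None
    done = 0                          # probes already finished at this hop
    for line in output.splitlines():
        m = HOP_LINE.match(line)
        if m:                         # new hop: reset the per-hop counter
            hop, done = int(m.group(1)), 0
        before_err, err, _ = line.partition("sendto:")
        done += len(RESULT.findall(before_err))
        if err and hop is not None:   # the next probe is the one that failed
            return hop, done + 1, probe_port(hop, done + 1)
    return None

# Excerpt of the output posted in this thread (hops 15-17 only).
SAMPLE = """\
15 so-1-0-0.sttlwa2-br2.bbnplanet.net (4.24.11.233) 189 ms 188 ms 188 ms
16 so-0-0-0.sttlwa1-hcr2.bbnplanet.net (4.24.11.214) 189 ms 188 ms 189 ms
17 p1-0.sttlwa1-cr2.bbnplanet.net (4.24.10.241) 189 mssendto: Operation not permitted
traceroute: wrote www.microsoft.akadns.net 40 chars, ret=-1
"""
```

Under that per-probe assumption, `required_range(30)` gives the range a 30-hop default run needs, and `first_blocked_probe(SAMPLE)` shows that the second probe of hop 17 is the one the local firewall refused.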