How do I allow traceroute to reach my server? Pings work fine but traceroute stops at the last hop before my server. If I shut off the firewall it reaches it fine.

PING danicar.net (24.222.246.120): 56 data bytes
64 bytes from 24.222.246.120: icmp_seq=0 ttl=237 time=104.0 ms
64 bytes from 24.222.246.120: icmp_seq=1 ttl=237 time=74.9 ms
64 bytes from 24.222.246.120: icmp_seq=2 ttl=237 time=90.6 ms

--- danicar.net ping statistics ---
4 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 74.9/89.8/104.0 ms

root@jabber:/home/jgofton# traceroute danicar.net
traceroute to danicar.net (24.222.246.120), 30 hops max, 38 byte packets
 1  halifax-cr-gw1.infointeractive.com (10.142.0.254)  1.195 ms  1.120 ms  1.046 ms
 2  bis-i002.mtt.net (207.34.24.1)  2.181 ms  1.902 ms  1.863 ms
 3  142.177.141.121 (142.177.141.121)  2.979 ms  3.979 ms  2.794 ms
 4  142.166.182.130 (142.166.182.130)  5.875 ms  4.464 ms  3.062 ms
 5  alnb-cr01-pos4-0.aliant.ca (142.166.181.1)  9.208 ms  7.972 ms  7.960 ms
 6  dis11-montreal02-pos1-0.in.bellnexxia.net (206.108.111.165)  27.128 ms  23.892 ms  23.672 ms
 7  core3-montreal02-pos6-1.in.bellnexxia.net (206.108.99.165)  24.272 ms  24.047 ms  23.855 ms
 8  bx2-montreal02-pos5-0.in.bellnexxia.net (206.108.107.58)  24.065 ms  24.082 ms  23.938 ms
 9  if-8-0.core2.Montreal.Teleglobe.net (207.45.204.45)  24.131 ms  28.688 ms  23.979 ms
10  if-5-0.core1.Montreal.Teleglobe.net (64.86.81.161)  31.982 ms  32.135 ms  31.871 ms
11  if-2-0.core2.NewYork.Teleglobe.net (64.86.83.226)  31.661 ms  35.130 ms  31.761 ms
12  if-4-0.bb8.NewYork.Teleglobe.net (66.110.8.130)  31.131 ms  31.034 ms  31.048 ms
13  ix-8-0-1.bb8.NewYork.Teleglobe.net (207.45.198.74)  31.546 ms  33.218 ms  31.736 ms
14  0.so-6-1-0.XL1.NYC9.ALTER.NET (152.63.22.226)  31.961 ms  31.568 ms  31.547 ms
15  0.so-4-0-0.TL1.NYC9.ALTER.NET (152.63.0.173)  31.841 ms  32.723 ms  31.477 ms
16  0.so-7-0-0.TL1.MTL1.ALTER.NET (152.63.0.89)  39.409 ms  39.510 ms  39.462 ms
17  0.so-7-0-0.XL1.MTL1.ALTER.NET (152.63.133.65)  39.581 ms  39.574 ms  39.477 ms
18  0.so-3-0-0.XR1.MTL1.ALTER.NET (152.63.133.46)  43.298 ms  43.748 ms  39.476 ms
19  193.ATM7-0.GW2.HFX1.ALTER.NET (152.63.132.153)  58.029 ms  60.289 ms  58.171 ms
20  205.150.223.94 (205.150.223.94)  66.658 ms  67.030 ms  66.618 ms
21  vl153.hlfx-dr1.eastlink.ca (24.222.79.206)  61.555 ms  61.469 ms  61.548 ms
22  fe0-0.hlfx-ubr7.eastlink.ca (24.222.79.217)  67.113 ms  68.142 ms  67.055 ms
23  * * IT JUST HANGS HERE TILL IT TIMES OUT.
root@jabber:/home/jgofton#
Hi, I think the ICMP protocol is blocked in some way :-)

Check http://www.shorewall.net/Documentation.htm -> In /etc/shorewall/interfaces:

noping - ICMP echo-request (ping) packets addressed to the firewall will be ignored by this interface.
filterping - ICMP echo-request (ping) packets addressed to the firewall will be handled according to the /etc/shorewall/rules and /etc/shorewall/policy file

And http://www.shorewall.net/Documentation.htm -> /etc/shorewall/shorewall.conf:

ALLOWRELATED - If you specify ALLOWRELATED=No, you will need to include rules in /etc/shorewall/icmpdef to handle common ICMP packet types.

Then eventually take a look at http://www.shorewall.net/shorewall_extension_scripts.htm

Niels.

-----Original Message-----
From: Joe Gofton [mailto:jgofton@danicar.net]
Sent: 10 September 2002 15:44
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] Traceroute

How do I allow traceroute to reach my server? Pings work fine but traceroute stops at the last hop before my server. If I shut off the firewall it reaches it fine.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
There may be some special shorewall command or flag in interfaces to permit this, but the basic means to allow traceroute is to add the following rule:

ACCEPT net fw udp 33434-33600

While Windows tracert uses ICMP, Unix traceroute uses a different UDP port depending on the TTL of each hop. See http://www.robertgraham.com/pubs/firewall-seen.html#traceroute for more information. Allowing this range of UDP ports should permit traceroutes to your machine.

~Jonathan

--On Tuesday, September 10, 2002 4:19 PM +0200 niels@wxn.nl wrote:

> Hi, I think the ICMP protocol is blocked in some way :-)
>
> check http://www.shorewall.net/Documentation.htm -> In
> /etc/shorewall/interfaces:
>
> noping - ICMP echo-request (ping) packets addressed to the firewall will
> be ignored by this interface.
> filterping - ICMP echo-request (ping) packets addressed to the firewall
> will be handled according to the /etc/shorewall/rules and
> /etc/shorewall/policy file
>
> And http://www.shorewall.net/Documentation.htm ->
> /etc/shorewall/shorewall.conf:
>
> ALLOWRELATED If you specify ALLOWRELATED=No, you will need to include
> rules in /etc/shorewall/icmpdef to handle common ICMP packet types.
>
> Then eventually take a look at
> http://www.shorewall.net/shorewall_extension_scripts.htm
>
> Niels.
>
> -----Original Message-----
> From: Joe Gofton [mailto:jgofton@danicar.net]
> Sent: 10 September 2002 15:44
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Traceroute
>
> How do I allow traceroute to reach my server? Pings work fine but
> traceroute stops at the last hop before my server. If I shut off the
> firewall it reaches it fine.
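The two replies above describe two different probe mechanisms: Niels's ICMP (ping) settings govern a Windows tracert, while Jonathan's UDP port range governs a Unix traceroute, whose probes only produce the final-hop answer (an ICMP Port Unreachable from the server itself) if the firewall lets the UDP probe reach the server's IP stack. The following Python model is an added example written for this thread; it is not code from the thread, from Shorewall, or from traceroute. It parses the five-column rule form Jonathan gives (ACTION SOURCE DEST PROTO DPORT, with the ICMP type in the port column for ICMP rules, as Shorewall uses), works out which hops would answer under a given rule set, and checks that a port range covers every probe of a default 30-hop, three-probe traceroute. The exact port formula (base port plus one increment per probe sent) is an assumption: real implementations differ by an offset of one or so, which is why a range wider than the strict minimum is used in practice.

```python
"""Why a Unix traceroute shows every hop up to the one before a firewalled
host and then nothing but '*', and what a UDP port range rule changes.

Added example for the Shorewall-users thread; not code from the thread,
Shorewall or traceroute. Sample rules and hop numbers are constructed.
"""

TRACEROUTE_BASE_PORT = 33434   # default starting UDP port of Unix traceroute
PROBES_PER_HOP = 3             # traceroute's default of three probes per TTL


def probe_port(hop, probe, base=TRACEROUTE_BASE_PORT, probes_per_hop=PROBES_PER_HOP):
    """Destination UDP port of a probe (hop and probe are 1-based).
    Assumption: one port increment per probe sent, starting at the base port."""
    return base + (hop - 1) * probes_per_hop + (probe - 1)


def required_port_range(max_hops=30, probes_per_hop=PROBES_PER_HOP, base=TRACEROUTE_BASE_PORT):
    """Smallest UDP port range covering every probe of a default traceroute."""
    return base, base + max_hops * probes_per_hop - 1


def parse_shorewall_rule(line):
    """Parse 'ACTION SOURCE DEST PROTO DPORT', e.g. 'ACCEPT net fw udp 33434-33600'.
    DPORT may be one port, a range 'lo-hi', or a comma-separated list; for
    ICMP rules the same column carries the ICMP type (e.g. 8 = echo-request)."""
    action, source, dest, proto, dport = line.split()
    ports = []
    for item in dport.split(","):
        lo, _, hi = item.partition("-")
        ports.append((int(lo), int(hi or lo)))
    return {"action": action.upper(), "source": source, "dest": dest,
            "proto": proto.lower(), "ports": ports}


def rule_covers_range(rule, lo, hi):
    """True if one of the rule's port entries contains the whole range lo..hi."""
    return any(rlo <= lo and hi <= rhi for rlo, rhi in rule["ports"])


def firewall_decision(rules, source, dest, proto, value, policy="DROP"):
    """First matching rule wins, otherwise the zone policy applies.
    'value' is the UDP destination port or, for ICMP, the ICMP type."""
    for rule in rules:
        if (rule["source"], rule["dest"], rule["proto"]) != (source, dest, proto):
            continue
        if any(lo <= value <= hi for lo, hi in rule["ports"]):
            return rule["action"]
    return policy


def simulate_traceroute(rules, host_hop, probe_kind="udp", max_hops=30):
    """One entry per hop: 'router' (ICMP Time Exceeded from an intermediate
    router, which the host's firewall cannot affect), 'host' (the final reply:
    ICMP Port Unreachable for UDP probes, echo reply for ICMP probes) or '*'
    (probe dropped by the firewall, so nothing answers and traceroute keeps
    raising the TTL until max_hops)."""
    results = []
    for hop in range(1, max_hops + 1):
        if hop < host_hop:
            results.append("router")
            continue
        if probe_kind == "udp":      # Unix traceroute: UDP probe to a high port
            verdict = firewall_decision(rules, "net", "fw", "udp", probe_port(hop, 1))
        else:                        # Windows tracert: ICMP echo-request (type 8)
            verdict = firewall_decision(rules, "net", "fw", "icmp", 8)
        if verdict == "ACCEPT":
            results.append("host")
            break
        results.append("*")
    return results


def demo():
    """Constructed scenario: the server is hop 23, as in the thread's output."""
    udp_rule = parse_shorewall_rule("ACCEPT net fw udp 33434-33600")
    ping_rule = parse_shorewall_rule("ACCEPT net fw icmp 8")
    return {
        "no_rules_udp": simulate_traceroute([], host_hop=23),
        "udp_rule_udp": simulate_traceroute([udp_rule], host_hop=23),
        "ping_only_udp": simulate_traceroute([ping_rule], host_hop=23),
        "ping_only_icmp": simulate_traceroute([ping_rule], host_hop=23, probe_kind="icmp"),
        "range_ok": rule_covers_range(udp_rule, *required_port_range()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model makes the thread's diagnosis concrete: with only a ping rule, an ICMP-based tracert completes at hop 23 while a UDP-based traceroute reports '*' from hop 23 to 30, exactly the "hangs here till it times out" symptom. Opening 33434-33600/udp to the firewall itself is low exposure (nothing normally listens there, and the only effect is the ICMP Port Unreachable reply), but the rule should stay confined to that range rather than being widened to all UDP.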