I'm not on the list :)

Hello all,

There seems to be a minor problem on this traceroute Allow action.

ACCEPT - - icmp 11

The ICMP port is 11 and not 8.

Please check. I'm on version 2.0.2d and the problem is still happening.

Thank you,
Chan Min Wai
Chan Min Wai wrote:
> I'm not on the list :)
>
> Hello all,
>
> There seems to be a minor problem on this traceroute Allow action.
>
> ACCEPT - - icmp 11
>
> The ICMP port is 11 and not 8.
>
> Please check. I'm on version 2.0.2d and the problem is still happening.

The ICMP port *is 8* and that is what it should be. If you are seeing ICMP 11's then you have a different problem. ICMP type 11 is used to report error conditions and can be returned *in response to* an ICMP 8. Normally, Netfilter properly associates the 11s with the outgoing 8 and, because of the ESTABLISHED,RELATED rules that Shorewall creates, the 11s are passed back to the client.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
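Tom's point above (the outgoing type 8 is what the rule must allow; the type 11 "time exceeded" replies come back as RELATED traffic because each one quotes the original probe) can be shown with a small model of that association. The following is an added illustration, not code from the thread or from Shorewall/Netfilter: it builds a constructed traceroute probe (ICMP echo request, TTL 1) from a LAN client, builds the type 11 error a hop router would send back quoting that probe, and runs both through a deliberately simplified tracker that mimics how the Netfilter ICMP connection tracker looks at the quoted inner header to classify the error as RELATED. Addresses, identifiers and the `ConntrackLite` class are assumptions made for the demo; checksums are computed but not verified on receipt.

```python
"""Model of why ICMP type 11 replies need no explicit ACCEPT rule (constructed example)."""
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def echo_request(src: str, dst: str, ident: int, seq: int, ttl: int) -> bytes:
    """ICMP type 8 (echo request) probe, as traceroute -I would send with a small TTL."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"traceroute"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, 1, len(icmp), ttl) + icmp


def time_exceeded(router: str, dst: str, original: bytes) -> bytes:
    """ICMP type 11 code 0 from a hop router; quotes the original IP header + 8 payload bytes."""
    quoted = original[:28]
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, dst, 1, len(icmp), 64) + icmp


def parse(packet: bytes):
    """Split an IPv4 packet into (src, dst, protocol, transport payload)."""
    ihl = (packet[0] & 0x0F) * 4
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:])


class ConntrackLite:
    """Simplified stand-in (assumption) for the Netfilter ICMP conntrack logic."""

    def __init__(self):
        self.echo = set()  # (src, dst, ident) of echo requests seen going out

    def outbound(self, packet: bytes) -> str:
        src, dst, proto, icmp = parse(packet)
        if proto == 1 and icmp[0] == 8:  # remember the outgoing type 8
            self.echo.add((src, dst, struct.unpack("!H", icmp[4:6])[0]))
        return "NEW"  # this is the packet the ACCEPT ... icmp 8 rule must match

    def inbound(self, packet: bytes) -> str:
        src, dst, proto, icmp = parse(packet)
        if proto != 1:
            return "NEW"
        if icmp[0] == 0:  # echo reply: reverse tuple of a tracked request
            ident = struct.unpack("!H", icmp[4:6])[0]
            return "ESTABLISHED" if (dst, src, ident) in self.echo else "INVALID"
        if icmp[0] in (3, 11, 12):  # error messages carry the offending packet inside
            quoted = icmp[8:]
            if len(quoted) >= 28:
                q_src, q_dst, q_proto, q_icmp = parse(quoted)
                if q_proto == 1 and q_icmp[0] == 8:
                    ident = struct.unpack("!H", q_icmp[4:6])[0]
                    if (q_src, q_dst, ident) in self.echo:
                        return "RELATED"  # matched by the ESTABLISHED,RELATED rule
            return "INVALID"
        return "NEW"


def traceroute_hop_verdicts():
    """Probe from the LAN client, type 11 from the first hop, and a stray type 11."""
    ct = ConntrackLite()
    client, target, router = "192.168.1.10", "198.51.100.7", "203.0.113.1"  # constructed
    probe = echo_request(client, target, ident=0x1234, seq=1, ttl=1)
    out = ct.outbound(probe)
    back = ct.inbound(time_exceeded(router, client, probe))
    # A type 11 quoting a probe that never left is not RELATED to anything.
    stray = ct.inbound(time_exceeded(router, client, echo_request(client, target, 0x9999, 1, 1)))
    return out, back, stray


if __name__ == "__main__":
    print(traceroute_hop_verdicts())
```

The verdicts are `NEW` for the probe (hence the need for the type 8 rule), `RELATED` for the hop's reply, and `INVALID` for an error quoting no tracked probe; a firewall whose tracker behaves this way never needs an explicit type 11 rule from the firewall back to the LAN.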
Tom Eastep wrote:
> Chan Min Wai wrote:
>
>> I'm not on the list :)
>>
>> Hello all,
>>
>> There seems to be a minor problem on this traceroute Allow action.
>> ACCEPT - - icmp 11
>>
>> The ICMP port is 11 and not 8.
>> Please check. I'm on version 2.0.2d and the problem is still happening.
>>
>
> The ICMP port *is 8* and that is what it should be. If you are seeing
> ICMP 11's then you have a different problem. ICMP type 11 is used to
> report error conditions and can be returned *in response to* an ICMP 8.
> Normally, Netfilter properly associates the 11s with the outgoing 8 and
> because of the ESTABLISHED,RELATED rules that Shorewall creates the 11s
> are passed back to the client.
>
> -Tom

Sorry, it is not port 8 but type 8, and so the 11 means type 11, which is required for traceroute. But this is a traceroute function, right, so type 11 should have been open.

I've changed this to type 11 and then in the rules stated

AllowTracert fw loc

Only then is there no error when I'm doing a traceroute behind my router box, which is protected by iptables using Shorewall v2.0.2f. I'm not too sure what is wrong. But there is no way I can get

ACCEPT - - icmp 8

to work anyhow, but I do get

ACCEPT - - icmp 11

to work.

I'm still blur, but my problem is that I can run traceroute behind the router if it is 8, so give me an idea on how I should do that with the "type 8" configuration.

Or am I really doing it the wrong way.

Thank you,
Chan Min Wai
Chan Min Wai wrote:
>
> I'm still blur, but my problem is that I can run traceroute behind the
> router if it is 8, so give me an idea on how I should do that with the
> "type 8" configuration.
>
> Or am I really doing it the wrong way.

With the "8" rule, what Shorewall messages do you see when you try using traceroute?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Chan Min Wai wrote:
>
> I've changed this to type 11 and then in the rules stated
>
> AllowTracert fw loc

So in other words, you are having to manually enable ICMP type 11s from the firewall back to your local network. This is a total misuse of the AllowTracert action, which should be used from the client zone to the destination zone.

What version of the kernel are you running on the firewall? I suspect that it is broken.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Chan Min Wai wrote:
>
>>
>> I've changed this to type 11 and then in the rules stated
>>
>> AllowTracert fw loc
>>
>
> So in other words, you are having to manually enable ICMP type 11s from
> the firewall back to your local network. This is a total misuse of the
> AllowTracert action, which should be used from the client zone to the
> destination zone.
>
> What version of the kernel are you running on the firewall? I suspect
> that it is broken.

I'm running Shorewall 2.0.2f with Fedora Core 2 (kernel version should be 2.6.x).

Thank you

>
> -Tom
Chan Min Wai wrote:
>
> I'm running Shorewall 2.0.2f with Fedora Core 2 (kernel version
> should be 2.6.x).

I would work around this problem with this rule:

ACCEPT fw loc icmp

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net