Andreas Bittner
2004-Jul-27 12:24 UTC
icmp traceroute from dmz behind proxy-arp - icmp code 11 ?
Hello there,

I'm running a 3-interface setup: inet, dmz, loc. I have some public IP addresses. One public address is the router of the provider, the second one is the Linux box running Shorewall. All other public interfaces are on the dmz NIC with proxy-arp.

Now whenever I do a traceroute (the dmz boxes are Windows, ICMP traceroute), the very first hop gets timeout/stars, then the router of the provider follows as second hop and everything else after that is OK. When I do a second traceroute directly after that, this doesn't happen, but the dmz IP address of the Linux Shorewall box appears just fine as the first hop... When I wait some minutes and try again, it starts all over again with the timeouts....

For example a traceroute to www.heise.de from the dmz box, Shorewall logs:

Jul 27 14:10:12 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2 SRC=10.168.10.254 DST=dmzboxip LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=14795 PROTO=ICMP TYPE=11 CODE=0 [SRC=dmzboxip DST=193.99.144.71 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51734 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=16111 ]
Jul 27 14:10:15 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2 SRC=10.168.10.254 DST=dmzboxip LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=14796 PROTO=ICMP TYPE=11 CODE=0 [SRC=dmzboxip DST=193.99.144.71 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51743 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=16367 ]
Jul 27 14:10:19 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2 SRC=10.168.10.254 DST=dmzboxip LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=14797 PROTO=ICMP TYPE=11 CODE=0 [SRC=dmzboxip DST=193.99.144.71 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51753 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=16623 ]

10.168.10.254 is the NIC of the Linux Shorewall box that connects to the dmz zone.

I was wondering what this ICMP type 11 is exactly for, and what this additional information in the brackets is for exactly? Is that the proxy-arp translation or something like that... Why does the normal ICMP type 8 become type 11 and so forth....

I added the following rule to the rules file:

ACCEPT $FW dmz icmp 11

which fixes this error for now, but I am wondering if this is the right way to do it.

Running shorewall-2.0.2-0RC1.

Thanks,
andy
Tom Eastep
2004-Jul-27 14:24 UTC
Re: icmp traceroute from dmz behind proxy-arp - icmp code 11 ?
Andreas Bittner wrote:

> ...connects to the dmz zone.
>
> i was wondering what this icmp type 11 is exactly for, and what this
> additional information in the brackets is for exactly? is that the proxy
> arp translation or something like that... why does the normal icmp type
> 8 become type 11 and so forth....

See FAQ 21 for an example of ICMP 11.

> i added the following rule to the rules file:
>
> ACCEPT $FW dmz icmp 11
>
> which fixes this error for now, but i am wondering if this is the right
> way to do it.

Yes -- Netfilter *should* classify these packets as RELATED (and I believe it does in the related kernels) but you can work around the problem using rules of the type you show.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
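The log lines above show the point Tom makes: the outer packet is an ICMP type 11 (time exceeded) sent by the firewall, and the bracketed part is the header of the original datagram it quotes, here the DMZ host's echo request (type 8) that arrived with TTL=1, which is what the first traceroute probe looks like. Netfilter decides RELATED by looking up that quoted datagram in its connection table. The following Python script is an added example, not code from the thread or from Shorewall: it parses Shorewall/netfilter log lines of this shape, pulls out the outer and quoted ICMP fields, and applies a simplified model of the conntrack ICMP-error lookup (the set of error types and the tuple match are assumptions about netfilter's behaviour, not copied from kernel source). The sample log lines and the conntrack entry are constructed; 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for the poster's "dmzboxip" and a second target, and the third line quotes a probe the firewall never tracked to show the negative case.

```python
"""Decode Shorewall/netfilter log lines for ICMP error messages and model how
conntrack decides whether such an error is RELATED to a tracked flow."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded"}
# ICMP types that quote the offending datagram. Assumption (simplified model of
# nf_conntrack): only these can be classified RELATED via the quoted header.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Constructed sample lines in the format the thread shows. 192.0.2.10 stands in
# for "dmzboxip"; the third line quotes an echo the firewall never tracked.
SAMPLE_LOG = """\
Jul 27 14:10:12 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2 SRC=10.168.10.254 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=14795 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.0.2.10 DST=193.99.144.71 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51734 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=16111 ]
Jul 27 14:10:15 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2 SRC=10.168.10.254 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=14796 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.0.2.10 DST=193.99.144.71 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51743 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=16367 ]
Jul 27 14:10:19 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2 SRC=10.168.10.254 DST=192.0.2.10 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=14797 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.0.2.10 DST=198.51.100.7 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51753 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=16623 ]
"""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ttl: int
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    icmp_id: Optional[int] = None      # echo identifier, not the IP ID
    icmp_seq: Optional[int] = None
    inner: Optional[Packet] = None     # datagram quoted by an ICMP error


LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):"
                    r"(?P<outer>[^\[]*)(?:\[(?P<inner>[^\]]*)\])?")


def _packet(text: str) -> Packet:
    """Build a Packet from KEY=VALUE tokens. Order matters: for an ICMP echo
    both the IP identification and the echo identifier are logged as ID=."""
    pairs = re.findall(r"(\w+)=(\S*)", text)
    first: dict = {}
    for key, val in pairs:
        first.setdefault(key, val)           # first ID= is the IP identification
    pkt = Packet(first["SRC"], first["DST"], first.get("PROTO", "?"), int(first["TTL"]))
    keys = [k for k, _ in pairs]
    if pkt.proto == "ICMP" and "CODE" in keys:
        pkt.icmp_type, pkt.icmp_code = int(first["TYPE"]), int(first["CODE"])
        tail = dict(pairs[keys.index("CODE") + 1:])   # tokens after CODE=: echo ID/SEQ
        pkt.icmp_id = int(tail["ID"]) if "ID" in tail else None
        pkt.icmp_seq = int(tail["SEQ"]) if "SEQ" in tail else None
    return pkt


def parse_log_line(line: str) -> tuple[str, str, Packet]:
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError(f"not a Shorewall log line: {line!r}")
    outer = _packet(m["outer"])
    if m["inner"]:
        outer.inner = _packet(m["inner"])
    return m["chain"], m["action"], outer


def classify_error(pkt: Packet, conntrack: set) -> str:
    """RELATED if the quoted datagram matches a tracked flow in either
    direction, INVALID otherwise (the fate of a stray ICMP error)."""
    if pkt.proto != "ICMP" or pkt.icmp_type not in ICMP_ERROR_TYPES:
        return "NOT-AN-ERROR"
    if pkt.inner is None:
        return "INVALID"
    q = pkt.inner
    original = (q.src, q.dst, q.proto, q.icmp_id)
    reply = (q.dst, q.src, q.proto, q.icmp_id)
    return "RELATED" if original in conntrack or reply in conntrack else "INVALID"


def analyze(log_text: str, conntrack: set) -> list[dict]:
    out = []
    for line in log_text.splitlines():
        chain, action, pkt = parse_log_line(line)
        verdict = classify_error(pkt, conntrack)
        q = pkt.inner
        quoted = ("no quoted datagram" if q is None else
                  f"{ICMP_TYPES.get(q.icmp_type, q.icmp_type)} {q.src}->{q.dst} "
                  f"ttl={q.ttl} id={q.icmp_id} seq={q.icmp_seq}")
        summary = (f"{action} in {chain}: {ICMP_TYPES.get(pkt.icmp_type, pkt.icmp_type)}"
                   f"/{pkt.icmp_code} from {pkt.src} quoting {quoted}: {verdict}")
        out.append({"chain": chain, "action": action, "outer": pkt,
                    "verdict": verdict, "summary": summary})
    return out


# Constructed conntrack state: the TTL=1 echo request the DMZ host sent
# (echo identifier 512), i.e. the first probe of a Windows tracert.
CONNTRACK = {("192.0.2.10", "193.99.144.71", "ICMP", 512)}

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG, CONNTRACK):
        print(r["summary"])
```

Running it prints one summary per line: the first two errors quote an echo request the table knows about and come out RELATED, which is what a conntrack-aware ruleset would accept without a special rule; the third quotes an untracked probe and comes out INVALID, which is the case the explicit `ACCEPT $FW dmz icmp 11` rule would also let through, so the workaround is broader than the RELATED match it stands in for.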
Tom Eastep
2004-Jul-27 14:28 UTC
Re: icmp traceroute from dmz behind proxy-arp - icmp code 11 ?
Tom Eastep wrote:

> Andreas Bittner wrote:
>
>> ...connects to the dmz zone.
>>
>> i was wondering what this icmp type 11 is exactly for, and what this
>> additional information in the brackets is for exactly? is that the proxy
>> arp translation or something like that... why does the normal icmp type
>> 8 become type 11 and so forth....
>
> See FAQ 21 for an example of ICMP 11.
>
>> i added the following rule to the rules file:
>>
>> ACCEPT $FW dmz icmp 11
>>
>> which fixes this error for now, but i am wondering if this is the right
>> way to do it.
>
> Yes -- Netfilter *should* classify these packets as RELATED (and I
> believe it does in the related kernels) but you can work around the
> problem using rules of the type you show.

Duh -- proofread twice and post once, Tom. I meant to write "...does in the latest kernels".

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net