Shorewall users - Jul 2004 - icmp traceroute from dmz behind proxy-arp - icmp code 11 ?

hello there,

im running a 3interface inet, dmz, loc. i have some public ip addresses.
one public address is the router of the provider, the second one is the
linux box running shorewall. all other public interfaces are on the dmz
nic with proxy-arp.

now whenever i do a traceroute (the dmz boxes are windows, icmp
traceroute) the very first hop gets timeout/stars, then the router of
the provider follows as second hop and everything else after that is ok.

when i do a second traceroute directly after that, this doesnt happen,
but the dmz ip address of the linux shorewall box appears just fine as
the first hop...

when i wait some minutes and try again, it starts all over again with
the timeouts....

for example a traceroute to www.heise.de from the dmz box:
shorewall logs:

Jul 27 14:10:12 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2
SRC=10.168.10.254 DST=dmzboxip LEN=120 TOS=0x00 PREC=0xC0 TTL=64
ID=14795 PROTO=ICMP TYPE=11 CODE=0 [SRC=dmzboxip DST=193.99.144.71
LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51734 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=16111 ]
Jul 27 14:10:15 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2
SRC=10.168.10.254 DST=dmzboxip LEN=120 TOS=0x00 PREC=0xC0 TTL=64
ID=14796 PROTO=ICMP TYPE=11 CODE=0 [SRC=dmzboxip DST=193.99.144.71
LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51743 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=16367 ]
Jul 27 14:10:19 fw01 kernel: Shorewall:all2all:REJECT:IN= OUT=eth2
SRC=10.168.10.254 DST=dmzboxip LEN=120 TOS=0x00 PREC=0xC0 TTL=64
ID=14797 PROTO=ICMP TYPE=11 CODE=0 [SRC=dmzboxip DST=193.99.144.71
LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=51753 PROTO=ICMP TYPE=8 CODE=0 ID=512
SEQ=16623 ]


10.168.10.254 is the nic of the linux shorewall box that connects to the
dmz zone.

i was wondering what this icmp type 11 is exactly for, and what this
additional information in the brackets is for exactly? is that the proxy
arp translation or something like that... why does the normal icmp type
8 become type 11 and so forth....

i added the following rule to the rules file:

ACCEPT $FW dmz icmp 11

which fixes this error for now, but i am wondering if this is the right
way to do it.

running shorewall-2.0.2-0RC1

thanks,
andy

Andreas Bittner wrote:
onnects to the
> dmz zone.
> 
> i was wondering what this icmp type 11 is exactly for, and what this
> additional information in the brackets is for exactly? is that the proxy
> arp translation or something like that... why does the normal icmp type
> 8 become type 11 and so forth....
See FAQ 21 for an example of ICMP 11.
> 
> i added the following rule to the rules file:
> 
> ACCEPT $FW dmz icmp 11
> 
> which fixes this error for now, but i am wondering if this is the right
> way to do it.
Yes -- Netfilter *should* classify these packets as RELATED (and I 
believe it does in the related kernels) but you can work around the 
problem using rules of the type you show.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote:
> Andreas Bittner wrote:
> onnects to the
> 
>> dmz zone.
>>
>> i was wondering what this icmp type 11 is exactly for, and what this
>> additional information in the brackets is for exactly? is that the
proxy
>> arp translation or something like that... why does the normal icmp type
>> 8 become type 11 and so forth....
> 
> 
> See FAQ 21 for an example of ICMP 11.
> 
>>
>> i added the following rule to the rules file:
>>
>> ACCEPT $FW dmz icmp 11
>>
>> which fixes this error for now, but i am wondering if this is the right
>> way to do it.
> 
> 
> Yes -- Netfilter *should* classify these packets as RELATED (and I 
> believe it does in the related kernels) but you can work around the 
> problem using rules of the type you show.
Duh -- proofread twice and post once, Tom. I meant to write "...does in 
the latest kernels"

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net