[Firehol-support] firehol vs traceroute
Eric Sorenson
eric at explosive.net
Tue Aug 3 19:00:08 BST 2004
Hi, I'm trying to enable traceroute to and through a firehol router (2.4.26).
I wasn't able to find any past discussion about this on the list, so maybe
it works for other people and there's something I'm doing wrong, but I can't
figure out what it is.
Here's the relevant part of the config:
## BEGIN abbreviated firehol.conf
server_trt_ports="udp/33434:33523"
client_trt_ports="default"

snat to ${l3_ip} \
    outface ${l3_int}

interface "${i_int}" inside
    server "trt icmp" accept
    client all accept

interface $l3_int l3-dmz src not "${UNROUTABLE_IPS}"
    protection all
    server "trt icmp" accept
    client all accept

router i-l3 inface ${i_int} outface ${l3_int}
    route all accept
## END abbreviated firehol.conf
Traceroute *to* it works, but *through* it shows just '* * *'
for the firehol hop, and the following log message is generated:
Aug 3 10:29:33 firehol kernel: OUT-inside:IN= OUT=eth1 SRC={inside ip} DST={my ip} LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=31965 PROTO=ICMP TYPE=11 CODE=0 [SRC={my ip} DST={tracert dst} LEN=38 TOS=0x00 PREC=0x00 TTL=1 ID=26442 PROTO=UDP SPT=34507 DPT=33444 LEN=18 ]
So firehol is denying the outbound ICMP time exceeded message
which the router's kernel is generating in response to the
traceroute probe. As I understand it, netfilter's state
module knows about traceroute and will permit the responses
if there's a RELATED directive that it can match up.
And indeed, although there is a RELATED in the chain with this
log directive (out_inside), its packet count doesn't increment
as I try these traceroutes, nor does changing the rule in
out_inside_icmp_s1 from ESTABLISHED to ESTABLISHED,RELATED
make it work. So these packets are not getting associated
with the inbound UDP probes that cause them. Any ideas?
--
Eric Sorenson - EXPLOSIVE Networking - http://explosive.net
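The log line above quotes, in brackets, the header of the original UDP probe that triggered the ICMP time-exceeded message; that quoted header is exactly what netfilter's conntrack uses to tie the ICMP error back to the tracked UDP flow and mark it RELATED. The following script is an added example (not code from the post or from the FireHOL project) that parses a netfilter LOG line into outer and inner headers and performs the same association against a table of previously seen probe flows. The addresses are documentation-range values substituted for the "{my ip}" / "{inside ip}" / "{tracert dst}" placeholders in the post, and the flow table is constructed by hand.

```python
"""Parse a netfilter LOG line for an ICMP error and check whether the quoted
inner datagram matches a known UDP traceroute flow, which is the lookup
conntrack performs before it will classify the ICMP error as RELATED."""
import re
from typing import Dict, Optional, Set, Tuple

# key=value tokens as written by the netfilter LOG target (IN= may be empty)
_KV = re.compile(r"(\w+)=(\S*)")

# Classic UDP traceroute destination port range (also used in the post's config)
TRACEROUTE_PORTS = (33434, 33523)

FlowKey = Tuple[str, str, str, str, str]  # (src, dst, proto, sport, dport)


def parse_log_line(line: str) -> Tuple[Dict[str, str], Optional[Dict[str, str]]]:
    """Split a LOG line into its outer header fields and, when present, the
    inner header that an ICMP error quotes inside square brackets."""
    inner = None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = dict(_KV.findall(m.group(1)))
        line = line[:m.start()] + line[m.end():]
    outer = dict(_KV.findall(line))
    return outer, inner


def is_traceroute_reply(outer: Dict[str, str], inner: Optional[Dict[str, str]],
                        ports: Tuple[int, int] = TRACEROUTE_PORTS) -> bool:
    """True for an ICMP time-exceeded (type 11) that quotes a UDP probe aimed
    at the traceroute port range, i.e. a router answering an expired probe."""
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "11":
        return False
    if not inner or inner.get("PROTO") != "UDP" or "DPT" not in inner:
        return False
    lo, hi = ports
    return lo <= int(inner["DPT"]) <= hi


def related_to_flow(inner: Dict[str, str], flows: Set[FlowKey]) -> bool:
    """Mimic conntrack's ICMP-error handling: the quoted inner header must
    match a tracked flow in its original direction to be RELATED."""
    key = (inner.get("SRC", ""), inner.get("DST", ""), inner.get("PROTO", ""),
           inner.get("SPT", ""), inner.get("DPT", ""))
    return key in flows


def analyse(line: str, flows: Set[FlowKey]) -> Dict[str, object]:
    """Summarise one LOG line: is it a traceroute reply, and would conntrack
    have been able to associate it with a tracked probe flow?"""
    outer, inner = parse_log_line(line)
    return {
        "traceroute_reply": is_traceroute_reply(outer, inner),
        "matches_tracked_flow": inner is not None and related_to_flow(inner, flows),
        "quoted_probe_ttl": inner.get("TTL") if inner else None,
    }


# Constructed sample: the post's log line with documentation addresses in
# place of its "{inside ip}", "{my ip}" and "{tracert dst}" placeholders.
SAMPLE = ("Aug 3 10:29:33 firehol kernel: OUT-inside:IN= OUT=eth1 SRC=192.0.2.1 "
          "DST=192.0.2.50 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=31965 PROTO=ICMP "
          "TYPE=11 CODE=0 [SRC=192.0.2.50 DST=198.51.100.7 LEN=38 TOS=0x00 "
          "PREC=0x00 TTL=1 ID=26442 PROTO=UDP SPT=34507 DPT=33444 LEN=18 ]")

# Constructed conntrack-style table of UDP probe flows seen entering the router.
SEEN_FLOWS: Set[FlowKey] = {("192.0.2.50", "198.51.100.7", "UDP", "34507", "33444")}

if __name__ == "__main__":
    print(analyse(SAMPLE, SEEN_FLOWS))
```

Running `analyse` with the probe flow present reports the ICMP message as a traceroute reply that matches a tracked flow, which is the state in which a RELATED rule should accept it; running it with an empty flow table shows the other case, where the quoted header matches nothing conntrack knows about and the error can only be matched by an explicit ICMP rule.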