[Firehol-support] firehol vs traceroute

Costa Tsaousis costa at tsaousis.gr
Tue Aug 3 21:35:52 BST 2004


Hi Eric,

Could you please check that your case is not included in this:

http://sourceforge.net/tracker/index.php?func=detail&aid=927509&group_id=58425&atid=487692

I had the same problem myself, and since I fixed the described issue,
traceroute works perfectly. What bothers me, is that you have a log about
it - in the problem reported above there was no log. Check it please and
let me know.

Thanks

Costa


> Hi, I'm trying to enable traceroute to and through a firehol router
> (2.4.26).
> I wasn't able to find any past discussion about this on the list, so maybe
> it works for other people and there's something I'm doing wrong, but I
> can't
> figure out what it is.
>
> Here's the relevant part of the config:
>
> ## BEGIN abbreviated firehol.conf
> server_trt_ports="udp/33434:33523"
> client_trt_ports="default"
>
> snat to ${l3_ip} \
>         outface ${l3_int}
>
> interface "${i_int}" inside
>     server "trt icmp" accept
>     client all accept
>
> interface $l3_int l3-dmz src not "${UNROUTABLE_IPS}"
>     protection all
>     server "trt icmp" accept
>     client all accept
>
> router i-l3 inface ${i_int} outface ${l3_int}
>     route all accept
> ## END abbreviated firehol.conf
>
> Traceroute *to* works, but *through* it shows just a '* * *'
> for the firehol hop, and the following log message is generated:
>
> Aug  3 10:29:33 firehol kernel: OUT-inside:IN= OUT=eth1 SRC={inside ip}
> DST={my ip} LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=31965 PROTO=ICMP TYPE=11
> CODE=0 [SRC={my ip} DST={tracert dst} LEN=38 TOS=0x00 PREC=0x00 TTL=1
> ID=26442 PROTO=UDP SPT=34507 DPT=33444 LEN=18 ]
>
> So firehol is denying the outbound ICMP time exceeded message
> which the router's kernel is generating in response to the
> traceroute probe.  As I understand it, netfilter's state
> module knows about traceroute and will permit the responses
> if there's a RELATED directive that it can match up.
>
> And indeed, although there is a RELATED in the chain with this
> log directive (out_inside), its packet count doesn't increment
> as I try these traceroutes, nor does changing the rule in
> out_inside_icmp_s1 from ESTABLISHED to ESTABLISHED,RELATED
> make it work.  So these packets are not getting associated
> with the inbound UDP probes that cause them.  Any ideas?
> --
>
>     Eric Sorenson - EXPLOSIVE Networking - http://explosive.net
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by OSTG. Have you noticed the changes on
> Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now,
> one more big change to announce. We are now OSTG- Open Source Technology
> Group. Come see the changes on the new OSTG site. www.ostg.com
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>






More information about the Firehol-support mailing list