Traceroute

Anders Fugmann email hidden
Mon Sep 29 13:25:06 CEST 2003


What are the OUTPUT rules in zone int?
It seems that your firewall is not allowed to send ICMP responses to 
your machine on the internal network.

Try adding the following OUTPUT rules to zone.int:

OUTPUT[n]="ACCEPT ICMP ALL 0.0.0.0/0=>0.0.0.0/0"

Regards
Anders Fugmann


Thomas Bange wrote:
> Hello!
> 
> I am using fiaif 1.17.1 and want to be able to use traceroute from inside to
> outside, but not to be traced from outside to inside. At the moment it doesn't
> work either way.
> 
> I have two zones: INT(ernal) and EXT(ernal).
> 
> In the INT zone I have this as a FORWARD rule:
> INT ACCEPT udp 33434:33464 NET_DMZ=>0.0.0.0/0
> In the EXT zone I have this as a FORWARD rule:
> INT ACCEPT udp 33434:33464 NET_DMZ=>0.0.0.0/0
> 
> (where NET_DMZ is my network connected to the INT zone)
> 
> When I try to trace from inside out I get these message logged:
> 
> Sep 29 12:06:02 gw kernel: [FIAIF_DROP]:IN= OUT=eth1 SRC=xxx.xxx.52.153
> DST=xxx.xxx.52.156 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=29590 PROTO=ICMP
> TYPE=11 CODE=0 [SRC=xxx.xxx.52.156 DST=xxx.xxx.22.29 LEN=38 TOS=0x00
> PREC=0x00 TTL=1 ID=61765 PROTO=UDP SPT=61764 DPT=33435 LEN=18 ]
> 
> eth1 is the internal interface, connected to the NET_DMZ net.
> I tried to trace from xxx.xxx.52.156 to some host outside (xxx.xxx.22.29)
> through the firewall (xxx.xxx.52.153).
> 
> How do I configure fiaif to make this work?
> 
> Regards,
> Tom
> _______________________________________________
> fiaif mailing list
> fiaif at fiaif.net
> https://www.fiaif.net/mailman/listinfo/fiaif
> 
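What the logged line actually says, worked out in code. This is an added example and not part of the thread or of fiaif itself: a small Python parser for netfilter LOG lines of the kind fiaif writes with its [FIAIF_DROP] prefix. It separates the outer ICMP packet from the bracketed inner header the kernel appends for ICMP errors, infers the chain that dropped the packet from the IN=/OUT= interfaces (no IN= means the firewall generated the packet itself, so the OUTPUT chain), recognises a TTL-exceeded reply to a UDP traceroute probe, and suggests the plain iptables rule that would accept it. The first sample is the poster's line rejoined onto one line; the second (an inbound probe dropped in FORWARD), the port range and all function names are my own constructions and assumptions.

```python
import re

# Constructed sample input: the [FIAIF_DROP] line quoted in the thread, re-joined onto one
# line as the kernel emits it (addresses stay anonymised as "xxx.xxx", like the post).
SAMPLE_LOG = (
    "Sep 29 12:06:02 gw kernel: [FIAIF_DROP]:IN= OUT=eth1 SRC=xxx.xxx.52.153 "
    "DST=xxx.xxx.52.156 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=29590 PROTO=ICMP "
    "TYPE=11 CODE=0 [SRC=xxx.xxx.52.156 DST=xxx.xxx.22.29 LEN=38 TOS=0x00 "
    "PREC=0x00 TTL=1 ID=61765 PROTO=UDP SPT=61764 DPT=33435 LEN=18 ]"
)

# Constructed (hypothetical) second sample: a traceroute probe arriving from outside and
# being dropped in FORWARD, i.e. the direction the poster wants to keep blocked.
INBOUND_PROBE_LOG = (
    "Sep 29 12:10:00 gw kernel: [FIAIF_DROP]:IN=eth0 OUT=eth1 SRC=xxx.xxx.22.29 "
    "DST=xxx.xxx.52.156 LEN=38 TOS=0x00 PREC=0x00 TTL=3 ID=4242 PROTO=UDP "
    "SPT=40000 DPT=33436 LEN=18"
)

# Assumption: classic UDP traceroute walks destination ports upward from 33434, one per
# probe, so about 100 ports covers any realistic hop count (the poster's 33434:33464 is narrower).
TRACEROUTE_PORTS = range(33434, 33534 + 1)


def parse_fields(text):
    """Turn 'K=V K=V ...' netfilter fields into a dict; a bare 'IN=' yields an empty string."""
    fields = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_netfilter_log(line):
    """Split a netfilter LOG line into (log prefix, outer packet fields, inner packet fields).

    For ICMP errors the kernel appends the header of the packet that triggered the error
    in square brackets; that part is returned separately (None when absent).
    """
    m = re.search(r"\bIN=", line)
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    head, body = line[: m.start()], line[m.start():]
    prefix = head.split("kernel:", 1)[-1].strip().strip("[]: ")
    inner = None
    im = re.search(r"\[(?P<inner>[^\]]*)\]\s*$", body)
    if im:
        inner = parse_fields(im.group("inner"))
        body = body[: im.start()]
    return prefix, parse_fields(body), inner


def infer_chain(outer):
    """Locally generated packets have no IN (OUTPUT); packets for the box have no OUT (INPUT);
    routed packets carry both (FORWARD)."""
    has_in, has_out = bool(outer.get("IN")), bool(outer.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    if has_out:
        return "OUTPUT"
    return "INPUT" if has_in else "UNKNOWN"


def iface_match(chain, outer):
    """The iptables interface match that corresponds to the logged interfaces."""
    return "-i " + outer["IN"] if chain == "INPUT" else "-o " + outer["OUT"]


def explain_drop(line):
    """Describe a dropped packet; for traceroute-related ICMP also return a rule that accepts it."""
    prefix, outer, inner = parse_netfilter_log(line)
    chain = infer_chain(outer)
    result = {"prefix": prefix, "chain": chain, "proto": outer.get("PROTO"),
              "icmp_type": outer.get("TYPE"), "icmp_code": outer.get("CODE"),
              "kind": "other", "fix": None}
    if outer.get("PROTO") != "ICMP" or inner is None:
        return result
    is_probe = inner.get("PROTO") == "UDP" and int(inner.get("DPT", 0)) in TRACEROUTE_PORTS
    if not is_probe:
        return result
    icmp = (outer.get("TYPE"), outer.get("CODE"))
    if icmp == ("11", "0"):            # time exceeded: an intermediate hop answering a probe
        result["kind"], icmp_name = "traceroute-ttl-exceeded", "time-exceeded"
    elif icmp == ("3", "3"):           # port unreachable: the final destination answering
        result["kind"], icmp_name = "traceroute-port-unreachable", "port-unreachable"
    else:
        return result
    # The inner SRC is the traceroute client; the ICMP error must be allowed back to it.
    result["client"] = inner.get("SRC")
    result["fix"] = "iptables -A %s %s -p icmp --icmp-type %s -j ACCEPT" % (
        chain, iface_match(chain, outer), icmp_name)
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, INBOUND_PROBE_LOG):
        print(explain_drop(sample))
```

For the poster's line this yields chain OUTPUT, kind traceroute-ttl-exceeded and the rule `iptables -A OUTPUT -o eth1 -p icmp --icmp-type time-exceeded -j ACCEPT`, which is the raw netfilter form of the OUTPUT rule suggested above, narrowed to the one ICMP type and the internal interface rather than all of ICMP; restricting the destination to the internal network is a sensible further tightening. The inbound probe is classified as a plain UDP drop in FORWARD with no suggested fix, which is exactly the direction the poster wants to keep blocked. Note that the port-unreachable reply from the final destination arrives from outside and crosses FORWARD, not OUTPUT, so it needs its own accept there (or a RELATED-state match) in addition to the FORWARD rule for the outgoing UDP probes.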