>> involves some icmp rule being added, not sure what though. But default
>> Bering only allows icmp type 8 in which is the echo request icmp
>> packet. Just testing by allowing all icmp in should confirm my suspicion
>> that it is an icmp related issue. Close it up afterwards again.
>
>Why, is there a specific danger to allowing ICMP packets from your internal
>network to the firewall box?

There are some hacks based on ICMP, like the ICMP redirect message. So is there a specific danger to allow this from your internal network? I don't know; it depends on how much you trust the people on your internal network, I suppose.

>> I will try and network monitor a Microsoft traceroute and come back with
>> a better filtered solution.
>
>That'd be great...

I have done a network monitor of a traceroute session, and traceroute uses identical packets as ping does, just with shorter TTL. Traceroute in MS is based on the fact that if the TTL becomes 0, the router that drops the packet because of this sends you a "time to live exceeded in transmit" back. (This message contains the router's IP address.) MS traceroute sends 3 of these packages to every hop. So if 1 of them is timing out, it is probably a site between you and your traceroute target that has icmp replies filtered.

Bottom line: it is probably out of your hands. Someone on the road is blocking icmp. It doesn't kill traceroute, but it means you're missing one hop.

Kim Oppalfens

>--
>Dan Harkless
>[EMAIL PROTECTED]
>http://harkless.org/dan/
>
>------------------------------------------------------------------------
>leaf-user mailing list: [EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/leaf-user
>SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
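Added example, not part of the original message: a Python sketch of the mechanism described in the reply above, showing why a filter that passes only ICMP type 8 hides traceroute hops, since the answers arrive as type 11 (time exceeded) and type 0 (echo reply). The addresses, helper names and probe numbering (three probes per hop, sequence numbers from 0) are assumptions, and the packets are constructed, not captured.

```python
import socket
import struct

ECHO_REPLY, ECHO_REQUEST, TIME_EXCEEDED = 0, 8, 11
ME, DEST = "192.168.1.10", "203.0.113.9"   # constructed addresses

def ip_header(src, dst, ttl, payload):
    """Minimal 20-byte IPv4 header (checksum left 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 1, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def icmp_echo(icmp_type, ident, seq):
    """ICMP echo header: type, code, checksum (0 here), identifier, sequence."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

def expired(router, seq):
    """Type 11 reply from a router, quoting the probe whose TTL reached 0."""
    quoted = ip_header(ME, DEST, 1, icmp_echo(ECHO_REQUEST, 1, seq))
    return ip_header(router, ME, 64, struct.pack("!BBHI", TIME_EXCEEDED, 0, 0, 0) + quoted)

def classify(packet):
    """Return (source IP, kind, probe sequence) for a received IPv4/ICMP packet."""
    ihl = (packet[0] & 0x0F) * 4
    src = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    if icmp[0] == ECHO_REPLY:
        return src, "echo-reply", struct.unpack("!H", icmp[6:8])[0]
    if icmp[0] == TIME_EXCEEDED:
        # After the 8-byte ICMP header comes the expired probe's IP header + 8 bytes.
        inner = icmp[8:]
        inner_ihl = (inner[0] & 0x0F) * 4
        return src, "time-exceeded", struct.unpack("!H", inner[inner_ihl + 6:inner_ihl + 8])[0]
    return src, f"other-{icmp[0]}", None

def summarize(replies, probes_per_hop=3, max_hops=4):
    """Group replies by hop; a hop with no reply at all is reported as '*'."""
    hops = {}
    for pkt in replies:
        src, kind, seq = classify(pkt)
        if seq is not None:
            hops.setdefault(seq // probes_per_hop + 1, set()).add((src, kind))
    return [sorted(hops.get(h, {("*", "timeout")})) for h in range(1, max_hops + 1)]

# Constructed session: hop 2 (probes 3-5) never answers, as with a filtering site.
SAMPLE = ([expired("192.168.1.254", s) for s in range(3)] +
          [expired("198.51.100.1", s) for s in range(6, 9)] +
          [ip_header(DEST, ME, 61, icmp_echo(ECHO_REPLY, 1, s)) for s in range(9, 12)])

if __name__ == "__main__":
    for hop, seen in enumerate(summarize(SAMPLE), 1):
        print(hop, seen)
```

The silent hop 2 does not stop the trace; later hops and the destination still answer, which matches the "missing one hop" outcome described in the message.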