Dear list: I have noticed that whenever a traceroute passes through a firewall, the hop corresponding to the firewall always shows * * * request timed out.
I checked with some Shorewall documentation at http://shorewall.net/ports.htm that indicates traceroute uses UDP -- a fact I was never aware of. I also saw a lot of ICMP type 11 packets being dropped in the shorewall logs, so I added some rules to permit them. I think the docs at the above link should also recommend ICMP type 11, as that is what finally got the timeouts above to go away. And this without the rules accepting UDP. So I think the above link is in error. Unless there is a different "UDP traceroute" that I don't know of... ?

Here is what I implemented in shorewall, in addition to the usual icmp Type 8 rules -- seems to get the regular command line traceroute from *nix and tracert on windoze to work, and the firewall hop identifies itself:

    ACCEPT loc fw icmp 8
    ACCEPT net fw icmp 8
    ACCEPT fw loc icmp 8
    ACCEPT fw net icmp 8
    ACCEPT loc fw icmp 11
    ACCEPT net fw icmp 11
    ACCEPT fw loc icmp 11
    ACCEPT fw net icmp 11

HTH
Rick.

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
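The check Rick describes (spotting dropped ICMP type 11 in the Shorewall log and comparing against the zone-to-zone rules) can be scripted. This is an added example, not code from the post or from Shorewall; the log lines are constructed in the netfilter LOG style Shorewall uses, and the zone names and rule tuples are taken from the post above.

```python
import re
from collections import Counter

# Constructed sample of Shorewall/netfilter log lines (not from the original post).
SAMPLE_LOG = """\
Sep 20 10:01:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=ICMP TYPE=11 CODE=0
Sep 20 10:01:03 fw kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.9 PROTO=ICMP TYPE=11 CODE=0
Sep 20 10:01:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.8 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=23
Sep 20 10:01:05 fw kernel: Shorewall:loc2fw:DROP:IN=eth1 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=ICMP TYPE=8 CODE=0
"""

# Shorewall log prefix is "Shorewall:<srczone>2<dstzone>:<action>:" followed by netfilter fields.
LOG_RE = re.compile(
    r"Shorewall:(?P<src>[a-z]+)2(?P<dst>[a-z]+):(?P<action>[A-Z]+):.*?PROTO=ICMP TYPE=(?P<type>\d+)"
)

# The rules from the post, as (action, source zone, dest zone, proto, icmp type).
POST_RULES = [
    ("ACCEPT", "loc", "fw", "icmp", 8), ("ACCEPT", "net", "fw", "icmp", 8),
    ("ACCEPT", "fw", "loc", "icmp", 8), ("ACCEPT", "fw", "net", "icmp", 8),
    ("ACCEPT", "loc", "fw", "icmp", 11), ("ACCEPT", "net", "fw", "icmp", 11),
    ("ACCEPT", "fw", "loc", "icmp", 11), ("ACCEPT", "fw", "net", "icmp", 11),
]


def dropped_icmp(log_text, icmp_type):
    """Count DROP/REJECT log entries per (source zone, dest zone) for one ICMP type."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] in ("DROP", "REJECT") and int(m["type"]) == icmp_type:
            counts[(m["src"], m["dst"])] += 1
    return counts


def missing_rules(log_text, rules, icmp_type):
    """Zone pairs where the log shows drops of icmp_type but no ACCEPT rule covers them."""
    allowed = {(s, d) for a, s, d, p, t in rules
               if a == "ACCEPT" and p == "icmp" and t == icmp_type}
    return sorted(pair for pair in dropped_icmp(log_text, icmp_type) if pair not in allowed)


if __name__ == "__main__":
    only_type8 = [r for r in POST_RULES if r[4] == 8]
    print("type 11 drops:", dict(dropped_icmp(SAMPLE_LOG, 11)))
    print("missing with type-8 rules only:", missing_rules(SAMPLE_LOG, only_type8, 11))
    print("missing with the post's full rule set:", missing_rules(SAMPLE_LOG, POST_RULES, 11))
```

Run against the real log (`/var/log/messages` or wherever Shorewall logs) to see which zone pairs still drop time-exceeded messages after a rule change.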
