On Fri, 3 Dec 1999, Chris Bennett wrote:

>       This raises a good question. What ports need to be open to allow a
> ping or traceroute to an external host? I have read the Firewall-HOWTO and
> can't find this inside of the HOWTO.
> 
>       I am using a custom kernel 2.2.13 that has all the proper IP MASQ
> options enabled, and I am starting the firewall with an IPCHAINS
> deny-everything rule, allowing all connections to the outside from localhost
> or from anywhere within the masqueraded LAN.

ping doesn't use ports, and neither does traceroute. They use the ICMP type 8
(ECHO_REQUEST) and type 0 (ECHO_REPLY) datagrams. ICMP doesn't have port
numbers in its header. All ICMP messages are interpreted by the network
software itself, so no port numbers are needed to say where an ICMP
message is supposed to go. But you can deny all ICMP traffic, for example
with the following command:
        ipchains -A input -j DENY -p icmp
Also, if you have the default ipchains policy set to deny, don't forget to
explicitly allow ICMP traffic.
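The reply's two points, that an ICMP echo header carries no port fields and that a default-DENY input chain needs an explicit ICMP accept, can be seen directly by building and filtering the packets. The following is an added example written for this page, not code from either poster: it builds and parses ICMP echo request/reply messages (8-byte header: type, code, checksum, identifier, sequence, followed by payload) with the RFC 1071 checksum, then walks a small model of an ipchains `input` chain in which the first matching rule wins and unmatched packets fall through to the chain policy. The rule tuples, `INPUT_RULES` and `input_verdict` are an illustrative model, not ipchains itself, and the sample packet is constructed inline.

```python
"""ICMP echo packets and an ipchains-style input-chain decision (illustrative model)."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:                        # pad odd-length messages with a zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0).

    Header layout: type(1) code(1) checksum(2) identifier(2) sequence(2).
    Compare with a TCP or UDP header: there is no source or destination port.
    """
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo type")
    unsummed = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    csum = icmp_checksum(unsummed)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse the fixed 8-byte ICMP header and verify the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message too short")
    if icmp_checksum(packet) != 0:           # a correctly summed message folds to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "id": ident, "seq": seq, "payload": packet[8:]}


def reply_for(request: bytes) -> bytes:
    """What the remote host's network stack does with an echo request:
    it answers with type 0, echoing identifier, sequence and payload."""
    req = parse_icmp(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("not an echo request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


# --- model of an ipchains "input" chain: first matching rule wins, else policy ---
# Each rule is (protocol, icmp_type or None for any, target).  ipchains puts the
# ICMP type where a source port would go, so these model (assumed shell lines):
#   ipchains -P input DENY
#   ipchains -A input -p icmp -s 0/0 0 -j ACCEPT    # echo-reply
#   ipchains -A input -p icmp -s 0/0 8 -j ACCEPT    # echo-request
INPUT_POLICY = "DENY"
INPUT_RULES = [
    ("icmp", ICMP_ECHO_REPLY, "ACCEPT"),
    ("icmp", ICMP_ECHO_REQUEST, "ACCEPT"),
]


def input_verdict(proto: str, packet: bytes = b"",
                  rules=INPUT_RULES, policy=INPUT_POLICY) -> str:
    """Walk the chain the way ipchains does; an unmatched packet gets the policy."""
    icmp_type = parse_icmp(packet)["type"] if proto == "icmp" else None
    for rule_proto, rule_type, target in rules:
        if rule_proto != proto:
            continue
        if rule_type is not None and rule_type != icmp_type:
            continue
        return target
    return policy


if __name__ == "__main__":
    # Constructed sample: one ping exchange, then both filter configurations.
    request = build_echo(ICMP_ECHO_REQUEST, ident=0x1234, seq=1, payload=b"hello")
    reply = reply_for(request)
    print(parse_icmp(reply))
    print("reply with explicit ICMP accept:", input_verdict("icmp", reply))
    print("reply under 'ipchains -A input -j DENY -p icmp':",
          input_verdict("icmp", reply, rules=[("icmp", None, "DENY")]))
```

With the explicit accept rules the echo reply reaches the pinging host; with the reply's blanket `-j DENY -p icmp` rule, or with a default-DENY policy and no ICMP rule at all, the reply is dropped and ping reports nothing. One caveat for the traceroute half of the question: the Linux traceroute in common use sends UDP probes and reads the ICMP time-exceeded (type 11) and port-unreachable (type 3) messages that come back, so a chain that is to pass traceroute must also accept those inbound types, not only echo request and reply.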
