I'm having difficulty getting traceroute to work on some of the network clients (Windows, specifically). I've been able to reproduce the problem, and I've documented it below. Any assistance and/or guidance on the error (of omission or commission) in my pf.conf file would be appreciated. (I truncated the traceroute results at 68 columns so they do not wrap in this posting. If anyone needs the full width of the lines, let me know.)

First, I whittled the pf.conf file down to a simple version for this test.

pf.conf:

# macros
ext_if = "rl0"
std_if = "em1"
jum_if = "em0"
loc_if = "lo0"

set skip on lo

# nat/rdr
match out on $ext_if from !($ext_if) nat-to ($ext_if)

# filter rules
block in

# let internal traffic flow unimpeded
pass quick on $std_if
pass quick on $jum_if

pass out modulate state

When I do a regular traceroute on a FreeBSD client, it looks OK.

FreeBSD 8.1 client on the jum_if subnet

# traceroute www.openbsd.org
traceroute to www.openbsd.org (142.244.12.42), 64 hops max, 40 byte
 1  router-10-23-90 (10.23.90.1)  0.282 ms  0.196 ms  0.238 ms
 2  bu-10-ubr11.danbury.ct.hartford.comcast.net (96.67.226.1)  5.83
 3  ge-3-30-ur02.danbury.ct.hartford.comcast.net (68.86.237.29)  6.
 4  be-61-ar01.chartford.ct.hartford.comcast.net (68.85.69.17)  9.4
 5  pos-1-4-0-0-ar01.needham.ma.boston.comcast.net (68.85.162.69)
 6  pos-2-2-0-0-cr01.newyork.ny.ibone.comcast.net (68.86.93.185)  2
 7  pos-2-10-0-0-cr01.chicago.il.ibone.comcast.net (68.86.86.114)
 8  pos-1-6-0-0-pe01.350ecermak.il.ibone.comcast.net (68.86.87.130)
 9  as852-pe01.350ecermak.il.ibone.comcast.net (75.149.228.226)  48
10  edtnabxmdr00.bb.telus.com (205.233.111.99)  90.548 ms  89.149 m
11  sparky.prpddmi.com (207.229.13.210)  89.672 ms  86.775 ms  90.0
12  gsb175-c6509-3-129.backbone.ualberta.ca (129.128.3.129)  98.039
13  129.128.3.201 (129.128.3.201)  87.293 ms  90.405 ms  88.927 ms
14  afscarp1.srv.ualberta.ca (129.128.98.84)  90.922 ms  94.897 ms
15  * * *

However, when I tell traceroute to use ICMP ECHO, I get timeouts.

# traceroute -I www.openbsd.org
traceroute to www.openbsd.org (142.244.12.42), 64 hops max, 60 byte
 1  router-10-23-90 (10.23.90.1)  0.286 ms  0.301 ms  0.231 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  openbsd.srv.ualberta.ca (142.244.12.42)  90.292 ms  89.394 ms

Both flavors of traceroute work fine on the OpenBSD 4.7 firewall / router itself, so I know it is not Comcast blocking ICMP traffic.

firewall / router

# traceroute www.openbsd.org
traceroute to www.openbsd.org (142.244.12.42), 64 hops max, 40 byte
 1  bu-10-ubr11.danbury.ct.hartford.comcast.net (96.67.226.1)  7.60
 2  ge-3-30-ur02.danbury.ct.hartford.comcast.net (68.86.237.29)  5.
 3  be-61-ar01.chartford.ct.hartford.comcast.net (68.85.69.17)  9.3
 4  pos-1-4-0-0-ar01.needham.ma.boston.comcast.net (68.85.162.69)
 5  pos-2-2-0-0-cr01.newyork.ny.ibone.comcast.net (68.86.93.185)  1
 6  pos-2-10-0-0-cr01.chicago.il.ibone.comcast.net (68.86.86.114)
 7  pos-1-6-0-0-pe01.350ecermak.il.ibone.comcast.net (68.86.87.130)
 8  as852-pe01.350ecermak.il.ibone.comcast.net (75.149.228.226)  49
 9  edtnabxmdr00.bb.telus.com (205.233.111.99)  89.661 ms  88.866 m
10  sparky.prpddmi.com (207.229.13.210)  86.679 ms  86.702 ms  122.
11  gsb175-c6509-3-129.backbone.ualberta.ca (129.128.3.129)  91.118
12  129.128.3.201 (129.128.3.201)  87.293 ms  87.621 ms  87.457 ms
13  afscarp1.srv.ualberta.ca (129.128.98.84)  90.983 ms  89.338 ms
14  * * *

# traceroute -I www.openbsd.org
traceroute to www.openbsd.org (142.244.12.42), 64 hops max, 60 byte
 1  bu-10-ubr11.danbury.ct.hartford.comcast.net (96.67.226.1)  7.91
 2  ge-3-30-ur02.danbury.ct.hartford.comcast.net (68.86.237.29)  5.
 3  be-61-ar01.chartford.ct.hartford.comcast.net (68.85.69.17)  9.3
 4  pos-1-4-0-0-ar01.needham.ma.boston.comcast.net (68.85.162.69)
 5  pos-2-2-0-0-cr01.newyork.ny.ibone.comcast.net (68.86.93.185)  2
 6  pos-2-10-0-0-cr01.chicago.il.ibone.comcast.net (68.86.86.114)
 7  pos-1-6-0-0-pe01.350ecermak.il.ibone.comcast.net (68.86.87.130)
 8  as852-pe01.350ecermak.il.ibone.comcast.net (75.149.228.226)  48
 9  edtnabxmdr00.bb.telus.com (205.233.111.99)  89.916 ms  93.978 m
10  sparky.prpddmi.com (207.229.13.210)  85.736 ms  86.682 ms  85.8
11  gsb175-c6509-3-129.backbone.ualberta.ca (129.128.3.129)  90.720
12  129.128.3.201 (129.128.3.201)  111.230 ms  102.337 ms  90.230 m
13  afscarp1.srv.ualberta.ca (129.128.98.84)  90.311 ms  89.215 ms
14  openbsd.srv.ualberta.ca (142.244.12.42)  100.213 ms  91.242 ms

What do I need to add to the pf.conf in order to allow clients to use the -I option on traceroute? Thanks in advance.
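The following is an added example, not part of the original post and not a fix the poster reported: it is the same stripped-down rule set with logging turned on and the two kinds of traceroute probe (ICMP echo for -I, the UDP high-port range for the default mode) given their own rules on the external interface, so that the firewall shows which packets it drops and which states it creates for each probe type. The interface macros are the poster's; the UDP port range 33434:33523 is the conventional traceroute range and is an assumption about the clients.

```pf
# macros (as in the original post)
ext_if = "rl0"
std_if = "em1"
jum_if = "em0"
loc_if = "lo0"

set skip on lo

# nat/rdr (unchanged)
match out on $ext_if from !($ext_if) nat-to ($ext_if)

# filter rules: log every dropped packet so it shows up on pflog0
block in log

# let internal traffic flow unimpeded (unchanged)
pass quick on $std_if
pass quick on $jum_if

# general outbound rule (unchanged)
pass out modulate state

# Explicit, logged rules for the two probe types, placed AFTER the
# general rule: without "quick", the last matching rule wins, so these
# are the rules whose counters and states the probes will be counted
# against. Both keep state by default, so the ICMP time-exceeded
# errors that come back are matched to the probe's state.
# The UDP port range is the conventional traceroute range (assumption).
pass out log on $ext_if inet proto icmp icmp-type echoreq
pass out log on $ext_if inet proto udp to port 33434:33523
```

With this loaded, "tcpdump -n -e -ttt -i pflog0 icmp" on the firewall shows every ICMP packet that was logged, and the pflog header says which rule number passed or blocked it; "pfctl -vsr" shows per-rule packet counters, and "pfctl -ss" lists the current states. Running "traceroute -I" from a client while watching pflog0 shows whether the echo requests go out under the explicit ICMP rule and whether the time-exceeded replies from hops 2 onward arrive at rl0 at all, which separates a packet that never comes back from one that is dropped by the rule set.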