#19153: Default firewall rules do not allow IPv4 traceroute (ICMP)
-------------------------------------------------+-------------------------
 Reporter:  James W                              |      Owner:  developers
     Type:  defect                               |     Status:  new
 Priority:  normal                               |  Milestone:  Chaos Calmer (trunk)
Component:  other                                |    Version:  Trunk
 Keywords:  firewall icmp traceroute ipv4 blocked|
-------------------------------------------------+-------------------------
In the default /etc/config/firewall file, there are no longer any rules to
allow ICMP for IPv4 traffic, thus when trying to perform a traceroute from
the router itself it will fail even on the first hop:

    traceroute jolt.co.uk
    traceroute to jolt.co.uk (162.255.119.254), 30 hops max, 38 byte packets
     * * *
     * * *
     * * *
     * * *
     * * *
Although there is a rule to allow ICMP on IPv6, this is not the case for
IPv4. As soon as I added the following rule you can perform traceroutes
again (copied from the IPv6 rule and just changing the family to IPv4):

    config rule
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option target 'ACCEPT'
        option name 'Allow-ICMPv4-Input'
        option family 'ipv4'

Note: Clients behind the router can traceroute, this is only for the
router itself.
Thanks
James
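An audit check for the condition this ticket reports, added here as an example and not part of the ticket or of OpenWrt itself: it parses a UCI firewall config and reports which of the ICMP types a traceroute from the router depends on (time-exceeded, destination-unreachable) no IPv4 wan-to-router ACCEPT rule admits. The two sample configs are constructed (the IPv4 rule is a trimmed-down counterpart, not the reporter's), and the assumed UCI semantics are that a rule without a dest applies to the router itself, an unset family covers both families, and a rule without an icmp_type list accepts every ICMP type.

```python
import re
# Constructed sample (not from the ticket): only an IPv6 ICMP rule, as described.
IPV6_ONLY = """
config rule
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'time-exceeded'
    option family 'ipv6'
    option target 'ACCEPT'
"""
# Constructed IPv4 counterpart limited to ping plus the two types traceroute needs.
IPV4_RULE = """
config rule
    option src 'wan'
    option proto 'icmp'
    list icmp_type 'echo-request'
    list icmp_type 'destination-unreachable'
    list icmp_type 'time-exceeded'
    option family 'ipv4'
    option target 'ACCEPT'
"""
UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?$")

def parse_uci(text):
    """Minimal UCI parser: returns [(section_type, options)]; 'list' keys accumulate."""
    sections = []
    for raw in text.splitlines():
        m = UCI_LINE.match(raw.strip())
        if not m:
            continue  # blank lines, comments, anything that is not config/option/list
        kind, key = m.group(1), m.group(2)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        if kind == 'config':
            sections.append((key, {}))
        elif kind == 'option':
            sections[-1][1][key] = value
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections
TRACEROUTE_TYPES = {'time-exceeded', 'destination-unreachable'}  # replies traceroute needs

def missing_icmpv4_types(config_text):
    """Traceroute ICMP types that no wan->router ACCEPT rule admits for IPv4 (assumed
    semantics: no 'dest' = rule targets the router; family unset = both families)."""
    accepted = set()
    for stype, opts in parse_uci(config_text):
        if (stype != 'rule' or opts.get('target') != 'ACCEPT' or 'dest' in opts
                or opts.get('src') != 'wan' or opts.get('proto') != 'icmp'
                or opts.get('family', 'any') not in ('ipv4', 'any')):
            continue
        accepted |= set(opts.get('icmp_type', TRACEROUTE_TYPES))  # no list = all types
    return TRACEROUTE_TYPES - accepted
```

Running it against a router's own /etc/config/firewall (read the file and pass its text) gives an empty set when traceroute replies can reach the router and names the missing types otherwise.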
--
Ticket URL: <https://dev.openwrt.org/ticket/19153>
OpenWrt <http://openwrt.org>
Opensource Wireless Router Technology
_______________________________________________
openwrt-tickets mailing list
[email protected]
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-tickets