Re: traceroute problems
On Tuesday 11 March 2008 00:30:05 Wojciech Puchar wrote: Right - thanks. I will see if I can unblock it then. Hm, I wouldn't bet on it, since most of these devices tend to have preconfigured well-hidden firewall rules. traceroute uses UDP packets, no special port numbers. FreeBSD's traceroute can use TCP or ICMP instead of UDP. You can also force using a specific port, so you can mimic a web browser that uses an insanely small TTL. Something like: -e -P TCP -p 80 $destination_host or -P ICMP $destination_host I've had success using combinations like the above. Of course, if your NAT device drops ICMP indistinctively or does not relate these ICMP to your LAN address, you're out of luck. I think many DLinks are Linux based, so there is good possibility to have a proper TCP/IP stack and a proper packet filter. Can't tell of the packet filter rules though. HTH, Nikos ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: traceroute problems
to prevent you from learning about their routing paths. In these cases, you get back the 1 * * * type of output from traceroute. Also, by default traceroute attempts to do a reverse DNS on the IP address, so you can speed things up by doing a 'traceroute -n' to avoid this look-up. many commercial firewalls, including those in integrated devices, tend to block everything excluding often used services. some even block ICMP ping. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
traceroute problems
Hello, I am using FreeBSD 6.3-RELEASE-p1. What should I be diagnosing if I cannot use traceroute? Whatever domain I try to check, it always times out. The box is behind a hardware firewall. It also uses pf to some minor degree. However, pfctl -d does not allow me to traceroute either. $ traceroute -v freebsd.org traceroute to freebsd.org (69.147.83.40), 64 hops max, 40 byte packets 1 * * * 2 * * * 3 * * * 4 * * * It goes on like this until it reaches 64 hops and then it finishes printing no additional information. Many thanks for any hint what to check! -- Zbigniew Szalbot ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: traceroute problems
What should I be diagnosing if I cannot use traceroute? Whatever domain I try to check, it always times out. The box is behind a hardware firewall. It also uses pf to some minor degree. However, what do you mean hardware firewall? pfctl -d does not allow me to traceroute either. $ traceroute -v freebsd.org traceroute to freebsd.org (69.147.83.40), 64 hops max, 40 byte packets 1 * * * 2 * * * 3 * * * 4 * * * your firewall (whatever hardware means) probably block traceroute packets ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: traceroute problems
Hello, 2008/3/10, Wojciech Puchar [EMAIL PROTECTED]: What should I be diagnosing if I cannot use traceroute? Whatever domain I try to check, it always times out. The box is behind a hardware firewall. It also uses pf to some minor degree. However, what do you mean hardware firewall? Dlink DFL-700. pfctl -d does not allow me to traceroute either. $ traceroute -v freebsd.org traceroute to freebsd.org (69.147.83.40), 64 hops max, 40 byte packets 1 * * * 2 * * * 3 * * * 4 * * * your firewall (whatever hardware means) probably block traceroute packets Right - thanks. I will see if I can unblock it then. -- Zbigniew Szalbot ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: traceroute problems
what do you mean hardware firewall? Dlink DFL-700. AFAIK it doesn't contain in-silicon logic to route/block/pass packets according to rules. it works in the same way like computer running say FreeBSD with network cards, just it's dedicated box. today the hardware is abused too much. true hardware routers/firewalls begins at about 10Gbit/s range, where making this into hardware make sense. 4 * * * your firewall (whatever hardware means) probably block traceroute packets Right - thanks. I will see if I can unblock it then. traceroute uses UDP packets, no special port numbers. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: traceroute problems
On Mon, Mar 10, 2008 at 11:30:05PM +0100, Wojciech Puchar wrote: traceroute uses UDP packets, no special port numbers. Outgoing is UDP. The return packet is ICMP type 11. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: traceroute problems
On Mon, Mar 10, 2008 at 11:30:05PM +0100, Wojciech Puchar wrote: [...] traceroute uses UDP packets, no special port numbers. traceroute(8) indicates that the default UDP port number used is udp/33434, incrementing for each hop out. -- Jonathan Chen [EMAIL PROTECTED] -- When all else fails, RTFM ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: traceroute problems
Jonathan Chen presented these words - circa 3/10/08 7:38 PM- On Mon, Mar 10, 2008 at 11:30:05PM +0100, Wojciech Puchar wrote: [...] traceroute uses UDP packets, no special port numbers. traceroute(8) indicates that the default UDP port number used is udp/33434, incrementing for each hop out. The incrementing is the TTL count in the IP header, not the port number. It works by sending out a UDP packet for a (generally) unused port with the TTL field to a specific number and looking for ICMP errors to indicate how far the packet went (the last node address is contained in the ICMP error reply). However, be warned, some network administrators disable their routers from sending back these types of ICMP messages to prevent you from learning about their routing paths. In these cases, you get back the 1 * * * type of output from traceroute. Also, by default traceroute attempts to do a reverse DNS on the IP address, so you can speed things up by doing a 'traceroute -n' to avoid this look-up. Patrick ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
