On 12/20/2016 03:08 PM, Philip Le Riche wrote:
> I'm trying to run traceroute from a Raspberry Pi on one side of
> shorewall through to the Internet on the other, for the purposes of
> an Internet routing lesson.
>
> I can detect some hosts on the far side of shorewall but not as
> many as I was hoping (possibly due to ISP filtering), even though I
> didn't think to add a rule for returning icmp timeout packets. On
> reflection, perhaps I ought to have since a rule is needed for
> ping. Does this indicate that shorewall passes some icmp packets by
> default, and if so, which? I don't immediately see anything on this
> in the documentation.
>

Netfilter connection tracking will classify returned icmp packets as
RELATED to the original outgoing packet, and Shorewall accepts RELATED
packets by default.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
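
The classification described in the reply above, as an added example that is not part of the original thread and is not Netfilter or Shorewall code: a simplified Python model in which an ICMP error is RELATED only when the packet it quotes matches a tracked outgoing flow. The addresses, ports and function names are constructed for illustration, and NAT and checksums are ignored.

```python
import socket
import struct

# ICMP error types that quote the offending packet: dest unreachable,
# source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4_header(src, dst, proto, ttl=1):
    """Minimal 20-byte IPv4 header (lengths and checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def udp_probe(src, dst, sport, dport, ttl=1):
    """A traceroute-style UDP probe: IPv4 header plus 8-byte UDP header."""
    return ipv4_header(src, dst, 17, ttl) + struct.pack("!HHHH", sport, dport, 8, 0)

def time_exceeded(router, quoted):
    """ICMP type 11 from a router back to the sender, quoting header + 8 bytes."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0)
    return ipv4_header(router, socket.inet_ntoa(quoted[12:16]), 1, 64) + icmp + quoted[:28]

def parse_tuple(packet):
    """(src, dst, proto, sport, dport) of an IPv4 packet carrying UDP or TCP."""
    ihl = (packet[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], sport, dport)

def classify_icmp(packet, conntrack):
    """Model of the state an inbound ICMP packet gets from connection tracking."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    if packet[ihl] not in ICMP_ERROR_TYPES:
        return "NOT_AN_ERROR"      # e.g. echo request/reply: tracked as its own flow
    inner = packet[ihl + 8:]       # 8-byte ICMP header, then the quoted packet
    if len(inner) < 20 or len(inner) < (inner[0] & 0x0F) * 4 + 4:
        return "INVALID"           # quote too short to identify a flow
    return "RELATED" if parse_tuple(inner) in conntrack else "INVALID"

# Constructed sample: the Pi sends one probe, which creates the tracked flow.
PROBE = udp_probe("192.168.1.50", "198.51.100.7", 40000, 33434)
CONNTRACK = {parse_tuple(PROBE)}
REPLY = time_exceeded("203.0.113.1", PROBE)   # quotes the tracked probe
STRAY = time_exceeded("203.0.113.1",          # quotes a flow nobody sent
                      udp_probe("192.168.1.50", "198.51.100.9", 40001, 33435))

if __name__ == "__main__":
    print(classify_icmp(REPLY, CONNTRACK), classify_icmp(STRAY, CONNTRACK))
```

An error that quotes no tracked flow is not RELATED, so the default acceptance covers replies to traffic the firewall already allowed out rather than arbitrary inbound ICMP.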
