[Techtalk] Firewall blocking traceroute
Devdas Bhagat
devdas at dvb.homelinux.org
Mon Aug 2 15:21:48 EST 2004
On 01/08/04 18:06 -0400, Terri Oda wrote:
> My router/firewall seems to work fine if I want to ping something, but
> won't let me traceroute. I don't have any trouble if I connect to the
> modem directly, but I have trouble when I go through the firewall.
>
> As far as I can tell from docs online, it should work as long as I can
> receive and send ICMP packets. But even when I allow those in, I don't
> get past my router on traceroute.
Unix traceroute uses UDP by default. Windows traceroute uses ICMP both
ways.
You can use the -I option to traceroute(8) to have it use ICMP instead
of UDP.
>
> The firewall rules I was trying are (roughly) this:
>
> allow [the Internet] to send [this machine] ICMP
> allow [machines inside my LAN] to send [the Internet] anything
> deny [the Internet] from sending [machines inside my LAN] anything
> (other than ICMP)
Is this a device where we can get actual rulesets out?
> I'm clearly missing something for the traceroute, but my google
> searches haven't turned up anything that suggests I need anything other
> than ICMP.
>
> (And yes, I realize that firewall isn't particularly strict, but I
> thought it best to leave it fairly open while I'm trying to figure
> things out. If anyone's got documents on firewall rules they want to
> recommend, though, it can't hurt. :) )
Which firewall in particular? If Linux, the iptables tutorial at
http://iptables-tutorial.frozentux.net/ is recommended if a packet
filter makes you feel safe enough.
Devdas Bhagat
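The exchange the reply above describes, worked through on constructed packets as an added example (this is not code from the thread, from traceroute(8), or from any firewall): Unix traceroute sends UDP probes with an increasing TTL to high ports starting at 33434, each intermediate router answers with ICMP Time Exceeded (type 11, code 0), and the destination answers with ICMP Port Unreachable (type 3, code 3). Every address, the list of routers, the source port 40000 and the helper names are assumptions made up for the demonstration; `related_to_outstanding_probe` stands in for what a stateful packet filter does when it admits only ICMP errors that quote a datagram this side actually sent, which is the check a rule that simply allows inbound ICMP does not make.

```python
"""Simulated Unix (UDP) traceroute exchange on constructed packets.

Added example: no raw sockets, no network. Addresses come from the RFC 5737
documentation ranges and the router "path" is made up.
"""
import socket
import struct

TRACEROUTE_BASE_PORT = 33434   # first UDP destination port Unix traceroute probes
ICMP_DEST_UNREACH = 3          # code 3 (port unreachable): the destination answered
ICMP_TIME_EXCEEDED = 11        # code 0 (TTL expired in transit): an intermediate hop
IPPROTO_ICMP, IPPROTO_UDP = 1, 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_header(src: str, dst: str, proto: int, ttl: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """One traceroute probe: IP(ttl=N) / UDP to a high port nothing should listen on."""
    payload = b"trac"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ip_header(src, dst, IPPROTO_UDP, ttl, len(udp)) + udp


def icmp_error(sender: str, offending: bytes, icmp_type: int, code: int) -> bytes:
    """ICMP error as a router or host generates it: 8-byte ICMP header followed by
    the offending datagram's IP header plus its first 8 bytes (the UDP header)."""
    quoted = offending[:28]
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    victim = socket.inet_ntoa(offending[12:16])      # the error goes back to the probe's source
    return ip_header(sender, victim, IPPROTO_ICMP, 64, len(icmp)) + icmp


def parse_icmp_error(pkt: bytes) -> dict:
    """Decode an ICMP error and the (src, dst, proto, sport, dport) of the probe it quotes."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    if checksum(icmp) != 0:                          # a valid checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    itype, code = icmp[0], icmp[1]
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if (itype, code) == (ICMP_TIME_EXCEEDED, 0):
        kind = "hop"                                 # an intermediate router dropped the probe
    elif (itype, code) == (ICMP_DEST_UNREACH, 3):
        kind = "destination"                         # the target itself; the trace is finished
    else:
        kind = "other"
    return {
        "from": socket.inet_ntoa(pkt[12:16]), "type": itype, "code": code, "kind": kind,
        "probe": (socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
                  inner[9], sport, dport),
    }


def related_to_outstanding_probe(reply: bytes, outstanding: set) -> bool:
    """Stateful-filter view of an inbound ICMP error: admit it only if the datagram
    it quotes matches a UDP probe this side sent (assumed helper, not a real API)."""
    return parse_icmp_error(reply)["probe"] in outstanding


def run_traceroute(src: str, dst: str, path: list, max_hops: int = 30) -> list:
    """Simulate the exchange: one probe per TTL, answered by whichever hop drops it.
    `path` is the constructed, ordered list of router addresses in front of `dst`."""
    hops, outstanding, sport = [], set(), 40000
    for ttl in range(1, max_hops + 1):
        dport = TRACEROUTE_BASE_PORT + ttl - 1
        probe = udp_probe(src, dst, sport, dport, ttl)
        outstanding.add((src, dst, IPPROTO_UDP, sport, dport))   # state the filter keeps
        if ttl <= len(path):     # TTL reaches zero at router number `ttl`
            reply = icmp_error(path[ttl - 1], probe, ICMP_TIME_EXCEEDED, 0)
        else:                    # probe reaches dst, which has no listener on dport
            reply = icmp_error(dst, probe, ICMP_DEST_UNREACH, 3)
        if not related_to_outstanding_probe(reply, outstanding):
            hops.append((ttl, "*", "dropped"))       # what a filter that blocks it would show
            continue
        info = parse_icmp_error(reply)
        hops.append((ttl, info["from"], info["kind"]))
        if info["kind"] == "destination":
            break
    return hops


if __name__ == "__main__":
    for ttl, who, kind in run_traceroute("192.0.2.10", "203.0.113.7",
                                         ["192.0.2.1", "198.51.100.1", "198.51.100.9"]):
        print(f"{ttl:2d}  {who:15s}  {kind}")
```

The two rules a filter in front of the probing host therefore has to get right are the outbound UDP probes and the inbound ICMP type 11 and type 3/code 3 errors addressed to the probing host; the parser above shows that each such error carries the original IP and UDP headers, which is what lets a stateful filter (or a reader with a packet capture) tie it back to the probe instead of admitting arbitrary ICMP.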