Re: [newletters] [flalug] firewall gurus, help please!

From: Steve Steiner (stephen.steiner@usa.net)
Date: Mon Dec 15 2003 - 22:23:07 EST


Actually, as far as I can see, your F/W is doing exactly what it should be
doing. During any ICMP request, the firewall is simply ignoring it. To
issue a response of any kind would be acknowledging the validity of that
address, thus making it a possible target.

If you are trying to test the functionality of the firewall, set up the
firewall to NAT your public address to one of your internal PC's private
address (NAT with DMZ passthrough). Then do your "outside-looking-in" trace
and the PC should respond to the echo request.

As for the "inside-out" trace you mentioned in your post, I'm confused as to
the output you listed. I would think that you would see something like:

[eben@pc eben]$ /usr/sbin/tracepath yahoo.com
 1?: [LOCALHOST] pmtu 1500
 1:  usr8054 (192.168.1.25) asymm 2 0.518ms
 2:  ddd-ccc.bbb-aaa.tampabay.rr.com (aaa.bbb.ccc.ddd) asymm 15 82.184ms
 3:  blah....blah...blah...internet hops
.......
19:  www.akadns.yahoo.com (216.109.118.71) asymm xx yy.yyyms

The firewall wouldn't respond, but the next hop after the firewall should
(in this case, your cable modem), as should every other hop along the path.

If you simply want to change the message your Linux box spits out, i.e. host
unreachable, instead of no reply, then someone else will have to chime in on
how to change the interpretation of the ICMP response.

Steve

----- Original Message -----
From: "Eben King" <eben1@tampabay.rr.com>
To: "Florida Linux Users' Group" <flalug@nks.net>
Sent: Sunday, December 14, 2003 5:14 PM
Subject: [newletters] [flalug] firewall gurus, help please!

> OK. I've screwed up traceroute somehow. It worked under my previous
> router (ipchains, Linux 2.0.x, P75), but I just checked it under my new
> router (USR 8054), and it doesn't. From the inside, I get something like
>
> [eben@pc eben]$ /usr/sbin/tracepath yahoo.com
>  1?: [LOCALHOST] pmtu 1500
>  1:  usr8054 (192.168.1.25) asymm 2 0.518ms
>  2:  no reply
>  3:  no reply
> ... (repeat until killed)
>
> And from the outside,
> [eben@monkey eben]$ /usr/sbin/tracepath aaa.bbb.ccc.ddd
>  1?: [LOCALHOST] pmtu 1500
>  1:  ssrb-core-msfc-v212.ns.ufl.edu (128.227.212.1) 0.724ms
> ...
> 19:  ddd-ccc.bbb-aaa.tampabay.rr.com (aaa.bbb.ccc.ddd) asymm 15 82.184ms
> 20:  no reply
> 21:  no reply
> ... (repeat until killed)
>
> When I tracepath the router, I get this:
> [eben@pc networking]$ /usr/sbin/tracepath usr8054
>  1?: [LOCALHOST] pmtu 1500
>  1:  usr8054 (192.168.1.25) asymm 2 0.675ms
>  1?: usr8054 (192.168.1.25) asymm 2 reached
>      Resume: pmtu 1500 hops 1 back 2
>
> The network looks like this:
>
>          +--------+
>          | monkey |
>          +--------+
>              |
>         ( internet )
>              |
>       +-------------+
>       | cable modem |
>       +-------------+
>              |
>          +------+     +-----------+
>          | USR  |     |  laptop   |
>          | 8054 ~ ~ ~ ~ (802.11b) |
>          +------+     +-----------+
>              |
>       - - ----------------- - -
>         |   |   |   |   |
>        +-+ +-+ +-+ +-+ +-+
>        |X| | | | | | | | |
>        +-+ +-+ +-+ +-+ +-+
>         ^
>     my machine
>
> AFAIK, I need to make sure ICMP "port unreachable" messages get to my
> computer. Is this correct? Any idea how to do that? Thanks.
>
> --
> -eben ebQenW1@EtaRmpTabYayU.rIr.OcoPm home.tampabay.rr.com/hactar
> CANCER: The position of Jupiter says that you should spend the
> rest of the week face down in the mud. Try not to shove a roll of
> duct tape up your nose when taking your driver's test. -- Weird Al
>
>
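
[Added example, not code from either of the posters above.] The "no reply" lines in both traces come from the mechanism tracepath/traceroute relies on: each probe is a UDP datagram sent with an increasing TTL, every hop that discards an expired probe is expected to send back an ICMP Time Exceeded, and the destination host answers the final probe with ICMP Port Unreachable. A hop that simply does not send Time Exceeded produces one "no reply" line and the trace carries on; a router or NAT that drops (or fails to translate) the ICMP errors coming back to the inside host produces "no reply" for every hop past it, which is what the inside-out trace shows. The script below implements that exchange: a parser for the ICMP errors (this is what the probing host has to see), a minimal UDP traceroute using it, and a small diagnosis helper that tells the two cases apart. Assumptions: the raw ICMP socket needs root and a live network to run a real trace; the packet builder is constructed test input, with 192.168.1.100 as an assumed address for the probing host and 216.109.118.71 taken from the thread; 33434 is the conventional traceroute base port.

```python
# Added example for the flalug thread above; not the posters' code.
# parse_icmp_error() and diagnose() are pure; traceroute() needs root + network.
import socket
import struct
import time

ICMP_TIME_EXCEEDED = 11   # an intermediate hop discarded the probe (TTL reached 0)
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3     # the destination host itself answered: trace complete
BASE_PORT = 33434         # conventional traceroute probe port; probe port = BASE_PORT + ttl


def parse_icmp_error(pkt):
    """Parse a raw IPv4 datagram carrying an ICMP error.

    Returns (sender_ip, icmp_type, icmp_code, quoted_udp_dst_port), or None if the
    packet is not a Time Exceeded / Destination Unreachable quoting a UDP probe.
    The quoted destination port ties the reply back to the TTL that triggered it.
    """
    if len(pkt) < 20 or pkt[9] != 1:                 # IP protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8 + 20 + 8:                  # ICMP hdr + quoted IP hdr + 8 bytes
        return None
    sender = socket.inet_ntoa(pkt[12:16])
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    if icmp_type not in (ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH):
        return None
    inner = ihl + 8                                  # start of the quoted (offending) IP header
    if pkt[inner + 9] != 17:                         # IP protocol 17 = UDP
        return None
    udp = inner + (pkt[inner] & 0x0F) * 4
    _src_port, dst_port = struct.unpack("!HH", pkt[udp:udp + 4])
    return sender, icmp_type, icmp_code, dst_port


def build_icmp_error(sender_ip, icmp_type, icmp_code, probe_dst_port):
    """Construct a synthetic ICMP error (constructed test input, not a capture)."""
    iphdr = "!BBHHHBBH4s4s"
    me, target = socket.inet_aton("192.168.1.100"), socket.inet_aton("216.109.118.71")
    quoted = struct.pack(iphdr, 0x45, 0, 28, 0, 0, 1, 17, 0, me, target)   # probe's IP header
    quoted += struct.pack("!HHHH", 40000, probe_dst_port, 8, 0)            # probe's UDP header
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted
    outer = struct.pack(iphdr, 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        socket.inet_aton(sender_ip), me)
    return outer + icmp


def traceroute(dest, max_ttl=30, timeout=2.0):
    """Yield (ttl, sender_ip or None, rtt_ms or None, reached) for each TTL probed.

    A hop that drops the probe silently and a firewall/NAT that discards the
    returning ICMP error both show up as sender None, i.e. "no reply".
    """
    dest_ip = socket.gethostbyname(dest)
    recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    recv.settimeout(timeout)
    for ttl in range(1, max_ttl + 1):
        port = BASE_PORT + ttl
        send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        send.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        t0 = time.monotonic()
        send.sendto(b"", (dest_ip, port))
        send.close()
        reply = None
        while time.monotonic() - t0 < timeout:
            try:
                pkt, _ = recv.recvfrom(1500)
            except socket.timeout:
                break
            parsed = parse_icmp_error(pkt)
            if parsed and parsed[3] == port:          # accept only the error for *this* probe
                reply = parsed
                break
        if reply is None:
            yield ttl, None, None, False
            continue
        sender, itype, icode, _ = reply
        reached = itype == ICMP_DEST_UNREACH and icode == CODE_PORT_UNREACH
        yield ttl, sender, (time.monotonic() - t0) * 1000.0, reached
        if reached:
            return


def diagnose(results):
    """Classify a finished trace as ("reached", hop), ("no_icmp_at_all", 0),
    ("incomplete", last_hop) or ("silent_after_hop", last_hop).

    Unbroken silence from some hop to the end means the ICMP errors from later
    hops never get back to this host (e.g. the router/NAT in front of it drops
    them), which is how the inside-out trace in the thread looks.
    """
    if any(reached for _, _, _, reached in results):
        return "reached", results[-1][0]
    answered = [ttl for ttl, sender, _, _ in results if sender is not None]
    if not answered:
        return "no_icmp_at_all", 0
    last = answered[-1]
    if last == results[-1][0]:
        return "incomplete", last
    return "silent_after_hop", last
```

To run a real trace: `sudo python3 -c 'import trace_icmp as t; r = list(t.traceroute("yahoo.com")); print(r, t.diagnose(r))'` (module name assumed). On the setup in the thread, a trace from the inside would return ("silent_after_hop", 1), while a trace of the router itself returns ("reached", 1), matching the two outputs Eben posted. For the outside-in case, NAT (or DMZ passthrough, as suggested above) to an inside host that sends Port Unreachable is what turns the trailing "no reply" lines into "reached".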



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:59:54 EDT