On Wednesday 30 June 2004 5:25 pm, Peter Marshall wrote:

> It is fixed now .. I needed the established / related to be icmp and on
> both subchains (in and out) of the forward chain pertaining to the ip
> address of the machine that I was running the traceroute from.
>
> Thank you all for the help.
>
> The strange thing is that I also had to allow icmp type 11 on the output
> chain (coming into my dmz) ... I do not understand why I need this here ..
> but it does not work without it ...

Aha :)

So you *do* have a DMZ after all... Okay.

The reason you need ICMP type 11 on the OUTPUT chain (presumably facing towards the client machine running the traceroute) is so that the TTL Exceeded message generated by the firewall itself can exit the machine. It should only affect that specific hop - all others should work even if you just get * * * for the firewall itself.

(I assume you *do* know how traceroute works? The client sends several packets, all addressed to the target of the traceroute, with the first packet having TTL=1, the second packet having TTL=2, the third packet... etc. Each router which the packets pass through decrements the TTL value, and returns ICMP TTL Exceeded if the value becomes zero. Therefore each router along the way generates one message back to the originating client, and all the routers up to that point forward both the original packet and the ICMP response.)

Regards,

Antony.

--
In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite.
- Paul Dirac

Please reply to the list; please don't CC me.
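The following is an added simulation of the traceroute exchange Antony describes, not code from the thread. It models a toy firewall OUTPUT chain and a FORWARD-chain RELATED rule so the two failure modes can be compared: with ICMP type 11 blocked in OUTPUT only the firewall's own hop shows "* * *", while without RELATED in FORWARD every hop beyond the firewall goes dark. Router and host names are constructed.

```python
# Constructed traceroute simulation (not from the mailing-list post).
# The client sends probes with TTL=1, 2, 3, ...; each router decrements the
# TTL and sends ICMP type 11 (Time Exceeded) back when it reaches zero.
ICMP_TIME_EXCEEDED = 11
ALLOW_TIME_EXCEEDED = [{"proto": "icmp", "icmp_type": ICMP_TIME_EXCEEDED}]


def output_allows_icmp(output_rules, icmp_type):
    """Toy OUTPUT chain on the firewall: ACCEPT if a rule matches, else DROP."""
    return any(r["proto"] == "icmp" and r.get("icmp_type") in (None, icmp_type)
               for r in output_rules)


def traceroute(path, target, firewall, output_rules, forward_related, max_ttl=8):
    """path: routers in order from client to target; one of them is the firewall.
    Returns [(ttl, responder_or_None), ...]; None renders as '* * *'."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        remaining = ttl
        responder = target  # reached only if no router exhausts the TTL
        for router in path:
            remaining -= 1
            if remaining == 0:
                responder = router  # this router emits ICMP type 11 to the client
                break
        beyond_fw = responder == target or path.index(responder) > path.index(firewall)
        if responder == firewall and not output_allows_icmp(output_rules, ICMP_TIME_EXCEEDED):
            responder = None  # the firewall's own reply is dropped by OUTPUT
        elif beyond_fw and not forward_related:
            responder = None  # reply crossing the firewall is RELATED; no rule, no reply
        hops.append((ttl, responder))
        if responder == target:
            break
    return hops


def render(hops):
    """Format hops the way a traceroute listing would show them."""
    return [f"{ttl:2d}  {resp if resp else '* * *'}" for ttl, resp in hops]


if __name__ == "__main__":
    path = ["rtr-a", "fw", "rtr-b"]  # constructed hop names
    print("\n".join(render(traceroute(path, "srv", "fw", [], True))))
```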