Re: [SLUG] firewall gurus, help please!

From: Andrew M. Hoerter (amh@pobox.com)
Date: Sun Dec 14 2003 - 17:44:02 EST


On Sun, 14 Dec 2003, Eben King wrote:

> OK. I've screwed up traceroute somehow. It worked under my previous
> router (ipchains, Linux 2.0.x, P75), but I just checked it under my new
> router (USR 8054), and it doesn't. From the inside, I get something like

To make traceroute work from the inside to the outside, you need the
firewall to do two things:

1) Pass the outgoing UDP probe packets (they are usually addressed to port
   33434 but this can vary depending on the traceroute client)

2) Maintain state for the probe packets, so that ICMP messages sent in
   response to them are properly passed back in to the client

As an alternative to #2, if your firewall software doesn't maintain state
properly, you can allow any ICMP port unreachable and time exceeded
messages back through.

Tracerouting from the outside to the inside is trickier. As in #1 above,
the destination UDP port used by the probe packets is variable. So you
basically have to pass all UDP traffic unless it's just a debugging tool
for yourself, and you can safely guarantee the port assignment. But
otherwise the same two issues above apply in reverse; the UDP probes have
to come in and the ICMP responses have to go back out (both from the
firewall and the machines behind it).

NAT, of course, confuses things further if you use it. But that's the
basic story on traceroute.
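As an added illustration of the two requirements above (this is example code, not part of Andrew's message): a toy stateful filter in Python that records outbound UDP probes and admits an inbound ICMP time-exceeded or port-unreachable message only when the IP/UDP header quoted inside it matches a tracked probe. The client, target and hop addresses are constructed, and the `stateless_icmp` switch models the fallback of admitting those two ICMP types unconditionally.

```python
import socket
import struct
ICMP_DEST_UNREACH, CODE_PORT_UNREACH, ICMP_TIME_EXCEEDED = 3, 3, 11

def build_quoted_udp(src, sport, dst, dport):
    """Constructed IPv4 header (no options) plus UDP header, as an ICMP error quotes it."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)

def parse_quoted_udp(payload):
    """Recover (src, sport, dst, dport) of the UDP datagram an ICMP error quotes, or None."""
    ihl = (payload[0] & 0x0F) * 4 if payload else 0     # honour IP options in the quoted header
    if len(payload) < max(20, ihl + 4) or payload[9] != 17:
        return None                                      # truncated, or not a UDP datagram
    src, dst = socket.inet_ntoa(payload[12:16]), socket.inet_ntoa(payload[16:20])
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return (src, sport, dst, dport)

class StatefulFilter:
    """Pass outbound UDP probes (point 1) and track them so their ICMP errors can return (point 2)."""
    def __init__(self, stateless_icmp=False):
        self.stateless_icmp = stateless_icmp   # the post's fallback: admit all type 11 / 3-3
        self.state = set()                     # tracked outbound UDP 4-tuples

    def outbound_udp(self, src, sport, dst, dport):
        self.state.add((src, sport, dst, dport))
        return True

    def inbound_icmp(self, icmp_type, icmp_code, payload):
        if not (icmp_type == ICMP_TIME_EXCEEDED or
                (icmp_type == ICMP_DEST_UNREACH and icmp_code == CODE_PORT_UNREACH)):
            return False                       # other ICMP is outside traceroute's needs
        if self.stateless_icmp:
            return True
        return parse_quoted_udp(payload) in self.state   # only replies to probes we sent

def traceroute_demo(stateless=False):
    """Simulate a three-hop trace; returns the filter's decision for each inbound ICMP message."""
    fw = StatefulFilter(stateless)
    client, target = "192.168.1.10", "198.51.100.7"    # constructed inside/outside addresses
    for dport in (33434, 33435, 33436):                 # one probe per TTL, ports climbing
        fw.outbound_udp(client, 40000, target, dport)
    return [
        fw.inbound_icmp(11, 0, build_quoted_udp(client, 40000, target, 33434)),   # hop 1 expired
        fw.inbound_icmp(11, 0, build_quoted_udp(client, 40000, target, 33435)),   # hop 2 expired
        fw.inbound_icmp(3, 3, build_quoted_udp(client, 40000, target, 33436)),    # target reached
        fw.inbound_icmp(3, 3, build_quoted_udp(client, 5353, "203.0.113.9", 53)), # unsolicited
        fw.inbound_icmp(8, 0, b""),                                                # echo request
    ]
```

With state tracking the unsolicited port-unreachable is dropped; in stateless mode it gets through, which is the price of the fallback Andrew describes.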

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 19:37:21 EDT