(I start this as 'new', since it used to be part of a multiple question.)
Traceroute to an outside address is possible from the LAN interface only, not from an opt interface, despite identical firewall rules. ping, however, works from both interfaces. Here are the rules, as set up by m0n0wall:
...
pass in quick from 192.168.1.0/24 to any keep state group 300
pass in quick from 192.168.116.0/24 to any keep state group 100
...
(all rules are further down)
$ ifconfig | grep 192.168.116
          inet addr:192.168.116.199  Bcast:192.168.116.255  Mask:255.255.255.0
$ ping 172.16.0.4
PING 172.16.0.4 (172.16.0.4) 56(84) bytes of data.
64 bytes from 172.16.0.4: icmp_seq=1 ttl=251 time=1.35 ms
64 bytes from 172.16.0.4: icmp_seq=2 ttl=251 time=1.27 ms
$ traceroute 172.16.0.4
traceroute to 172.16.0.4 (172.16.0.4), 30 hops max, 60 byte packets
 1  firewall.my.box.my (192.168.116.200)  0.212 ms  0.255 ms  0.260 ms
 2  172.20.16.1 (172.20.16.1)  1.105 ms  1.099 ms  1.105 ms
 3  172.20.27.5 (172.20.27.5)  1.095 ms  172.20.27.1 (172.20.27.1)  1.090 ms  172.20.27.5 (172.20.27.5)  1.062 ms
 4  172.16.2.243 (172.16.2.243)  1.072 ms  1.095 ms  1.135 ms
 5  my.dmz.server.my (172.16.0.4)  1.550 ms  1.539 ms  1.576 ms
$ ifconfig | grep 192.168.1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
$ ping 172.16.0.4
PING 172.16.0.4 (172.16.0.4): 56 data bytes
64 bytes from 172.16.0.4: icmp_seq=0 ttl=251 time=1.380 ms
64 bytes from 172.16.0.4: icmp_seq=1 ttl=251 time=0.990 ms
$ traceroute 172.16.0.4
traceroute to 172.16.0.4 (172.16.0.4), 64 hops max, 40 byte packets
 1  192.168.1.200 (192.168.1.200)  0.329 ms  0.290 ms  0.305 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
To demonstrate that the second box can 'traceroute' properly:
$ ifconfig | grep 192.168.1
        inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
$ traceroute 192.168.116.199
traceroute to 192.168.116.199 (192.168.116.199), 64 hops max, 40 byte packets
 1  192.168.1.200 (192.168.1.200)  0.292 ms  0.291 ms  0.294 ms
 2  192.168.116.199 (192.168.116.199)  0.457 ms  0.433 ms  0.450 ms
It just can't do so to the outside.
I tried the ipfstat -nio, but couldn't see any trace of icmp denied.
Uwe
Here are the complete rules:
# loopback
pass in quick on lo0 all
pass out quick on lo0 all

# block short packets
block in log quick all with short

# block IP options
block in log quick all with ipopts

# allow access to DHCP server on LAN
pass in quick on fxp3 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp3 proto udp from any port = 68 to 192.168.116.200 port = 67
pass out quick on fxp3 proto udp from 192.168.116.200 port = 67 to any port = 68

# allow access to DHCP server on opt1
pass in quick on fxp1 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on fxp1 proto udp from any port = 68 to 192.168.1.200 port = 67
pass out quick on fxp1 proto udp from 192.168.1.200 port = 67 to any port = 68

# allow access to DHCP server on opt3
pass in quick on ath0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on ath0 proto udp from any port = 68 to 10.10.42.200 port = 67
pass out quick on ath0 proto udp from 10.10.42.200 port = 67 to any port = 68

# WAN spoof check
block in log quick on fxp0 from 192.168.116.0/24 to any
block in log quick on fxp0 from 192.168.1.0/24 to any
block in log quick on fxp0 from 172.24.0.200/31 to any
block in log quick on fxp0 from 10.10.42.0/24 to any

# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on fxp0 proto udp from any port = 68 to any port = 67
block in log quick on fxp0 proto udp from any port = 67 to 192.168.116.0/24 port = 68
pass in quick on fxp0 proto udp from any port = 67 to any port = 68

# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on fxp3 from ! 192.168.116.0/24 to any
block in log quick on fxp1 from ! 192.168.1.0/24 to any
block in log quick on fxp2 from ! 172.24.0.200/31 to any
block in log quick on ath0 from ! 10.10.42.0/24 to any

# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all

#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on fxp3 all head 100

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp3 all keep state

#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on fxp0 all head 200

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp0 all keep state

#---------------------------------------------------------------------------
# group head 300 - opt1 interface
#---------------------------------------------------------------------------
block in log quick on fxp1 all head 300

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp1 all keep state

#---------------------------------------------------------------------------
# group head 400 - opt2 interface
#---------------------------------------------------------------------------
block in log quick on fxp2 all head 400

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on fxp2 all keep state

#---------------------------------------------------------------------------
# group head 500 - opt3 interface
#---------------------------------------------------------------------------
block in log quick on ath0 all head 500

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on ath0 all keep state

# make sure the user cannot lock himself out of the webGUI
pass in quick from 192.168.116.0/24 to 192.168.116.200 keep state group 100

# User-defined rules follow
block in quick from 10.10.42.0/24 to 192.168.116.0/24 group 500
block in quick from 10.10.42.0/24 to 192.168.1.0/24 group 500
pass in quick from 10.10.42.0/24 to any keep state group 500
pass in quick from 192.168.1.0/24 to any keep state group 300
pass in quick from 192.168.116.0/24 to any keep state group 100

#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all
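As an added illustration (not from the post and not m0n0wall's code), a small Python evaluator for the quick/head/group semantics the rules above rely on, run over a constructed subset of those rules: it reports which rule decides an inbound traceroute probe from each interface, and shows that a packet entering a group head with no matching group rule falls back to the head rule's own block. Port matches and 'keep state' tracking are deliberately not modeled, so the returning ICMP replies are outside its scope.

```python
import ipaddress
import re

# Constructed subset of the ipf rules quoted in the post, in their original order (port rules omitted; all 'quick').
RULES = """
block in log quick on fxp1 from ! 192.168.1.0/24 to any
block in log quick on fxp3 all head 100
block in log quick on fxp1 all head 300
pass in quick from 192.168.1.0/24 to any keep state group 300
pass in quick from 192.168.116.0/24 to any keep state group 100
block in log quick all
"""
RULE_RE = re.compile(
    r"^(?P<action>pass|block) (?P<dir>in|out)(?: log)?(?: quick)?(?: on (?P<iface>\S+))?"
    r"(?: all| from (?P<src>(?:! )?\S+) to (?P<dst>\S+))(?: keep state)?"
    r"(?: head (?P<head>\d+))?(?: group (?P<group>\d+))?$")

def parse(text):
    """Rule lines -> dicts. Rules without 'group' belong to the default group (None)."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append(dict(m.groupdict(), text=line.strip()))
    return rules

def addr_match(spec, ip):
    # 'any' (or 'all', stored as None) matches everything; a leading '!' negates the network.
    if spec is None or spec == "any":
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("! "), strict=False)
    return inside != spec.startswith("!")

def rule_match(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["iface"] in (None, pkt["iface"])
            and addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"]))

def evaluate(rules, pkt, group=None):
    """First matching quick rule in 'group' decides; a matching 'head N' tries group N first, else its own action."""
    for rule in rules:
        if rule["group"] != group or not rule_match(rule, pkt):
            continue
        if rule["head"] is not None:
            decided = evaluate(rules, pkt, rule["head"])
            if decided is not None:
                return decided
        return rule["action"], rule["text"]
    return None

def probe(iface, src, dst):
    # Decision (action, rule text) for an inbound packet such as a traceroute UDP probe.
    return evaluate(parse(RULES), {"dir": "in", "iface": iface, "src": src, "dst": dst})
```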