[ previous ] [ next ] [ threads ]
 
 From:  "Bruce B. Lacey" <Bruce at BLacey dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Traceroute filtered by default?
 Date:  Sat, 10 Apr 2004 08:47:35 -0700
First, I am new to the list and have been experimenting with m0n0wall 
1.1b1 on a Soekris 4801; accolades to Manuel and others for a job well 
done!  My previous firewall was a FreeBSD 4.8 box running IPFilter but 
also served as my web server, media server, etc. (I know, not the best 
idea).  Thus I have been in the market for a firewall appliance but I 
didn't want to give up the flexibility of the FreeBSD/IPFilter 
combination that I had become accustomed to; luckily I discovered 
m0n0wall.  I have transitioned NATting, Packet filtering and dyndns 
management to the m0n0wall but retained DHCP, DNS, the ipmon logging 
and mrtg on my FreeBSD server; an excellent combination.

Having said that, everything is working well but I can not traceroute 
from my private LAN to the WAN.  I configured my m0n0wall as follows:

sis0:	   LAN I/F with private subnet 192.168/16
sis2:   WAN I/F configured via WAN-side DHCP

My interpretation of the default m0n0wall LAN rules:

@15 block in log quick on sis0 from any to any head 100
@1 pass in quick from 192.168.0.0/16 to 192.168.0.200/32 keep state 
group 100
@2 pass in quick from 192.168.0.0/16 to any keep state keep frags group 
100

Rule 2 should allow the traceroute UDP packets into the LAN I/F sis0 
destined for the WAN I/F sis2 maintaining UDP state.  Right?

The default m0n0wall rule:

@5 pass out quick on sis2 from any to any keep state

should allow traceroute UDP packets out the WAN I/F sis2 and retain UDP 
state allowing the return icmp packets to enter the WAN I/F sis2.  The 
return packets should be routed back to the LAN I/F and allowed to pass 
because the state was retained.  Right?

So where am I going wrong?  Here is a sample traceroute from a host on 
the private LAN.

526$ traceroute www.apple.com
traceroute to www.apple.com.akadns.net (17.254.0.91), 30 hops max, 40 
byte packets
  1  m0n0wall (192.168.x.x)  1.312 ms  0.467 ms  0.537 ms
  2  * * *
  3  * * *
  4  * * *
  5  * * *
  6  * * *
  7  * * *
  8  * * *
  9  * * *
10  * * *

Thanks in advance,
Bruce