This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[5.012] Firewall is Traceroute visible NOT working

On 5.012, I have
"Firewall is Traceroute visible" enabled.

It works if I do a traceroute to any of ASL's interfaces.

However,
If I traceroute from INT to a machine in the DMZ, I get:

Code:

C:\>tracert 10.0.0.10

Tracing route to linux [10.0.0.10]
over a maximum of 30 hops:

  1     *        *        *     Request timed out.
  2

The DMZ server shows up but the firewall does not.

The packetfilter log shows:
Code:

2004:06:27-11:26:44 (none) kernel: DROP: IN= OUT=eth0 SRC=192.168.11.1 DST=192.168.11.13 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=44735 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.11.13 DST=10.0.0.10 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=26162 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25856 ]

192.168.11.1 is the firewall, 11.13 is the PC.

It looks to me like the REPLY packets are getting dropped by the firewall for some reason.

Thanks,
Barry

This thread was automatically locked due to age.

0 firebear_01 over 21 years ago

Hi,
it seems that the option makes the firewall traceroutevisible if you tracerout the firewall.
But not if you traceroute a target behind the firewall.

firebear
Cancel
Vote Up 0 Vote Down

Cancel
0 bce over 21 years ago in reply to firebear_01

Hi,
this is not completly true, i think the mistake is somwhere else. (ips) or ping on firwall.
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 21 years ago in reply to bce

IPS is off, and Ping on Firewall is enabled.

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 21 years ago

Traceroute through ASL still doesn't work in 5.016

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 21 years ago in reply to BarryG

Still not working in 5.023!
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 21 years ago in reply to BarryG

Can anyone confirm or deny this as a bug?

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 20 years ago in reply to BarryG

Still not working in 5.024!

Help!
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 20 years ago in reply to BarryG
Also, I have now noticed that traceroute does not work from ASL5, despite the fact that I have ALL the ICMP settings ON.
Code:
# traceroute 69.166.208.1
traceroute to 69.166.208.1 (69.166.208.1), 30 hops max, 40 byte packets
send failed: Operation not permitted
send failed: Operation not permitted
send failed: Operation not permitted
send failed: Operation not permitted
...

I think this is related to traceroute not working right through ASL.

Please respond.

I am using MASQ btw.

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 SecApp over 20 years ago

It sounds like you know what you are doing, and you probably did it;
but it has not been explicitly stated above.

But just to be thorough: the machine on the DMZ:
is its gateway set to Astaro?
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 20 years ago in reply to SecApp

Yes, the INT and DMZ machines have gateways set correctly.

DMZ:
10.0.0.0/24
gw: 10.0.0.1 (Astaro's DMZ interface)

INT:
192.168.11.0/24
gw: 192.168.11.1 (Astaro's INT interface)

I have MASQ for DMZ -> EXT and INT -> EXT

Traceroute works, but the ASL hop times out.

Also, traceroute does not work at all from the ASL console.

Is traceroute working on your ASL5? If so, are you using MASQ?

Thanks,
Barry
Cancel
Vote Up 0 Vote Down

Cancel