Re: traceroute & ping fail

To: William Jensen <jensenb@bodach.com>
Cc: debian-user@lists.debian.org
Subject: Re: traceroute & ping fail
From: George Bonser <george@shorelink.com>
Date: Sun, 1 Oct 2000 14:38:25 -0700 (PDT)
Message-id: <Pine.LNX.4.21.0010011428040.31474-100000@chester.shorelink.com>
In-reply-to: <20001001162645.B181@bodach.com>

On Sun, 1 Oct 2000, William Jensen wrote:

> Another update to myself and others that may want this information:
> 
> This update concerns traceroute.  If I added the following rules I can now
> traceroute to anywhere, but traceroutes to me fail:
> 
> $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
> $IPT -A INPUT -p icmp --icmp-type port-unreachable -j ACCEPT

There are a few more you should have for the network to operate
properly. There are other things such as MTU Path Discovery that need to
work.

You should, suggested by the ipchains HOWTO, be allowing these:

 -p icmp --icmp-type destination-unreachable -j ACCEPT
 -p icmp --icmp-type source-quench -j ACCEPT
 -p icmp --icmp-type time-exceeded -j ACCEPT
 -p icmp --icmp-type parameter-problem -j ACCEPT

Note destination-unreachable rather than port-unreachable. There are
several subtypes of destination-unreachable and port-unreachable is only
one of them.

Reply to:

References:
- Re: traceroute & ping fail
  - From: William Jensen <jensenb@bodach.com>

Prev by Date: Re: firewall (fwd)
Next by Date: Re: mounting /home?
Previous by thread: Re: traceroute & ping fail
Next by thread: Re: traceroute & ping fail
Index(es):
- Date
- Thread