From: Anders Fugmann <afu@fugmann.dhs.org>
To: netfilter@lists.netfilter.org
Subject: traceroute:
Date: Sun, 25 May 2003 22:45:27 +0200
Message-ID: <3ED12B67.3030104@fugmann.dhs.org>

Hi,

I'm having problems doing traceroute through my firewall.
It seems that the rule:

    iptables -A OUTPUT -m state --state INVALID -j DROP

catches the ICMP error messages that are returned when TTL=0, and hence
traceroute comes out showing "* * *" instead of the name of my firewall.

When logging the INVALID packets, this is entered in the system log:

    May 25 22:38:42 debian kernel: INVALID:IN= OUT=eth1 SRC=10.0.0.254
    DST=10.0.0.2 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=52226 PROTO=ICMP
    TYPE=11 CODE=0 [SRC=10.0.0.2 DST=130.225.76.31 LEN=38 TOS=0x00 PREC=0x00
    TTL=1 ID=46519 PROTO=UDP SPT=46518 DPT=33435 LEN=18 ]

Is this a known problem, or is blocking outgoing invalid packets not
recommended?

Regards
Anders Fugmann
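
Added example, not part of the original message: a small Python parser for the LOG line quoted above, splitting the outer ICMP header from the bracketed header of the packet the error quotes, so INVALID-logged ICMP errors can be triaged from syslog. The function names and the second sample line are assumptions made for this illustration.

```python
import re

# Log line from the message above, rejoined onto one line (the mail wrapped it).
SAMPLE = ("May 25 22:38:42 debian kernel: INVALID:IN= OUT=eth1 SRC=10.0.0.254 "
          "DST=10.0.0.2 LEN=66 TOS=0x00 PREC=0xC0 TTL=64 ID=52226 PROTO=ICMP "
          "TYPE=11 CODE=0 [SRC=10.0.0.2 DST=130.225.76.31 LEN=38 TOS=0x00 "
          "PREC=0x00 TTL=1 ID=46519 PROTO=UDP SPT=46518 DPT=33435 LEN=18 ]")

# Constructed line (not from the message): an INVALID hit with no quoted packet.
PLAIN = ("May 25 22:40:01 debian kernel: INVALID:IN= OUT=eth1 SRC=10.0.0.254 "
         "DST=10.0.0.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP "
         "SPT=22 DPT=40000")

FIELD = re.compile(r"(\w+)=(\S*)")


def fields(text):
    """KEY=VALUE tokens as a dict; the first occurrence wins, so for UDP the
    IP-level LEN is kept and the later UDP LEN is ignored."""
    out = {}
    for key, value in FIELD.findall(text):
        out.setdefault(key, value)
    return out


def parse_log(line):
    """Return (outer, inner): the logged packet's fields and, for ICMP errors,
    the fields of the quoted original packet inside [ ... ] (else None)."""
    m = re.search(r"\[(.*)\]", line)
    if m is None:
        return fields(line), None
    return fields(line[:m.start()]), fields(m.group(1))


def describe(line):
    """Summarise what an INVALID log entry actually is."""
    outer, inner = parse_log(line)
    return {
        # Empty IN= with a set OUT= means the packet was logged on the output path.
        "locally_generated": outer.get("IN") == "" and outer.get("OUT", "") != "",
        # ICMP type 11 code 0: time exceeded, TTL expired in transit.
        "ttl_exceeded": (outer.get("PROTO"), outer.get("TYPE"),
                         outer.get("CODE")) == ("ICMP", "11", "0"),
        # The error is addressed to the sender of the quoted packet.
        "reply_to_quoted_sender": bool(inner) and outer.get("DST") == inner.get("SRC"),
        "quoted_probe": None if inner is None else tuple(
            inner.get(k) for k in ("PROTO", "DST", "DPT", "TTL")),
    }
```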