On 1/13/2011 at 5:59 AM David Walker wrote:

> Hi Mike.
>
> Here's a couple of points.
>
> First, Windows uses ICMP only on traceroute (tracert) so there's
> consistency between your Windows and FreeBSD internal hosts - it's an
> ICMP blocked (in or out) issue.
>
> http://technet.microsoft.com/en-us/library/cc940128.aspx

Hi David,

Yes, I know that Windows uses ICMP for traceroute (I use both the Windows tracert command line utility and the SamSpade GUI utility). However, I have found that troubleshooting is always easier if one can eliminate Windows from the mix; that's why I reproduced the problem on the FreeBSD box (and also on an OpenBSD notebook, but I didn't show those logs. They're the same as the FreeBSD results).

> Can you ping and traceroute your router from your internal hosts?

ping: yes
traceroute (UDP): yes
traceroute (ICMP): yes

> Can you go the other way?

ping: yes
traceroute (UDP): yes
traceroute (ICMP): yes

> Second, and here we go into grey area, I'm no expert at the pf thing
> and I do it slightly different to you.

[big snip]

Many thanks for the additional info. I will do some exploring, reading and testing. One quick note, though, after a quick read of what you mentioned: I think you might have hit upon something when you mentioned "something to do with the order of your match/block versus my block/pass". Traceroutes were working here previously. I rewrote the rules surrounding NAT when the new pf.conf syntax appeared; that's when I started noticing the traceroute issues.